Brad Garnett

Welcome to my Digital Forensics and Incident Response oasis!

Digital Forensics, Incident Response, and Information Security


DFIR: Digital Forensic-Archaeology

In the digital forensic consulting world, the law enforcement analogies are often synonymous, and this analogy (COPS) always comes to mind when explaining to clients and/or the legal community what it is that we do as digital forensic examiners. We are great at our analyses and processes; however, we fall short on explaining the tedious, methodical forensic analysis process to the client, so the client is left to draw his/her own conclusions based on what they know. Long-term, I believe there will be fewer "open for interpretation" matters during a forensic engagement as clientele, and society for that matter, become better educated and aware of forensic technology.

An archaeologist methodically putting the pieces together.


Would you hire an excavator operator to recover and analyze material fragments beneath the Earth's surface OR would you hire an archaeologist? Depending on your goals, you may hire both!

Do you need to burn down the haystack to get to the needle OR do you want to methodically recover the needle from the haystack? Knowing your goals beforehand is a must! The way an incident responder approaches a computer system where there is an active attack ongoing could be different from the approach of the traditional digital forensic examiner, because the goals of each are different.

Staying with the analogy of an excavator operator vs. an archaeologist, would you hire "IT" or a digital forensic professional to successfully identify, acquire, analyze, verify, and report on digital artifacts for an inquiry?

Digital Forensics is not just "information technology", just as an archaeologist isn't just finding artifacts in the dirt. An archaeologist is a scientist who is educated, certified, and trained in archaeology. An excavator operator is also probably educated, certified, and trained, but not in the science of archaeology. In my opinion, Digital Forensics and Archaeology have a lot of commonalities. As sciences, both are looking at artifacts left behind by humans. As a forensic examiner, when I am explaining how a Google search term was recovered during an analysis of browser history on a computer, I'll often provide written and/or verbal context to my client as I'm compiling the artifacts present on the computer system and adding context to those artifacts. Similarities amongst science?

Bottom line, IT professionals and Digital Forensic Professionals may have some similarities as it relates to familiarization with technology, but they are two entirely separate, distinct professions. Before you retain an expert, know the difference between a computer expert and a digital forensic expert. Your case, our legal system, and the digital forensic discipline demand it!

DFIR: Sunday Reading 01/26/14

Here are some recent articles from this past week that I thought were noteworthy and worth sharing:

  1. Patrick Olsen has a blog post up that I should've included in last week's Sunday reading, "Know your Windows processes or Die Trying". Patrick provided a high-level overview of Windows processes and also reiterated how important it is to "know normal" on the Windows systems that we are analyzing.
  2. Harlan has included his book review of Cloud Storage Forensics up on his blog. Speaking of Harlan, WFA 4/e is rumored to be released in April.
  3. The weekly Forensic Lunch hosted by David Cowen is every Friday @ NOON Central Time. This week's Forensic Lunch featured Hal Pomeranz and Jake Williams. Hal discusses his Digital Forensic Perl scripts that he posted to GitHub, and Jake discusses his recent ShmooCon talk with Alissa Torres on anti-memory forensics titled ADD. Also, this week's show featured Lee Whitfield discussing his new online safety video series. Kudos to Lee for creating this series for anyone who wants to learn more about the dangers of the internet today. A great way to give back to the public at large on computer security issues today. Lee's first video, Streaming Consequences, has gone "viral" and has had over 21,000 views to date. Online Safety: Part I is also now available. If you can't catch the Forensic Lunch live, catch this week's show and past shows on YouTube.
  4. Michaels Stores just announced and alerted its customers that it may have also suffered a potential POS (point of sale) data breach. This is yet another "known" retailer to have announced a data breach since December. Target announced in December and Neiman Marcus announced just a few weeks ago.
  5. e-Discovery Law Blog: This article points out why it's important for organizations to preserve ESI (electronically stored information) in anticipation of litigation, and the sanctions for "selective" preservation.
  6. Brian Moran of BriMorLabs has a new post up on his blog regarding RAM scrapers. A very good read and overview of RAM scrapers targeting POS systems for credit card data.
  7. Benjamin Wright, Esq. has a new blog post up titled Legal Evidence from Dedicated Computers. Benjamin provides good cyber investigative techniques from a legal perspective. Mr. Wright is an attorney and also a SANS instructor.

Finally, SANS just announced the #DFIRCON photo contest. If you are looking for top-notch Digital Forensics training, SANS is having a contest to win a FREE Simulcast seat for the upcoming DFIRCON March 5-10 in Monterey, CA. 

DFIR: Sunday Reading

After catching up on my RSS feeds this morning, there are a few articles that I thought I would share.

  1. 2014 Forensic 4 Cast Awards: Have you submitted your nomination?
  2. The Volatility team has a good blog post up regarding POS (Point of Sale) Malware that was allegedly used in the Target data breach.
  3. Master Linux forensicator and SANS Instructor Hal Pomeranz has started a GitHub with his Perl scripts that he uses in forensic examinations.
  4. @jackcr's Handler Diaries Blog: Keeping Focus During An Incident is a good read for the incident responder.
  5. Unless you have been living under a rock, you probably follow Harlan's Windows IR blog and Corey's Journey Into IR blog. Both are superb resources for the forensic examiner and incident responder.
  6. David Cowen's HECF Blog is updated daily. Every Friday, David and his team host the Forensic Lunch. This past week's show featured Sarah Edwards and Craig Ball. Sarah discussed her upcoming Mac Forensics course with SANS. I've met Sarah and have heard her speak. Being a Mac forensicator, I am looking forward to this course. Craig Ball, Esq. discussed his role in being a Special Master in civil courts and brought an excellent perspective of digital forensics in the American court system. If you are a forensic examiner, make sure you watch his segment on the Forensic Lunch.
  7. Shellbag Forensics: Dan Pullega shared his research on his blog last month and is continuously updating it. Dan's research is being updated regularly (01.14.2014). Dan has done some groundbreaking research, and if you are looking for someone to nominate for the 2014 Forensic 4cast Awards, this would be someone you should consider.
  8. Finally, this Sophos article also caught my attention: Anonymous Yelp reviewers must be outed, US Court rules. This article points out, "...that anonymous users aren't covered by First Amendment protection of free speech if a review is "based on a false statement"...". As a society and with the evolution of technology, people have generally become desensitized. Don't say something online that you would not say or feel comfortable saying in person. So remember, spreading false information does not carry First Amendment protection in and of itself. If you are interested in reading excellent articles and case studies on cyber crime and cyber conflicts, I would recommend Susan Brenner's Cyb3rCrim3 blog. Another great legal resource is Benjamin Wright's blog at