
Wednesday, December 14, 2016

Analysis vs. Translation




Very often, examiners get called upon to do what may be referred to as "push-button forensics": we acquire data, plug it into a tool, and wait for that tool's processing and output to tell us what we have that may be relevant to the case.  Unfortunately, this isn't forensics at all; it's letting software do the job for us.  Perhaps that's why some prefer forensic tools such as X-Ways Forensics: while tools like X-Ways make the examiner's job easier, the data is not necessarily served up on a "silver platter", and the examiner still has to know how the tool works and how and where to find the relevant data.  That is analysis and investigation, not simple data extraction and reporting.  But there are nuances to this practice that go beyond the analysis itself if the final product is to be useful and understandable.

Analysis Levels

In digital forensics, analysis levels are important to know and distinguish.  Very often, the quick acquisition of evidence and triage of data can lead to a break in a case of a missing juvenile or help stem further data loss to mitigate a breach.  Triaging evidence can also help identify which pieces are more likely relevant and help examiners spend less time weeding through data that is simply not important.  However, triage is a very low-level type of analysis.  It's so low-level that triage of digital evidence is being taught to non-examiners just to help streamline the overall examination process.  Triage evidence should be used for investigative leads only, because the finer points (where the data is stored, how it got there, who put it there and other key factors) are very often not part of a triage of evidence.
When we dive deeper into the analysis of the evidence, we start to get into the nuts and bolts of forensics.  Important factors can include the type of file system, the users on the system, the time offset on the system, files and metadata.  This is the area where some push-button tools operate, because they do dive deeper than triage or preview levels, but it's also a danger zone for many would-be examiners.  Push-button tools are great for pointing you in the right direction, but sometimes lack the detail that is often necessary in forensics.  And as any experienced examiner will tell you, the devil is in the details.



Deeper levels of examination, analysis and investigation require intense skill and, above all, experience.  No course of study can prepare an examiner for trying to prove or disprove the really hard cases.  For example, will a push-button tool really help you prove a child exploitation case without any images being present on the system?  Probably not.  Even if it did present some valuable evidence, you'd have to dive deeper and search for fragments, history and other evidence that may be "hidden" or very difficult to locate.  Most push-button tools won't dive deeper into slack space or volume shadow copies.  They're designed to streamline the digital evidence process to decrease backlogs and get cases out the door faster.  This is a dangerous trap in forensics and one examiners must constantly work to avoid.

So once we've done our in-depth analysis and completed the digital forensic portion of the investigation, then what do we do?  This is where the intangible asset of translation becomes the point where the proverbial rubber meets the road.  Without it, the evidence is almost useless.

The Value of Translation

A wise man once said, "You can make a cop a geek, but you can't make a geek a cop!"  So what's a "geek" and what's a "cop", and why is it only a one-way street?  In this discussion, the term "geek" is used to describe a person who is good with computers, good with technology, enjoys gadgets and all of the new innovations on the market today, and even goes so far as to learn more about them, study them and hone their knowledge of them.  These are skills that are necessary for a good digital forensic examiner.  One can be taught about file systems, operating systems, metadata, slack and unallocated space, but without the ability to articulate what those things are and why they're important (i.e., relevant) in your investigation, those skills are only utilitarian.



In this discussion, a "cop" is someone who has an inquisitive nature.  A truth-seeker.  A trained hunter of facts.  Someone who has honed the ability to weed out what may be irrelevant and concentrate on what facts or evidence help prove or disprove the matter being investigated.  Most importantly, they've honed the ability to explain and articulate that evidence for the stakeholders in the case, whether other investigators, attorneys, judges or juries (i.e., laypeople).  It is this intangible asset which turns the analysis into something meaningful, because all of the technical skills in the world don't matter if you cannot articulate what you did, why you did it, what you found, and where and how it got there.  Even the ability to explain what you did not find is an asset to a trained examiner.  Sometimes the absence of evidence can be evidence in itself.

So when it's said that you "...can't make a geek a cop", what it means is that many "geeks" largely lack this intangible ability.  Think back to the last time you asked a really technical person a question.  You probably received a very technical answer, which laypeople often don't understand.  The ability to whittle the minutiae down into specific, articulable and understandable talking points is something many people in general don't possess, let alone highly technical people.

Wrapping it up

Analysis is but one important component of digital forensics.  The translation of that analysis into specific articulated facts is quite another.  It's hard for technical schools to teach students two basic, yet very important skills:  critical thinking and effective communication.  So just because someone has a degree/certification in digital forensics or law or medicine doesn't always mean they can effectively translate (i.e., communicate) what they know, suspect or conclude based upon the evidence at hand.  This ability comes from one primary source: experience.

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally


We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Twitter: @ProDigital4n6

Friday, April 15, 2016

Training Review: X-Ways Forensics




I’ve been involved in computer/digital forensics since 2009, starting off my first training with Basic Data Recovery & Acquisition (BDRA) given by the National White Collar Crime Center (NW3C) in Fairmont, WV.  Many of you have probably started your forensic training at NW3C or any of the other governmental or non-governmental entities that offer basic training.  Starting with BDRA and progressing through my forensic training, I’ve observed one (mostly) universal characteristic about the trainings:  No matter the host/vendor, no matter the tool-specific application(s), no matter the level of complexity of the subject matter, it’s very hard to make computer forensics training ultimately compelling and engaging.  Maybe it’s because we sit in a chair for 3-7 days and stare at a computer screen all day long.  Maybe it’s because there’s some overlap with training we’ve received previously.  Maybe it’s just because we don’t want to be there (everyone loves to be “voluntold” to go to training), but the fact remains, it can often be dry and sometimes even boring.

When I left the public sector and launched Pro Digital Forensic Consulting, I did my research about which tools to invest in initially.  Without question, there is a different mindset when you’re paying for the tools and licensing yourself as opposed to your department or company paying for them, so I was very discriminating about what I wanted, what I needed, what I thought might best serve my clients in the future.  With the ever-growing need for dedicated tools for both computer and mobile forensics, I decided to invest in tools with a dedicated purpose.  Having been a previous user of a very popular and widely-used tool, I reached out to them first.  Their salesperson was less than knowledgeable and even told me “I don’t do forensics myself, so maybe tech support could answer your question”.  This turned me off.  And being a self-admitted non-conformist, I decided to go in a different direction for several reasons: 1) from my perspective, the “heavy hitters” in the computer forensic industry were trying to take on too much re: mobile devices, eDiscovery, etc., 2) the same “heavy hitters” were forcing users to use tools that were less than stellar by way of newer versions & updates that were not as effective as previous versions and 3) I kept hearing great things from real-world computer forensic practitioners about the German-based tool, X-Ways Forensics.  With all that in mind, I made a leap of faith toward X-Ways as my primary computer analysis tool in 2014 and haven’t looked back.

Training in the Use of X-Ways Forensics

As every experienced examiner knows, computer forensic tools all try to do the same things, but some have strengths over others.  They also have their own terminology, which is sometimes tool-specific.  Having used X-Ways Forensics (XWF) only seldom during my time in law enforcement, I opted to partake in an online course of study that was created by Brett Shavers.  The course was good because it gave a very basic overview of how to set up XWF and use XWF to work cases effectively.  Brett and former FBI Special Agent Eric Zimmerman also wrote a book that I would recommend to all users of XWF because it's great as a quick-reference to intermediate guide.  The book is entitled X-Ways Forensics Practitioner's Guide.  It got me to a functional level, but I knew I needed more.



Unfortunately, I also knew that XWF doesn’t offer open training in the US quite as often as some of the “heavy hitters”, nor are the locations always convenient.  For instance, there are only four open classes scheduled so far in 2016 in the US.  However, because I’m an XWF customer and user, I received an email late in 2015 about the 2016 training dates and, lo & behold, one was offered in April, 2016 in Manassas, VA… Very convenient for Pro Digital!  The cost of the training was very reasonable ($1,799.00 USD) especially in comparison to other vendor-sponsored training, whether online or classroom-based.  The list of what is included in the X-Ways Forensics I course may be found at this link:  http://www.x-ways.net/training/index.html

Course Content & Delivery

The XWF basic course is not for beginners in the field of computer forensics.  If you have no forensic experience, I highly suggest taking the NW3C courses (BDRA & IDRA) or their equivalent before attending any vendor-specific training.  You must have prior knowledge of basic forensic terminology and a basic to intermediate understanding of how files are allocated in different formats, how different operating system versions work, how file carving works, disk partitioning and a number of other concepts that are considered basic computer forensic knowledge.  Simply put, if you don’t have this knowledge, you will be lost and you won’t get anything out of the training.  I would also suggest that it may be beneficial to have some knowledge of how forensic tools work generally.  You don’t need to purchase one of the expensive tools to do this.  Consider downloading Autopsy from SleuthKit and some training disk images and experiment with it.  Naturally, I’d suspect most of you reading this are very familiar with tools such as EnCase, FTK, Nuix, IEF etc.



Our instructor for the week was Fotis Mouratidis.  As mentioned previously, XWF is a German-based company and, as such, their instructors are European.  If you're in the US and wary of language problems, don't be.  Fotis was very fluent in English, as well as 3 other languages.  He was also very knowledgeable about the tool itself.  While that should be a "no-brainer" for a vendor-instructor, it's not always a given that they know (almost) everything they need to know about the tool.  Fotis walked us through such tool-specific topics as initial set-up of the tool, the multitude of case and user-specific options that XWF provides, the benefits of XWF over other tools (like disk imaging speed and compression rate) and how to use XWF in a very efficient manner.

X-Ways Forensics training is somewhat no-frills, but I don’t need frills.  I need good information that I can use to work cases better, and I got that.  You’ll need to bring your own laptop.  Fotis didn’t come with Pelican cases full of freshly-imaged computers for us to work on, but he didn’t have to and honestly, I appreciate the ability to use the tool on my equipment to see how well they work together.  X-Ways provides a number of training disk images on which to practice and complete practical exercises as well as training licenses for the duration of the class.  The handout materials follow the PowerPoint presentation, but in keeping with good presentation practice, they only have a snippet of information so you are forced to concentrate on the instructor’s presentation where the real knowledge base resides.  I highly recommend bringing a notebook and taking frequent notes on items that may be of particular interest to you.  Throughout the 4-day course, I took a dozen pages worth of notes… and I still feel like that wasn’t enough.

One definite observation that I noted several times is that the instructions and the tool itself are very precise and specific.  Remember, XWF is a German-based company.  Throughout history, Germans have always been thorough and precise in their engineering of anything of quality, so it helps to keep that in mind during the training, practical exercises and when using XWF.  The tool will do exactly what you tell it to do.  Fotis reminded us of this several times with regard to the tool-specific X-Pert Certification test and process that is available through X-Ways Forensics.

Brief Notes About the Tool

Of particular note about XWF are a few points.  First are the filtering features in XWF.  There are a multitude of filtering options in XWF that can help narrow the focus of your investigation.  Not only can you filter by file type, size, dates, etc., but you can filter by metadata information, child objects, file attributes and a number of other categories.  What is even better is that XWF does a good job of telling you those filters are in place.  In using other tools, I've often fallen into the trap of trying to search for evidence while a filter is on, only to waste time (and frustration) because the tool didn't have enough "idiot icons" telling me there was a filter in place.  XWF tells you in at least 3 different places that one or more filters are activated.  It's a small but nice feature, and it can save aggravation and wasted time.


XWF is also very easy to install, customizable and portable.  Once set up, the tool stores all of your options in a configuration file that can be easily copied and transferred upon installation of a new version (versions are updated every 3-4 months).  If you have a particular type of file header that isn’t included in the search list, all you need to do is add it and save and it can be searched for from that point forward.  One of the big reasons I invested in XWF is because it is lightweight and portable.  By that, I mean that it is not a resource hog like some of the other tools.  There is no external database that needs to be run on a separate disk for optimization.  XWF doesn’t eat up a ton of resources on your machine to simply examine the evidence.  It can be run from a thumb-drive if necessary, which can also make it an ideal tool for live response and/or advanced triage on-scene.  The GUI can be intimidating to some who prefer lots of fancy icons and colors, but it too can be customized to highlight certain types of files that may be of interest in your case.  It’s not going to dazzle you if you like the shiny, pretty things, but at the end of the day when you need to get the job done, XWF does it very, very well.  As with all other tools, the more robust hardware you incorporate, the faster XWF will work.  This is particularly true if you’re trying to work and process more than one case at a time, which XWF allows for as a user option.
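To make concrete what "adding a file header to the search list" buys you, here is an added example written for this page (it is not X-Ways Forensics code and does not use its signature-file format): a header-signature scan over a raw image. The signature table holds real magic numbers; the sample image, the hypothetical custom `ACME` header and the helper names are constructed for the illustration. It also shows the difference between a byte-by-byte scan, which catches headers embedded inside other files or in slack, and a sector-aligned scan, which only reports likely file starts.

```python
"""
Header-signature search over a raw image.  Added illustration for this page,
not X-Ways Forensics code; the signature table uses real magic numbers, while
the sample image and the custom 'ACME' header are constructed here.
"""
from typing import Dict, List, Tuple

# Well-known file headers (real magic numbers), keyed by a label.
SIGNATURES: Dict[str, bytes] = {
    "JPEG": b"\xff\xd8\xff",
    "PNG": b"\x89PNG\r\n\x1a\n",
    "PDF": b"%PDF-",
    "ZIP": b"PK\x03\x04",
}


def add_signature(table: Dict[str, bytes], label: str, header: bytes) -> Dict[str, bytes]:
    """Add a header to the search list; every later search picks it up."""
    if not header:
        raise ValueError("empty header")
    table[label] = header
    return table


def find_headers(image: bytes, table: Dict[str, bytes],
                 sector: int = 512, sector_aligned: bool = False) -> List[Tuple[int, str]]:
    """Return (offset, label) hits sorted by offset.

    sector_aligned=True reports only hits at sector boundaries (typical file
    starts).  The default scans every byte, which also surfaces headers
    embedded in other files, in slack space, or in unallocated clusters.
    """
    hits: List[Tuple[int, str]] = []
    for label, magic in table.items():
        start = 0
        while True:
            idx = image.find(magic, start)
            if idx == -1:
                break
            if not sector_aligned or idx % sector == 0:
                hits.append((idx, label))
            start = idx + 1
    hits.sort()
    return hits


def build_sample_image() -> bytes:
    """Constructed 4-sector image: PDF at sector 0, JPEG at sector 1, a PNG
    header embedded 100 bytes into sector 2 (not a file boundary), and the
    hypothetical custom 'ACME' header at sector 3."""
    sector = 512
    img = bytearray(4 * sector)
    img[0:5] = b"%PDF-"
    img[sector:sector + 3] = b"\xff\xd8\xff"
    img[2 * sector + 100:2 * sector + 108] = b"\x89PNG\r\n\x1a\n"
    img[3 * sector:3 * sector + 4] = b"ACME"
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("byte scan, stock list:   ", find_headers(image, SIGNATURES))
    print("aligned scan, stock list:", find_headers(image, SIGNATURES, sector_aligned=True))
    custom = add_signature(dict(SIGNATURES), "ACME", b"ACME")
    print("aligned scan, custom list:", find_headers(image, custom, sector_aligned=True))
```

The stock list never reports the `ACME` header; once it is added to the table, the same scan finds it at sector 3 without any other change, which is the behaviour the paragraph describes.  Note that the embedded PNG header at offset 1124 only shows up in the unaligned scan, which is why a deep examination should not rely on sector-aligned header hits alone.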

If you are used to features like the picture gallery, file preview, timeline (calendar) and details/metadata, XWF also incorporates those and they don’t take forever to load or view.  If you are investigating a potential security breach and your investigation has narrowed to a particular day (or set of days), then a simple click on that time frame highlights the activity for the period(s) in which you are interested.  For all of the tool-specific symbols and icons, XWF offers a full-time “legend” button, just in case you get mixed up between using three different tools and need a refresher as to what the XWF icons mean.  It’s a nice, functional feature.



Conclusions

Having attended a multitude of different training offerings including instructor-led, online and webinar-based, I would rank the XWF training among the best.  Fotis kept the class moving along and knew how to demonstrate everything we covered effectively and simply, and because of how it was presented, we had to pay attention to learn what he was presenting.  He was patient and easy-going and, as his car-pool partner for most of the training, I can say he's a genuinely nice person.  But the true measure of the quality of training is 1) how much you get out of it and 2) does the instructor complement the subject matter and vice versa?  As one who has used XWF for a couple of years, I learned how to do things better, faster and more efficiently.  I also learned many new features I didn't know were part of the tool.  As for the instructor-tool synergy, they complemented each other very well.  The instructor was able to flow with the tool demonstration and instruction, and the tool flowed right along with him.
 
Most of the time, I come away from a week-long computer forensic training drained, knowing that it was necessary, but not looking forward to the next one.  This time, when the training was over, I found myself almost immediately researching when and where the XWF Advanced course was offered and how to make it work with my budget and schedule.  Sadly, it appears there may not be an open advanced course scheduled in the first part of 2016, but I’ll be keeping my eye on the 2nd half of the year and beyond to see when I can take advantage of this great training again.  If you’re impressed with the simple elegance of how your computer forensic tool functions and can help you work cases better, I highly recommend signing up for the next X-Ways Forensics training in your area!

**NOTE**:  Special thanks to the Virginia Department of Forensic Science for hosting this valuable training and making it available to the wider digital forensic community! 

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally
