CEIC Bound

Has it been that long? Sorry folks, I had some personal things to tend to over the last few months so here’s a quick update…

I spoke back in October again at Cardozo School of Law lecturing on the topic of eDiscovery and Forensic technologies. Now, I will be teaching a class at CEIC this May on “Preparing your first in-house eDiscovery matter”. This will be my first speaking attempt at CEIC, but if you happen to be at the conference and not in my class, be sure to look me up & say Hi. I’m always up for a beverage at happy hour. I was told I should also be in a “Meet the Experts” panel put on by Guidance Software.

Regardless, it's been a busy year, but as more engagements happen, I hope to keep this site updated with more content. Thanks for stopping by.

I’m Still Here

Sorry for being MIA kiddos. Sometimes life will catch up with you and throw you a curve-ball, but I’m ready to bring you back some forensic & ediscovery nuggets of knowledge and wisdom.

Some topics I’d like to cover soon are:

  • eDiscovery Law – Things to Remember
  • Tools of the Trade Part 2
  • Life on the Road – Consulting in DFIR

In addition, I would LOVE to hear any feedback and ideas about this site and some of the other posts. Please comment here or you can reach out to me on Twitter at @JasonPickens.

Tools of the Trade (Part 1)

For all the *newbs* that are just getting into Forensics or eDiscovery, I figured I'd share some of my favorite tools that I normally use in the field or in the lab. For those of you in college, you might know many of these. For the rest, I hope this serves you well. Many of these are software tools and the rest are bits of hardware that I have or want to have in my bag-O-tricks.

A disclaimer though: all these tools are my preference, and that does not mean they're the best tool for every job. As always, check your work & check your tools.

COLLECTION:

Tableau TD-2 or Voom Hardcopy III – I'd use either of these. They have made my life in the field SO much easier. They're portable hardware imaging tools that have built-in write-blocking features and are super FAST. On top of that, you can use a USB keyboard and enter in all your collection details so they are saved in your output of choice (E01, DD, Raw, etc.).

Tableau Imager – It's a simple imaging software tool written by Tableau that is easy to use. The main reason I choose to use this tool is because it contains a detailed view of the drive you are collecting, which is great for exporting.

EnCase v6x, EnCase v7x – Collections with EnCase are easy and allow you to preview your data while you are collecting it. This can be done with write-blockers or over a network connection (Enterprise version).

PROCESSING/ANALYSIS:

Forensic Computers – Their FRED (forensic workstations) systems are a great asset for the investigator who has a small lab and needs a lot of horsepower. Be prepared to spend $$, but these are a good investment. They come all pre-configured with tools and goodies.

EnCase v7, EnCase v6x – Outside the collection realm, the EnCase name stands on its own as a powerful & versatile tool that allows for forensic analysis of all kinds. Version 7 is a big change to the previous user interface and I (like many) was a hard sell to change over. However, recently I've seen the benefits of v7 and think there is a good future for it in my investigations. I'll still use v6, but now I have two good options to choose from.

DT Search – My preferred indexing tool of choice. Easy to use, quick & powerful.

RegRipper – A widely known tool that will quickly parse through registry hives and export them to easily readable text files.

Paraben P2 Commander – Many of Paraben’s tools are good at email analysis. P2 Commander is one of my go-to’s.

EnCase Command Center – For eDiscovery & Cyber Security enterprise projects. It's a beast of its own, but a very powerful suite of tools that can be used in the largest of corporations.

Splunk – If you have firewall logs, event logs, and Lincoln logs (get it?!), then I’d use this to index and search them.

Aid4Mail – The easiest tool to search & convert email of all (and unknown) formats.

So this is just Part 1. I plan to do a Part 2, but would love to hear some feedback from the community. All comments & questions are welcome.

Till next time…

Giving Back – Charity in Forensics

PHI·LAN·THRO·PY  /FƏˈLANTHRƏPĒ/

Noun:
  1. The desire to promote the welfare of others, expressed esp. by the generous donation of money to good causes.
  2. A philanthropic institution; a charity

Lately I have been doing some volunteer work where I live (NYC). Also, I have many friends that are involved in charities and a few even run their own. So over the last year, I've been thinking about what it means to volunteer your time & talents to those less fortunate or in need. This has led me to wonder "how can computer forensics or eDiscovery be used as a non-profit or to help those in need?"

It's an answer I haven't found yet. When I Google 'forensics non-profits', my first hit is the Digital Forensics Association. They are a non-profit site dedicated to helping foster the forensic community. I think that's wonderful and there are many other sites (including this one) that want to give back for free and help our fellow colleagues in the field. This isn't exactly what I'm talking about, though.

I had this mental picture of what this might look like. We could be Robin Hoods going into Legal Aid as assets to the volunteer litigation staff with our E01's and write-blockers. Or coming to the rescue of oppressed charities who desperately need RAM analysis because of a malware infection. I was trying to think of an exciting eDiscovery scenario, but let's face it... deduplication and secondary culling are not as sexy. 🙂

I spoke to some higher ups about this once at my company. One idea that was tossed around was to offer free education classes in our field to disabled war veterans who need a new start on life. Not a bad idea, really. I also wonder if there are other ways we could give back to the world as Computer Forensic, IR, or eDiscovery practitioners.

Please provide your comments below and let me know if you've thought about this before or if you have found other ways that I've missed here. You can also reach me on Twitter as @JasonPickens. Maybe with some good ideas we can start our own coalition of FREEdiscovery or FREErensics? I know it's cheesy, but it is catchy!

Teaching Counsel: Part Très

I can't speak a lick of French, so I don't know why I used it here or in "Part Deaux". Maybe I should have used more appropriate trilogy terminology like "Teaching Counsel: A New Hope", "Teaching Counsel 2: Teach Harder" or even "Teaching Counsel 2, Electric Boogaloo". But I digress…

The third installment of this series came in the form of surprise recognition from my lectures on Forensics and eDiscovery. One of the law students I taught was apparently published in an article on Law.com. My AGC at work (who was also the adjunct professor) showed me this yesterday and I thought I'd share it with you. Honestly it's just a small sentence, but I feel it's nice to see the fruit of your labor at times.

Academia Meets The Real World

You may need to register to read the full article, but it's free.

So, with good feedback, hopefully more opportunities will come. Either way, I'm pleased and thankful to the author for the mention, and thankful for the chance to do it at all.

The Basics: EDRM

One of the primary basics of working in eDiscovery is the process model called the EDRM, which is short for Enter Data Release Mutants! Just kidding… it actually stands for the Electronic Discovery Reference Model.

I was in eDisco for a while before I really knew about this term, and only later on did I understand what it meant. Essentially it is an industry-used system of thinking that allows for a global approach to eDiscovery projects. There's a lot of good information out there on the interwebs, but specifically a perfect breakdown is explained on the EDRM.net site. Don't overload yourself here too much at first. Start with the basics.

For the new eDiscovery dude (or dudette) in your office, you should become familiar with the general concepts of EDRM. You may not have any real input or access to all of the stages, but with any new case, you should know what is happening behind the scenes. Know this systematic approach that is repeatable and defensible. That's one of the main reasons EDRM exists in the first place. All of this work is going to legal review, and the courts want to know that the process used is well documented and follows some standard approach that is acceptable.

Another reason is that it creates organization and communication between the multiple parties involved. Legal may need work done, but they can't access ESI (data) on the corporate network. In the same manner, eDisco examiners cannot present the ESI to a trial or court for review. Working between the multiple teams and knowing the steps involved allows for a streamlined process of execution. The goals are the same: to collect relevant data in a timely fashion, cull based on specific needs, and present for review.

The EDRM model looks like this:

Information Management –> Identification –> Preservation/Collection –> Process/Review/Analysis –> Production –> Presentation

If you look closely, the non-italicized items in the middle are where the meat & potatoes are usually done by the eDiscovery practitioners and project management. The rest is where there is often overlap between the Legal Team, Project Management and eDisco people. Think of it as a book-end where Legal starts off and finishes a case. This isn't to say they are never there or involved in any other step, but we're talking generally. Rightfully so, because none of this kind of work would be possible if it were not for the needs and laws of modern litigation.

Take some time to familiarize yourself with the EDRM model. It's becoming a standard in the field, but please note that not all lawyers know this yet, and neither do project managers or IT people. I had to learn this over time, but since I have, it's helped me become a much more efficient and knowledgeable player in the eDiscovery game.

Train of Thought: Forensics vs. eDiscovery

When I first started working in forensics, I was doing eDiscovery work in parallel. This was almost six years ago and in that time, forensics has pretty much stayed the course while eDiscovery has taken a more drastic change in best practices and methodology (from my point of view).

My first experience in eDiscovery was more primitive and used a broader methodology than what I've come to learn and use now. While it wasn't a bad system, I think it was more that the industry at the time was still growing and understanding how to best address a need where there were few players and tools in the game. Actually, my previous employer created their own in-house eDiscovery processing solution which proved to be effective in some ways but still needed polishing. I'd still recommend them, but that's not what this post is about…

It was confusing in the beginning to separate what was a "forensic" job and what was an "eDiscovery" job. Meaning, if I'm to collect & process data, what is the best practice to do this? Should I get a full image of the drive and filter out? What if I just collect files based on a file extension filter, would that be enough? Or maybe the legal team is right by asking that I collect all active files on the drive and network shares? These became confusing, and even once I started to realize the difference between why you do one and not the other, it was hard to convince my project leader or legal counsel to accept my reasons for not going in and doing a collect-all job, and vice-versa.

It took some time, but I think I finally have a solid understanding and ability to effectively collect, preserve and produce data based on a request. So the question still asks… "when should you use forensic and when should you use eDiscovery methods?"

eDiscovery thinking is like this AutoTrader commercial. The cars are files/folders/emails/etc… You are filtering out and filtering out large batches of data (cars) with basic "this NOT that" commands till you get a small subset of what you want in the end. You don't always think this way when you work in forensics (although sometimes it can apply here & there).

When you begin an eDisco job, you follow the EDRM system, which typically starts off with a legal team narrowing down the custodian list, the locations of potential ESI (electronically stored information), and finally keywords; what's left to search for is user-created data. Before you collect one file or email, you have already gotten rid of 1/2 the haystack. Forensics is different in the way that once you have your custodian(s) machines, what you're looking for could be hidden anywhere in one of many drives, partitions, or externally mounted devices. Additionally, how you found your data is just as important as what you found. Both processes can be intensive and require great organizational skills, but eDiscovery methods are more systematic on the whole.
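To make that "this NOT that" culling concrete, here is an added example (my own sketch for this post, not any vendor's tool or schema) of the staged narrowing described above: custodian list, then ESI locations, then file types, then keywords, then deduplication by hash. Each stage records how many items went in and how many survived, which is the kind of documented, repeatable trail the EDRM approach is meant to produce. The sample items, custodian names, locations and the "Falcon" keyword are all constructed for illustration.

```python
"""Staged eDiscovery culling with a per-stage log.

Every filter stage is applied in order and records (stage, in_count, out_count),
so the reduction from the full haystack to the review set is documented and can
be re-run on the same input to get the same result. All sample data below is
constructed for this example; field names are assumptions, not a tool's schema.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class EsiItem:
    custodian: str   # who the item belongs to (from the legal team's custodian list)
    location: str    # where it was found, e.g. "laptop", "share", "mailbox"
    path: str        # file name or path as collected
    content: bytes   # file content (bytes, so binary files work too)

    @property
    def extension(self) -> str:
        """Lower-cased extension without the dot, '' if there is none."""
        return self.path.rsplit(".", 1)[-1].lower() if "." in self.path else ""

    @property
    def sha256(self) -> str:
        """Content hash used for exact-duplicate detection."""
        return hashlib.sha256(self.content).hexdigest()


def cull(items, custodians, locations, extensions, keywords):
    """Apply the narrowing stages in EDRM order and return (survivors, log).

    log is a list of (stage_name, count_before, count_after) tuples.
    """
    custodians = {c.lower() for c in custodians}
    locations = {l.lower() for l in locations}
    extensions = {e.lower().lstrip(".") for e in extensions}
    needles = [k.lower().encode() for k in keywords]

    stages = [
        ("custodian", lambda i: i.custodian.lower() in custodians),
        ("location", lambda i: i.location.lower() in locations),
        ("extension", lambda i: i.extension in extensions),
        # Keyword hit anywhere in the (lower-cased) content keeps the item.
        ("keyword", lambda i: any(n in i.content.lower() for n in needles)),
    ]

    log = []
    current = list(items)
    for name, keep in stages:
        before = len(current)
        current = [i for i in current if keep(i)]
        log.append((name, before, len(current)))

    # Deduplicate by content hash: the first copy seen is kept, exact copies dropped.
    seen, deduped = set(), []
    for item in current:
        if item.sha256 in seen:
            continue
        seen.add(item.sha256)
        deduped.append(item)
    log.append(("dedup", len(current), len(deduped)))
    return deduped, log


# Constructed sample haystack: eight items across three custodians.
SAMPLE_ITEMS = [
    EsiItem("alice", "laptop", "Q3_forecast.xlsx", b"Project Falcon revenue forecast"),
    EsiItem("alice", "laptop", "vacation.jpg", b"\xff\xd8\xff JFIF not relevant"),
    EsiItem("alice", "share", "falcon_plan.docx", b"Project Falcon launch plan"),
    EsiItem("alice", "share", "falcon_plan_copy.docx", b"Project Falcon launch plan"),  # exact dup
    EsiItem("bob", "laptop", "notes.docx", b"Project Falcon meeting notes"),
    EsiItem("carol", "laptop", "falcon.docx", b"Project Falcon"),       # not a custodian
    EsiItem("alice", "mailbox", "msg1.eml", b"Re: Project Falcon"),     # location out of scope
    EsiItem("bob", "laptop", "budget.xlsx", b"Departmental budget"),    # no keyword hit
]


def run_sample():
    """Cull the constructed haystack with a constructed scope; returns (survivors, log)."""
    return cull(
        SAMPLE_ITEMS,
        custodians=["alice", "bob"],
        locations=["laptop", "share"],
        extensions=[".docx", ".xlsx", ".pdf"],
        keywords=["Falcon"],
    )


def format_log(log):
    """Render the stage log as the kind of table you would paste into a collection report."""
    lines = [f"{'stage':<10}{'in':>6}{'out':>6}{'dropped':>9}"]
    for name, before, after in log:
        lines.append(f"{name:<10}{before:>6}{after:>6}{before - after:>9}")
    return "\n".join(lines)


if __name__ == "__main__":
    survivors, log = run_sample()
    print(format_log(log))
    for item in survivors:
        print(f"{item.custodian}/{item.location}/{item.path}  sha256={item.sha256[:12]}")
```

Running it on the sample set walks the haystack from 8 items down to 3, one stage at a time; swapping in a real collection manifest means only replacing `SAMPLE_ITEMS`, the stages and the log stay the same, which is the point.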

That's one way I think about it. The other is to pay close attention to the requirements of the job they want you to do. More commonly you'll hear people want a "forensic job" to collect all the Excel files on a network share and some laptops, and request full images and then all the .XLS files. Clearly this is not forensics and should be addressed as such. In rare cases, I've even had to redefine an eDiscovery job because they wanted a broad collection of user-created files in a location, and also realized some of these files may be "deleted" and that some could've been copied off to USB drives and some laptops to steal intellectual property.

More recently you may hear someone say it's a 'forensic job', but it's your job to understand what it is they really need. Not everyone requesting you to work on a project knows enough about your industry beyond some broad concepts and some buzz words like "forensics" and "unallocated space". Don't let that dictate what you ultimately need to do. Listen to what is requested and always ask questions to get the real scoop on what it is you need to accomplish. Lately, I've seen this becoming less of an issue as people on both sides are learning not just about eDisco and forensics, but also about how different they are.

My apologies for the length of this post. I hope it's not boring. I'll try not to do it again. :)

In The News: Forensics and Broadway

I was doing some news searches this morning and came across a recent NY Times article about how someone in the forensic community decided to use their experience to analyze what many in the uber-fan club of musical theater would consider their holy grail. I'll have to admit, I've seen my share of Broadway shows and I actually performed Off-Broadway a few times (that's a different story altogether). So I can speak with a bit of interest on both sides of this coin.

You see, back in the day, we saved everything onto floppy discs… everything. When Jonathan Larson, creator of the show RENT, began his journey back in the early 90’s, he used his computer to compose & write the script for the show over a period of years that ended up in 189 floppy disks (about 272MB of data).

I’m a little disappointed that I didn’t know about this event in time to catch it. The talk took place after the analysis was performed to explain and discuss findings. The talk called, “’How Do You Document Real Life: A Tale of ‘Rent,’ Jonathan Larson’s Floppy Disks and Digital Forensics,” covered how the person acquired the data, imaged, emulated, and performed other tasks as stated:

Mr. Reside’s first step, after drafting a study plan and getting the necessary permissions, was to make bit-for-bit copies of all the files. He then hunted down vintage software and tools like the Basilisk II emulator, which allowed him to see the files exactly as Larson had seen them, right down to the chunky fonts and irritating pop–up error messages.

I think the overall purpose of this talk was not necessarily about digital forensics, but using the tools of our trade to discover or uncover a history of how someone’s creative mind used technology in an earlier time period (even if it was less than 20 years ago).

We can all be digital archaeologists, right? Hmm… maybe I'll add that title to my LinkedIn profile.

Taking my own medicine.

I'm about to embark on getting my EnCEP certification for work. That's the EnCase® Certified eDiscovery Practitioner, if you didn't read my earlier posts. It's a 2-part exam that focuses on the primary uses of the EnCase eDiscovery software suite (navigation, collection, filtering, culling, criteria, processing and so on), as well as asking challenging questions along the lines of eDiscovery best practices, the EDRM model, planning and project management.

I've had my EnCE for a while now, and that test was no walk in the park. Seeing how I am knee-deep in eDiscovery tools (especially EnCase and ECC), I feel confident in getting this done sooner rather than later. However, I don't want to stop with the EnCEP. Having another certification under my belt before the end of 2012 is a goal I want to achieve.

The question after this test would be… which should I go for next?

A New Year

Happy New Year, and I hope you all had a pleasant holiday. I took a bit of a much needed break, but I'm now looking forward to keeping this site updated with (hopefully) new topics, tools, and insight for anyone trying to get going in DFIR or a similar field.

As always, I’m open to discuss any topic you would like to see here or to clarify anything I have posted before.

Cheers,

@JasonPickens