Over the many years I’ve spent training local, state, federal and law enforcement organizations on forensic methodology, one story always sticks out in my mind as I prepare for courses. As I get organized for the upcoming Computer Forensics & Incident Response for Investigators course on July 27th – 30th at BlackHat USA in Las Vegas, or hear about another breach in the news, I’m reminded of the following story once again.
A certain engineer retired from his job of 37 years at a very productive factory of a very well-known company. Prior to his departure, he trained three young college graduates with engineering degrees on the ins and outs of the factory. Because the retiring engineer did not have a college degree, his replacements quickly discounted his admonitions as the ramblings of an "old man".
About one week later, the retired engineer's phone rang, and at the other end was the plant manager. A problem with a machine on the production floor had ground the factory to a halt. For several days the three young replacements had tried to resolve the issue but had made no progress. The plant manager pleaded with the engineer to come back as a consultant and help identify and correct the problem. The engineer gladly agreed.
An hour after that phone call, the old engineer arrived at the factory with nothing but a piece of chalk in his hand. Staff quickly escorted him to the production floor. His young replacements glared at him, certain that he would not be able to help and involving him was an obvious waste of time.
The engineer put on the safety glasses that had hung around his neck for almost 20 years and walked around inspecting equipment. He tapped on a machine here and there, examined a few gauges and finally focused on one piece of machinery in particular. He turned his head to the right to get a close look, and then to the left. He pulled up his safety glasses, squinted as if to focus on something very small, and quickly set the glasses back on his nose. He then took the chalk and marked a piece of equipment with a white "X."
"Replace this" he said, "and you will be back up and running."
Immediately his young replacements protested, insisting incredulously that they had already checked that piece and determined it was definitely not the problem. They had used the latest diagnostic tools to perform system checks on that part, and the tools said the device was functioning properly. The plant manager looked at them and affirmed the old engineer's diagnosis—the component marked with the "X" had to be replaced.
After a few hours the part was replaced and the system was powered back up. The factory sprang back to life and production returned to normal. Crisis averted.
A few days later the old engineer's phone rang again. Once more it was the plant manager, this time flabbergasted at the bill he had received: $50,000, with a single line item of "consulting fees." The manager stated that the invoice was unacceptable and that, for that kind of money, he needed a line-by-line breakdown of what could possibly cost so much for less than four hours of work.
The old engineer agreed to the manager’s request and sent him the following invoice.
1. $1—box of chalk
2. $49,999—knowing where to put the "X"
For some reason, many forensic investigators think tools solve cases. During my tenure in this field I have frequently heard statements like, "I wish I had a tool that did this!" or "If only there was a tool that did that!" Likewise, there is a fever pitch whenever a new forensic tool is released: a sense of wonderment and the ever-lingering question, "Will this be THE tool that changes everything?"
Since 2009, many of us in the forensic community have spoken, blogged, tweeted and presented at conferences about shifting focus away from tools and onto methodology. We have gained some traction, but we still encounter heavy opposition from practitioners who want to hold on to the "old ways" and their heavy reliance on tools. This would be fine if we were dealing with 20-year-old technology in strictly post-mortem cases, and were only being asked to perform simple tasks such as finding CP or comparing file timestamps. I cannot speak for what your cases look like, but ours at Trustwave...yeah...they’re a bit more complicated.
We go after answers, not data. We use a sound, repeatable, consistent methodology that has been proven in more than 1,500 cases (450 last year alone). It has withstood the scrutiny of both criminal and civil litigation and has helped Law Enforcement at all levels put bad guys in jail. It just flat-out works.
As technology marches ever forward, computer forensics and incident response get more complicated, not less. Operating systems change, networks expand and data storage grows exponentially. Add mobile devices and cloud computing to the mix and there are suddenly so many places for trace evidence to reside that the old "shotgun" style of forensics, imaging and sifting through everything in the hope that something turns up, is no longer viable. There has to be a shift in thinking, or responders and investigators will quickly become as obsolete as 3.5-inch floppy disks.
So what's the answer? In the vignette above, the old engineer used his knowledge of and experience with how the machinery worked to place the white "X" on the correct component. He didn't rely on a tool to make that decision for him; the tools, in fact, had reported that the part was fine. Instead he used the most effective tool he had in his toolbox—his mind. His years of experience and expert eye let him know what "normal" looked like, and that is what gave him the ability to spot the abnormality, however insignificant it seemed to everyone else.
By combining our existing knowledge of how crimes are committed and why criminals commit them with our understanding of computing fundamentals, we can formulate a clear and concise path on which to base investigations. This knowledge, coupled with a proven and repeatable methodology, can take you from being an average investigator to being an exceptional one.
I hope you will join me and learn exactly that philosophy at the Computer Forensics & Incident Response for Investigators course in Las Vegas, NV during the BlackHat USA Training sessions. You’ll engage in hands-on labs and instructor-led demos in a "real world" environment. There are a lot of bad guys out there, and as with the story of the "White X", experience in the real world is often the best way to understand their modus operandi.
Click here for more details and to sign up today.