Hi, I'm David Smith. This is Samuel Petresky. I work at Georgetown University. I also own my own digital forensics company. Everything is in the guide. Samuel Petresky worked for Georgetown University as well. I run my own consulting company, mostly in network security architecture, so I design big stuff that would fit in the enterprise. And we're going to talk to you about forensic methodology here. So I came up with this idea. I was actually reading a white paper, and it was a fantastic white paper, and I definitely recommend you go and take a look at it. I put the important things up on the screen. But it compared a lot of digital forensic methodologies, broke them up into standard phases, and showed which ones have which. And it's just kind of that normal, go and collect it and make sure you have your warrants and all those types of things. But it did a really good job of just saying, hey, there are so many out there. What's missing? And so with a lot of the methodologies, I thought none of them out there were really what I taught. I run teams of forensics folks, and I'm always getting a new guy, and having a good guy that's learned a lot of good things head off to his own organization or start his own company. And so I found myself in the same little groove of, here's what I want you to do and here's how I break it down for you. So this was the idea I had: why not take all of these processes and turn them into a real methodology? And I did really, in my head, say, okay, what's really the difference between a methodology and a process? And so I broke it up. And so what I think I really have is the methodology. So to start off, we're going to look at some of the existing methodologies, how they compare, and kind of look at what's really good about them. And then we're going to try to show you where our methodology really fits in.
So this is the first paper, the one the idea came from that Dave was talking about initially. This is a really good overview paper. So if you want to find out what kind of methodologies are out there and how they propose that the forensic work works, they analyzed about 13 different papers. It's a little bit older now; I think it was published in 2008. But they looked at 13 different methodologies, and they found that different methodologies had different numbers of phases. Some of them had four phases and some of them, I think, had 21 phases. And so what they did is they grouped everything into five common phases on the right-hand side, as you can see there. And then they mapped the existing phases that each methodology had into their four or five phases here and saw where they would fit in. And so the conclusion of the analysis paper was really that most of the methodologies out there would fit within the four phases, most of them fit into the five phases of their proposed model. But in essence, all the methodologies have the main components there. Who's a Brian Carrier fan? Cool. So as I mentioned, the thing that we found is that the different methodologies have the same main components. Basically: how do you authorize the investigation? Do you get the right data? How do you acquire the images the proper way, so it's admissible in court later on if you need to? Then, how do you define the valid technologies or techniques to find the data that you're really after? And then at the end, how do you report this in a way that's really meaningful to the requester and shows that the information they requested really is there, or isn't there? So quick show of hands. How many of you are just getting into forensics, like just getting there? Excellent. How many of you do forensics on a regular basis, medium level kind of? And how many of you are experts who do this in and out all day long? Okay. Excellent.
So I think our presentation here is mostly going to focus on the beginner and the intermediate level, people that know what to do with forensics, and show them some tools and methodologies they can use there. And from the experts, we really want their input, because at the end of the day, this whole methodology is how an expert digital forensic analyst has the conversation within their head when they're analyzing a methodology or when they're performing a forensic job. So we really want to pick their brains, get the information from them, and then have that information available for everyone to be able to go through the process, and at the end of the day, we should all be able to produce the same type of result. So a couple of other methodologies that we looked at. Really, what's the digital forensic methodology? The Department of Justice has a process overview. They outline seven different processes there that they think, or they want, to use in their methodology. And so they have everything from obtaining the data, getting the proper authorization, getting the requests done properly, acquiring it, extracting the important or the relevant data out, analyzing it, and then producing the report, and then kind of an overview of the whole process, what worked. And so they go into a little bit more detail in each phase and have a pretty good flow chart. I'm not going to go through them, but if you're interested in figuring out what their processes are and what they recommend doing, it's pretty neat. And so they have the preparation and extraction phase. They go through the whole flow there of how you go through the whole process of getting the data the proper way and acquiring it. And then the second is the identification. So we have the data now, but how do we find out what's really important for the case type that we're working on? And then the third one is really the analysis, right?
We've got the data, we have the information there, but now we need to analyze it to see what's really in there. And so their iterative process is pretty good here in going through all the steps of who, what, when, where, you know, how, and all the other processes to get the right information there. This is my... yeah. So kind of a conclusion of the overview. They're really good processes. There are methodologies that have been documented. There are a lot of white papers that, if you really are getting into this area, I would highly recommend reading. They're very valuable. The Integrated Digital Investigation Process: they have a really nice paper out there that outlines the whole methodology that they recommend. And there is the Digital Forensics Research Workshop, which publishes different papers all the time. And they also, you know, talk about those five phases that we mentioned initially. And then the Enhanced Integrated Digital Investigation Process, they even have a dynamite phase. How cool is a methodology that has a dynamite phase? So anyway, that was kind of the overview. And what we want to get into is, what are the problems with digital forensics? Why is it hard? Why are there experts, and why do people have a hard time picking it up and learning it? And I think the number one answer is that it's an open solution set, right? There are many ways to find the answer that you're looking for. And I'll talk about a few of those in a little bit. But there are many, many ways of solving it. It's a lot of self-teaching and just sitting with it, right? You can sit there, and an expert will take two hours, and somebody who's just learning it may take 12 hours, whatever. But a lot of it is just sitting there. You're like, I'm going to run this registry tool. Oh, that didn't really pay off. I'm going to run all the link files. I'm going to do this. I'm going to do that. And then it actually takes a lot of discipline.
So one of the differences I see between beginners and experts is that the experts are really disciplined. They're like, I'm not going to do keyword searches on all these terms, because I know it's going to produce, you know, two million hits and I'm not going to cycle through them, right? So it's that patience. It's that determination to stay on target. And I just had to say it. And you also have to do a lot of learning while you're sitting there, and there's going to be something new, right? So the first time you got a job that had a Vista shadow copy, right? And you're like, shadow copy? And you're like, oh, great. How do I do this? And you're looking it up on SANS or trying to talk to Rob Lee or something like that. So you've got to learn new things while you go, and you've got to be quick, and you already have to have the foundation so it's not a big time sink. And kind of where we got into the expert is that all of these things improve over time. So the more you do, the easier it is next time. And, you know, RegRipper over the AccessData registry tool, right? Which one is going to do the right thing for me? Should I build my own custom templates? I don't know. These are things you learn. So the open solution set example I always give. I used to give another one, and then I read Brian Carrier in 2008, and he actually used this one, which I liked a lot better. But you arrive in the break room, there are five people drinking coffee. The coffee pot's empty. How do you determine who drank that last cup of coffee? It's an open solution set, right? You've got to think there's a hard-boiled veteran detective out there that could bust that case in five minutes, and then there's me, right? I don't know jack. You know, it might take me five hours. But anyway, anybody want to give me an idea of how I determine who drank the last cup of coffee? Right there. Ask them. Okay. Interview. That's in there. All right. So this is my first round.
Temperatures, the amount of coffee in each cup, the strength of each coffee, right? It's going to be stronger at the end. I just want to keep going. I've got about ten of these. This is one of the questions I ask everybody who ever works for me. Like, give me something new. What's that? Okay. They're right. There could be a sixth cup of coffee out there. Amount of coffee grounds, right? You know, hopefully there's more at the bottom, so the last person might have some more. Obviously there's interview. Interview the group, interview individuals. Yep. There you go. Does video exist? Develop a timeline, right? You know, temperature of the coffee. That was one I got a little while back. That is actually from the Brian Carrier example. He's actually doing it for a different reason, about the statefulness of computers. But, yeah, offer a reward. I like that one too. So it's really great. I get some all-new ones, and I'd like to add them. I don't have them all listed. I keep a little wall of this example. But it just kind of shows that there are many, many ways of doing it. And how do we get the most optimal? How do I become that guy? Now, last one? Yeah. That one's mine. We were trying to come up with something off the wall at some point, I think over a beer. And I was like, we're just going to hold them, right? It doesn't have a good payoff, because it might be a really, really long time. But anyway, the point is, is there a combination that can produce a higher-probability answer? You know, what can I do? It's always tough to get the smoking gun that's 100%, but, you know, if you get enough data, enough information to draw conclusions and support those conclusions, you're really good to go. Be efficient. And this is what experts do, right? So these guys right here in this row, they're all sitting together. They've probably done a ton of these things already and can say, this is enough to provide the conclusions that I need. Let me know when we switch.
And then this is another one. It's a thought experiment, kind of along the same line, where I'm saying, this is why we did this and this is why I came up with some of these things. But if we took three different skill levels, let them talk to the requester, ask them any darn question and go do it, what would we really expect? If we had an expert, somebody who's been doing it for two or three years, and somebody that's pretty new, you know, what are the results going to show? How varied are they going to be? And of course that's what I'm trying to fix, right? So if we gave them 20 hours and said, oh, you know, instead of unlimited time, we've only got 20 hours to report, you know, are the findings going to be different? You know, is the expert going to knock it out in two hours and go drink some beer for the rest, or what? And then drop it in the water: we need an answer by the end of today, right? And does that mean I'm going to do, you know, a super timeline, which is going to generate for six, seven hours? No, it doesn't. So anyway, where we fit in, and this is for the analysis phase, we're not really going to focus on what the methodologies do right now. I mean, they do a great job of telling you to go get the data and to grab the data, but when you get to the analysis phase, where we put up that DOJ slide and they were like, who, what, when, where, how can we do a better job of maximizing our time with the requesters, right? I mean, a lot of places have forms and things like that, and it's really hard to have an interaction. I think the biggest thing for me in digital forensics investigations is getting that right initial contact down, right? They're going to come in there and say, this is what I think I want. And you're going to go in there and say, this is what I can do. But how do I maximize that? How do I really get like, these are the goals? And how do I come in there? How do I go forward?
So these were kind of our goals and the questions that we had as we went. And can we really achieve consistent results in the field? I think we can get better, but actually, fully consistent? No. So here's what we came up with. And again, this methodology is just an overview; Sam's going to get into it a little bit deeper. But we've really set it up so it's part expert system, part process. So when you go in and you're talking to them, we've got a tool that we're working on. But anyway, it's got case types. And the case type might be compromised machine or intellectual property. And on there, they're going to have common case goals. I mean, these are the things that you see all the time. I want to know if this document left, or I want to know who this person emailed, and all those good things. And so you start with that case type. You can go in there with a little bit of knowledge, or have it on hand when they start to tell you what they want. We broke it out into three. Their question is going to be the pre-analysis phase. The last thing you really want is, you know, that requester coming and getting your report after all this work and saying, oh, you know what, I forgot to ask you. I want to know if this malware compromised any of my other systems. So that's why you've got it in front of you. It's going to be a common case goal for compromised systems: do you want to know if there are additional exposures? Once you get that, it's golden to get the agreed-upon case goals. You've got to walk away with it. It's completely understood by both sides. Because if you go out and you're working a case for a lawyer or something like that, and then bam, you give them what they want and he's like, great, I can't use it. I really needed to know if these PDFs ever existed. So if you can't get that, you're in big trouble, and you're going to have to go back, and you're going to have unhappy customers, because they're spending a lot of money.
So anyway, by developing the required list and the beneficial list, you can provide a case estimate. And that's a really, really big deal for me. Because you get people, you get these expectations. If you can be as close to correct as possible, then you're not having people saying, I thought it was only going to cost a thousand dollars, or I thought it was only going to take ten hours and my lawyers are waiting, standing by. So getting into the analysis, I'm going to go through it quickly, because Sam's going to go pretty deep into this. Determine the methods. And this is kind of where we started getting into that optimal case: I'm going to find out how this machine was compromised. What's the best way? What's going to take the least amount of time? Just going back to that coffee cup example, what's going to be the best answer in the shortest amount of time? And then for the SPM, or I'm sorry, for the analysis where we do an index, we're actually estimating the analyst's skill with that method and those types of things to actually generate what we call the SPI, and put some time limits on it for reevaluation. So if you think maybe you need to look at, hey, putting this one on hold and going for something else. That's it. So some of the details. We want to develop an analysis phase for digital investigation. So we want to have a good understanding of what we're trying to accomplish, and then we're going to try to organize, because every case type is not the same. A malicious activity case type is different from a pornography case or examining cell phones for malicious activity. So there are all different types of cases. So we need to organize our cases differently and then have different types of goals for each case, because we just cannot use a standard questionnaire for all the different case types. And then the other thing we want to do, also at the beginning, as Dave mentioned, is implement a time management process.
We know for this type of case, if the hard drive has 80 gigs of data on it and we need to analyze it for this type of case, then most likely we're going to have these four or five goals that we have agreed on, and they are going to take a certain amount of time. So we want to definitely understand all of that and know what we're looking at. And then part of it, again, is the expert system. An expert person would just likely know, okay, I have a 120 gig drive, I need to produce these types of results, it's going to take me five hours, ten hours, whatever the time might be. So the goals of the methodology: develop better pre-analysis information, so before we start, we know what we're dealing with; then achieve better time estimation; and then, how do we provide that information? So the three components to our methodology are pre-analysis, analysis, and structured time management. In the pre-analysis we define in depth what kind of information we want from the requester and how we get the right questions in there. And then during the analysis is when we sit down and try to figure out how to answer those goals that we have agreed on. And then the structured time management kind of fits into both of those phases. Initially, when we develop the case goals, we know how much time we're going to estimate, and in the analysis we have a measurement of where we're spending our time and how much more time we have left. Can we achieve those five goals with the time we have left on our plate? So the pre-analysis phase we broke down into two different processes. First is you meet with the requester. That's the easiest one. You sit down and say, okay, what do you want at the end of the day? What kind of information should I produce? What are you looking for? He says, well, I want you to find out who compromised this machine.
But then, as the expert, you want to go back and kind of refine those questions and get the information that's going to help you at the end of the day to produce the report that he really wants. So that's a more iterative process. You have a conversation with the requester, and you go through the different questions that he's asking, and you refine his questions to give you the information that you need. Some bigger forensic companies have developed their own questionnaires, and they use those as a standard. They're pretty good, because you don't have to meet with the requester. He fills out the answers to the questions that you have there. However, they tend to take a little bit more time, and then sometimes you might not get that personal interaction with the requester and really understand if he's getting the questions that you're asking on that questionnaire. But those are just different types of questions that you can ask and get from the requester. Then, so we've got the information from the requester. We know what he kind of wants. Then an expert is going to say, well, okay, this guy has that, but for this type of case I know that these are common goals that should always be answered, right? So we find out how this machine was compromised. That's what the requester asked us, and then the forensic analyst will say, well, determine what the attacker really did on this machine. I mean, yeah, we know that it got exploited through MSO640, whatever it is, but really, what did they do after they got into the machine? And then we also can have common goals based on case type. This is basically what we see the industry usually does, right? For a network break-in, these are the types of logs, this is the type of information. I want firewall logs. I want IDS logs. I want all of this standard procedure that you're always going to ask for.
And then a forensic analyst that has some experience is going to come back and say, yes, this is really what they wanted, this is what the industry says we should do, but really, to solve this case, these are some of the additional goals that I need to include here to provide that information. And then we are gathering all these goals, right? And then we also need to have a process to give us a time for each goal. How do we determine the time that's going to be needed to process that goal or to deliver that information? And then this is where we find out the required information and also what's beneficial, right? We must have the image of the system to process the case, right? But it will also be very useful for us to get the logs from the firewall or from the other machines on the network. And then what does this give us after we have done this outline? We really know what we're after. We kind of have a schedule or a plan of what we're going to attack now. We have the primary data points, and then we know what our resources are and what time is available, and then we need to start breaking it down in terms of the tools and everything that we're going to use. But this is going to give us the information for where we need to get started. And then I think the determination for the case type. If we have a malicious activity case, standard goals, let's say 4.2 methods that we need to use, and then for the analysis I'll need about 20% of the time to produce this type of case, then we can generate an SPI index that will basically help the analyst know how valuable it is, or how much time and effort it's going to take to produce this goal.
And again, this is what we mentioned in the beginning: it's the expert that goes through it in his head and says, this is what I usually did for this type of case, this is what I did last week, these are the things, if I need to produce the registry report, the web browser history and these other things, usually it takes me 5 hours processing time, I'm going to add 2 hours buffer time, and then I should be able to get the report done in 10 hours. And then the case goal estimation time, right? It's very important to be able to provide the requester, at the beginning or after that initial conversation, with an estimate and tell them, okay, I'm probably going to need about 10 to 15 hours, because they need an estimate so they know how much you're going to charge them at the end of the day. And so producing the appropriate time estimate is really going to let them say, well, you know, this guy is really good, we asked for all this information, but really we can't afford it. So we'll cut some of the goals out. Or no, we're going to add some more goals, because we really want more information out of that. And I think the next thing is the analysis. I just want to add on to that. There's that expectation you set right away. Whether it's internal to your organization or whatever, just setting up that expectation: if they really think you're going to do it in 10 hours and you end up at 20, 25, you're not making friends, you're not giving them trust in you. That, to me, is the big reason for estimation and getting the estimation dead on. So now we get to the fun part, right? It's the analysis. This is where you actually get to sit down, you know, you've already got your goals and you've given an estimate of how long it's going to take you to do it. So yeah, we want to achieve the case goals that we've determined and agreed upon in the optimal time, right? So we developed an index so we can rate all the different methods of solving that goal.
It's just a simple algorithm, and we want to generate the highest probability based on the time. So we actually use the probability. We wanted to use a different algorithm that was actually used for gambling, about probability and how much of your bankroll you should use. But the SPI is generated based on effectiveness, level of effort, compatibility with your tool sets, whether you have them, is a good reason, and then the familiarity with the method, right? So if you've never used RegRipper or any of the registry tools, we want to know that, because then we can actually help you estimate which one is the best for you if you've already got experience doing XYZ. Yeah, that's going to come out with a little bit higher score. The software we've developed actually has it where you get to choose some of these things, and you can add values, and it can actually, you know, do it dynamically. And you can actually use it in the pre-interview process when you're talking to the requester. You know, when you're working up those goals a little bit, you can actually see those numbers if you so choose. For methods, you know, this is actually in the software. Right now it's in a spreadsheet that, you know, we've almost got ready. We had some problems with Chrome, and I didn't want to just put it on Firefox only. So anyway, but this is what we list for each method, and so what we're hoping to do is, when you have a case type like, you know, intellectual property, then we're going to have a whole bunch of methods, right? So if you've got, you know, review usage data, you're going to see super timeline, and you're going to see, you know, registry rippers, and you're going to see link files, and all kinds of good things like that, and these are the fields that we use. Not too, too exciting. And the goal of it really is to get the best bang for the buck, right? You know, this is what we think will give you the highest probability of solving that case goal. You might have ten, you might have two.
But we're going to run it through. And I think I already went a little bit into what we mean by methods. We specifically didn't want to be tool-based, right? We wanted to use generic things, you know, generate web history or generate system usage or whatever. But we just didn't want to get into specific OSs. That's something that you could weight for in SPI, but, you know, that's also where the expert comes in, right? The expert is going to say, this is the right tool for this job. And it may fit into a category of, you know, web history generators. But, you know, if you're looking at, I don't know, 60 gigs of web histories, you know, you're not going to use something small, right? So part of it is that it is probability-based. I threw the function up there that we use. I also threw up, you can take it right up to the spreadsheet if you really want to do it yourself. It's really not too exciting. I wanted to break out machine time and person time, because a lot of times you can have machine time running, running, running, and your person time is what takes up the value when you're doing this. So if you've got something that's 10 hours of machine time and one hour of person time, I want that weighted higher than the reverse. And, of course, we couldn't address everything, right? You may not be willing to buy this tool kit for $4,000 or $5,000, or whatever they charge right now with its Oracle license, but we also didn't know what the expertise was. So I wanted to have some things in there saying, hey, some things may be heavily scripted, and if you don't have that, then SPI can't predict that. We try to be very descriptive in the methods, and kind of what this method is and what it does. But then there are also some environments. If you don't have anything to look at, like my BlackBerry or my iPhone, then we just couldn't foresee that in this algorithm and listing of what to do.
I think the big thing here is really that experts have these things already. They already know what tools they have, and they already know what they're missing. If they get a forensics case that's mobile-based, they're going to say, I can't do this. I need to send it somewhere else, or they're willing to go out and buy it. But they also understand the failures of methods, right? How did I miss a deadline? And what did I do wrong? We're just trying to really take that data and plug it right back in. It's what I do when I've got my teams. First, when they're new, I'm like, break a case down like this, and then go after this and go after this. Because I already knew that, hey, you're going to get better results with the web histories than with pulling the registry. Or you're going to do better than going through and scanning all the files and doing your keyword searches, and trying to take some of that back. So there are two factors in the time estimation, right? There's the data size. If you get a huge amount of data, I need to be able to account for that in the SPI, because that goes to the machine time in a lot of cases, and hopefully what you get out at the back. But then there's the skill level. And like I said, the skill level comes into determining what is the right tool for the right job, or knowing the limitations: the web history tool doesn't even know about Chrome, so why am I going to bother with that? Providing the ability to budget time based on the expected results. It's a good way to go. It really sets up that goal. And then that way, if you go over by your 20%, you're like, okay, stop. Maybe this isn't the right tool, or maybe this isn't the right method that I need to use. And of course that ties right back into the time management strategy. So you've made it past all the dry stuff, I'm assuming? You made it past all the methodology, and hopefully it gets a little bit more entertaining here.
I wanted to take three cases, but it turned out that it just got so big and unwieldy that we couldn't. We just did it with one. The case study that we're doing is one of the intellectual property cases. It's actually a combination of about two or three. You don't have to read that, but that's what you would get in the SPI. You're going to get this thing that says, here's what a case type is, right? Experts here already know what intellectual property cases are and what they normally involve. And in this particular case, the employee left and started a competing business. The hire date and last date, they were given those times, and then they had an assigned workstation, and so we of course had to go image that workstation. Give me a time check. So we went to the initial meeting, and of course in this particular case it wasn't through my organization, it was through my own digital forensics company. They got there and they're like, we don't know what to do. So we're sitting there in that initial meeting and they're just like, what? And we're like, well, did they take your vendor list? Did they do this? Did they do that? And so we actually generated the common case goals, and they were identification of specific documents and parts of documents. So we knew we were going to have some fuzzy hashing in there, and system use, and did it connect to USB and copy stuff off, and all these good types of things that you normally get. And wow, that's not cool. Let's say I do a little magic there. So these were the agreed goals that I walked away with, right? We want to know about the USB. And it was amazing that once they got going, they really came up with a big, big list of, here's all the things we want, and then we started kind of bringing it down. And it's not atypical. I think typically you're working in an organization, and they kind of know what they want, and they're not completely new to asking for things like this. Cool.
So this is what we ended up with, the agreed goals, and we added a few, right? We wanted to extract some instant message logs, because right away we saw there were definitely some recoverable deleted files they never even mentioned, and we performed a memory analysis before we went and shut the machine down. So we got our required information. Again, this is what experts do; they don't even think twice about it. These are all in their head. These are the one, two, three, four, five methodologies that we talked about earlier; they don't really cover a lot of this. They're really focused on getting you the image and getting you the authorizations and the warrants, and then going through and finding this stuff and building a report. And so we were really focused on just the analysis phase: how do we go in through this? So we got our beneficial information. We actually got them to give us a full case background, which was pretty cool. We got all the names, and this is one of the things I like to do, and I mention it later too. I love to build dictionaries of all the different words and things that are important to the specific case, not just throw them into a big giant search list, but actually then go back and prioritize them. So they gave us all the work product names, the processes they do, and all these unique, distinct names that were going to help us find things. So anyway, for the pre-time we actually came up with 28.5 hours, because they had a lot of goals, and that includes all the processing time and all that good stuff. And so we pulled up, and these were some of the common methods from the SPM, and those are some good ones. And I think later, actually, here we go, we pulled some of these out, and these were the SPIs that were generated. So in this case they are a little bit out of order. It was really extraction
of emails for analysis based on the case goals. We had recovered deleted files, just because of the time it took to do it and the value that it had, and then of course the fuzzy hashing. And again, if we were just doing it for one case goal we would probably start with the top method, but when you start getting into multiple case goals and tiering them, then a lot of times you just set things up to run. The hash files is a must-do no matter what the SPI is, because they want parts of a document, to see where it existed. And sure enough, and I'll get into some results later, they actually took some of the work product, came off, put the new company in, and had copies on the workstation that they worked at, you know, the previous employer. So that was fairly interesting. Here were some more for system usage. I love Super Timeline. That wasn't a part of it originally; it's been gaining popularity, and with some of the new tools you don't do anything really. You just plug in your SIFT workstation and set up log2timeline, and it actually goes and finds the server for the time, Super Timeline, and puts it together. It's a fairly long process, though. So as you can see, some of the SPIs that I could do with the registry analysis and those types of things were going to happen faster, and they were what you wanted to do, because Super Timeline analysis is mostly something you don't touch until you actually get to the analyst part. You just let it run for five hours, and then you look at the results for the time you care about. That was pretty good. So again, if you're an expert, these things all come naturally to you. You know the case better than I do: I know I want exactly this, I'm not going to even bother with this SPI. But it's getting that knowledge back. How do you mentor somebody else? It's this kind of thing that can help you as a mentor. You can say, here's exactly what you should do, but it's hard to say here's why. You can break it down and say this tool is better than this tool, and this
particular job that does this particular thing, and here's what we're licensed for and here's what we don't have a license for. So, those types of things. Here's what we found. We found, obviously, the identified documents; those were easy enough to find. We had lots of link files that actually led to them taking documents, putting them on their USB drives, and then looking at them, so it was pretty easy to put this whole thing together. There was a hash match to the zip file for the name needed, and it was actually the name of the new competitor, that zip. So we found it in a variety of ways, but when we broke out all the files and looked for the specific files they really, really cared about, those vendor lists, those customer lists, we found, since we did a lot of fuzzy hashing, it was something that we just ran in the background, and then we didn't have too many false positives, and it led us to directories with the new company's name, where they really just took the entire contracts and just swapped out their old names. So they weren't even going to pay a lawyer to build a new contract for contracting services. It was kind of nutty, yeah. The extracted and processed mail was really interesting. I'm not going to go through it all, but I think we're doing good on time, right? I'm not going to go through it all, but yeah, there was a ton of IMs. It was amazing what this guy was actually doing. Let's see, offer sent to FedEx last minute. So we had the whole, when they got asked to join this new company, it was actually that they were partnering with somebody else to start the new company. The exit strategy there was a how-to, like, here's what you should say when you leave, and here's the best way of telling them that you're going to a competing company and that you're hopefully going to take everything with you. So it was also a lot of pros and cons. There was a great conversation with the significant other, who was like, I don't know, maybe you shouldn't do this, you
know, this person's really been good to you. So it's pretty amazing, and it all happened pretty fast. We actually came in a little bit under the 28.5, because some of it was just so simple to find. I mean, you got to love somebody for that. But this is one of the things I do. I'm really big on dictionaries, where you can take all the different names and the different parts of cases that you see, just write it down as you go, and then you can prioritize them. So as the case starts to develop and you see where the important information is, and what is important about the case, I guess is the biggest way of saying it, and what the real goal of the case is, you can start then using those specific keywords to help you. What I hate to see in the world is where you've just got somebody sitting in front of the screen, AccessData, X-Ways, EnCase, whatever, and they're just looking around. They're going through the little browser and they're looking at files and they're like, let me just scan the web history. No, don't just scan, right? You actually want to develop the web history, get your timelines, and look specifically for what you're looking for. I think there's a talk right behind me called Sniper Forensics, and it's kind of what we're going after: paying attention to this, or, hey, you know what, I found this cool word, I'm going to search for it now. So really, just write down that cool word, and then you can prioritize it better. Anyway, registry analysis usually has a great SPI, so of course we did that, and we found tons of supporting data for all the accessing files and changing files. Once we had identified the files with all the other methods that we used, we were then able to generate a complete Super Timeline. It didn't exist at the time, but we know it would have definitely made the cut for getting processed. And then, because we started, we actually had solid timelines for these events, and, you know, kind of the
follow-up. We analyzed the web history. That was fun, always good stuff there. There was a little porn on the work site, so you got to love that, and it definitely was a little people porn, but it was great. It just blows me away that people are going to sit on their workstations in their organizations and look at porn. You've got a system clock, so I guess I just never can get over it. I'm always amazed at just the amount of people that will choose to look at porn in the workplace. Great conversations, trashing. So we had some great IMs. That was one of the ones that we put in there, because we knew that there was some instant messaging that was going on with the competitor, and then of course there were lots of discussions about who to take with them, right? They're going to start their new big company. So we met all the goals. We had defendable, dated conclusions. It was pretty straightforward. This is probably the easiest case in the world, and we were able to get it in a really good time. We actually came under. We rechecked our primary findings with multiple tools, which is something I believe in. There have been so many times where I've run a tool and I got a date, say an MFT date or something like that, and it turned out to be in the wrong order, right? The tool had a problem, and you might be familiar with The Sleuth Kit, or Autopsy, or X-Ways, or whatever you want to use; that's a different thing. Just validate your findings, right? So my personal conclusions from the case: this guy really does fill out his ID-10-T forms in triplicate. I mean, it was amazing, right? Idiot. But it was just amazing that there was just so much information about what he was going to do and how he was going to sell it and who he was going to sell it to and how he was going to take these contracts and get them. But he doesn't even own a home PC; that's where that stuff should have been. And of course Eraser and CCleaner and TrueCrypt and all those good things. So
that was interesting, right? I think I covered all of that. That was just interesting. But a big thing I'm also on, that isn't a part of the SPM, is just judging your performance, right? So feedback can be shaky, because if you didn't find exactly what they wanted, they're going to be like, yeah, well, it would have been great if you did. Feedback that is meaningful on what you do: I actually did try to weight some of the metrics that I use and I push on my teams. The number of follow-up questions: if you did a good job in the pre-analysis phase, you're not going to get all these follow-up questions. They're not going to say, oh great, how about where did this file go after it got sent to our mail system, right? You could have looked at the SMTP header for whatever, when they wrote back or replied or whatever, but you didn't, because they didn't, in getting those agreed-upon goals. That's a good metric for it. The number of goals that they requested versus what you were able to draw out of them, right? So as you get better at interacting with the client, if it's a form, you're set on it, but when you're talking to that person, either from your organization or from next to a party, they're like, I want this, and then how many goals can you draw that are more specific, of things they really want? And so that's a great metric, I think. The amount of time: as you get better, experts are really good at making that estimated time come very close to that total time, barring something crazy. And then of course the total predicted value versus actual value, right? So it's, here's what I think I'm going to be able to get for you, which is always a dangerous statement when you're talking to somebody about the forensics of an investigation. But it kind of comes out; they're like, what do you think we're going to get? And it's really what was going to happen versus what you actually gave the requester. And of course I really count this one; this one's important
to me. It's the number of wrong turns. I am known for making mistakes, learning from them, and then hopefully getting better. I really believe in it. Look where you make a mistake, focus on it, say, hey, I'm not going to make that mistake again. So those are kind of my big judging-your-performance metrics. Are we doing on time? Are we way under? Okay. So anyway, methodology, right? You get something good out of it. Just really, really focus on defining your case goals better. Even if it's just your boss coming down and saying, hey, I want this, is this, he can be your requester, right? So you can do a better job, like, hey, tell me what you really want, or let me help you develop that, right? You don't have to use our tool, or what we're trying to plug in as far as estimation of time and how long it will take you to do what, but do just make that your primary goal. You're going to find the stuff, or you may or you may not, I should say, but I think really getting that better definition, and just agreed upon, is the way to go. And then improve from familiarity with your common goals. You work at a place, you've got a lot of compromised machines, so you're doing graphics, right? Porn in the workplace, and they want you to develop at what point was this person looking at porn, and were they looking at it at this time, because that's when the complaint came in. They usually care about a history, right? Is this person just looking at porn once, or have they been looking at porn like four hours a day for the last 20 years? So that's the kind of stuff those departments are going to want to hear, and if you're not thinking about that, if you haven't already done a ton of cases where, for whatever reason, you're doing investigations, whether they're looking at who's going where on the firewall or what, those are the kind of things that you'll want to say to them. So having been familiar with what types of cases, ask, does this exist already? You know,
what are the questions that we normally ask when we go through this? You may get hand-holding for your first couple; you may, you may not. I definitely believe in mentally organizing methods with the best-bang-for-the-buck mentality, which is kind of the whole Smith-Petresky methodology and index, but then in developing your internal time management. So even if you don't use any of the, I think, good stuff that we have, that's what the value really is. Questions in 113. Thanks to a couple of guys that helped us out. There's our contact information. Kyle Davis, Mickey Lasky, got molding, yeah, yeah. And then I'm always going to leave on a few extra thoughts, and I guess we can take some questions if we've got a little bit of time. But like I said, I like building those dictionaries of account names, email addresses, all the stuff you think is important. Don't break off your primary task and go looking for it. Write it down, and then it can become meaningful later. You find that you never had a reason to go look for it, right? And you might have, if you weren't disciplined enough to push it off to the side, spent 20 minutes going through and looking at false positives and all that good stuff. It's always kind of crazy to sit there and just search for single words and then get a result, and search for single words. My opinion: keep the little case goals handy, right? It's great for actually making sure, a mental checklist, and then of course I like to print them out nice. But you might find yourself sometimes where you've got a drawn conclusion, you can back up your facts, but you just keep going. You're like, oh, I also found this email, I found this email, and how many pieces of... other than getting a number of how many graphic pornography images were on this machine, the total number, you don't need to look at them all, right? You don't; maybe fun, but you don't need to. And then of course a couple of things, and that was the kind of
thing where experts have to have their testimony in by this point, and so I include raw data, because what's really funny is they tend to draw that line and then do depositions after experts turn in their things. So they'll find something in the deposition, where this person says that they emailed this, and if you didn't actually have it in your raw data, you can't, because your report's in, and then you can't create a new report after the report. But it can be used after the report. So that's just a little lesson I've learned, and that's it. [applause]
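The fuzzy hashing the speakers describe (finding contracts where only the old company name was swapped out, which an exact hash would never match) rests on context-triggered piecewise hashing. As an added illustration that is not part of the talk or the speakers' tooling, the Python below implements a simplified ssdeep-style CTPH and ranks constructed sample documents against a reference; the WINDOW and TRIGGER constants, the function names and the sample contracts are all assumptions made for this example.

```python
# Added example (not from the talk): simplified context-triggered piecewise
# hashing, the idea behind ssdeep-style fuzzy hashing. Parameters and
# documents below are constructed for illustration only.
import hashlib
from collections import deque

WINDOW = 7     # bytes in the rolling window (assumed parameter)
TRIGGER = 16   # average chunk length; boundary where the window sum hits it
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def fuzzy_hash(data: bytes) -> str:
    # One alphabet char per content-defined chunk: a local edit only changes
    # the chunk(s) it touches, whereas an exact file hash changes entirely.
    sig, chunk, window, rolling = [], bytearray(), deque(), 0
    for b in data:
        window.append(b)
        rolling += b
        if len(window) > WINDOW:
            rolling -= window.popleft()
        chunk.append(b)
        if rolling % TRIGGER == TRIGGER - 1:        # content-defined boundary
            sig.append(ALPHABET[hashlib.sha256(chunk).digest()[0] & 63])
            chunk = bytearray()
    if chunk:
        sig.append(ALPHABET[hashlib.sha256(chunk).digest()[0] & 63])
    return "".join(sig)

def _edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(sig_a: str, sig_b: str) -> int:
    # 0..100, where 100 means identical signatures.
    longest = max(len(sig_a), len(sig_b), 1)
    return round(100 * (1 - _edit_distance(sig_a, sig_b) / longest))

def rank_against(reference: bytes, candidates: dict) -> list:
    # Score every candidate against the reference work product, best first.
    ref = fuzzy_hash(reference)
    scored = [(n, similarity(ref, fuzzy_hash(d))) for n, d in candidates.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)

CONTRACT = (  # constructed work product; the company name is templated
    "CONTRACT FOR CONTRACTING SERVICES\n"
    "This agreement is made between {co} (the Contractor) and the Client.\n"
    "1. Scope. {co} shall provide the services listed in Schedule A.\n"
    "2. Fees. The Client shall pay {co} within thirty days of each invoice.\n"
    "3. Confidentiality. Vendor and customer lists remain confidential.\n"
    "Signed on behalf of {co} by its authorised representative.\n"
)
ORIGINAL = CONTRACT.format(co="Old Employer LLC").encode()
RENAMED = CONTRACT.format(co="NewCo Partners").encode()   # only the name swapped
UNRELATED = (  # constructed, unrelated document in a similar style
    "Quarterly maintenance log: replaced HVAC filters, tested the fire "
    "extinguishers, rebooted the print server twice and ordered toner.\n"
).encode()
```

Running `rank_against(ORIGINAL, {"renamed": RENAMED, "unrelated": UNRELATED})` places the renamed contract first with a high score while the unrelated document scores low, which is exactly the triage signal that surfaced the repurposed contracts in the case.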