I started working in digital forensics and incident response (DF/IR) in 2004 when I founded a high-tech crimes unit for a municipal police department. Seven of my eleven years in law enforcement were spent investigating cyber crime and performing digital forensics for local, state, and federal agencies. The unit I started eventually grew from a one-person high-tech crimes unit into an ASCLD/LAB accredited ten-person federal cyber crime task force of which I was the commander and laboratory director. I was responsible for managing people, equipment, budgets, grants, investigations, forensics, and all other aspects of the operations. My career path has given me some unique opportunities and experiences, allowing me to have a perspective into many areas of DFIR, Information Security (InfoSec) and cybersecurity.
Here you will find a variety of resources related to digital forensics, and I hope they are helpful. If you have questions or comments, please post them.
For my Master of Science Degree in Information Security and Assurance (MSISA) I wrote my thesis about the overall lack of standards, certifications, and accreditation in the digital forensics discipline (available here). This lack of rigor within our profession may very well jeopardize the credibility of our discipline. Over the past decade that I […]
Disheveled Digital Forensics: The Impact of Inconsistent Standards, Certifications, and Accreditation
Abstract
Technology and digital evidence are at the forefront of nearly every criminal, civil, and corporate investigation in the world. For the past thirty years, digital evidence from computers, cellular phones, tablets, servers, GPS devices, gaming consoles, storage devices, and network infrastructure devices has been forensically analyzed and presented in legal proceedings. In […]
Over the years the question of how to store digital forensic evidence has been raised many times. Forensic examiners often ask how to properly use a Storage Area Network (SAN) or Network Attached Storage (NAS) device in a digital forensic laboratory. Some of the main questions asked are: 1) How do you handle the […]
Developing a Business Justification
When I began investigating cyber crimes and seizing digital evidence, it was rare to seize more than ten items of digital evidence from a residential search warrant. Usually a suspect would have a desktop and laptop computer, a cellular phone, and some loose media like floppy disks or CDs. It was […]
Finding user accounts on a computer running the Windows Operating System (OS) is a standard part of a forensic examination. Local user accounts are found within the SAM Registry Hive, but what about computers connected to a domain? During an examination, you may see a mismatch between accounts stored in the SAM Registry Hive […]
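The mismatch is easiest to see when the SAM account list and the profile list are laid side by side. The following is an added example, not code from the original post: it assumes the examiner has already extracted the machine SID and the local account RIDs and names from the SAM hive, and the profile SIDs from the ProfileList key of the SOFTWARE hive (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList). All sample SIDs, RIDs and names below are constructed. The check rests on one fact: an account SID is the issuing SAM's SID plus a RID, so a profile whose SID prefix is not the machine SID was issued by a domain controller and will never have a local SAM entry, while a profile with the machine's prefix but no SAM entry points at a deleted (or otherwise missing) local account.

```python
"""Correlate local SAM accounts with the user profiles recorded on a machine.

Added example, not code from the original post. It assumes the examiner has
already extracted three values from the hives: the machine SID (from the SAM
hive), the RIDs and names of the local accounts (SAM\\Domains\\Account\\Users),
and the profile SIDs listed under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\
CurrentVersion\\ProfileList. All sample values below are constructed.
"""
import re
from dataclasses import dataclass

# A machine or domain account SID is the issuing authority's SID plus a RID:
# S-1-5-21-<a>-<b>-<c>-<RID>. Everything before the last hyphen tells you
# which SAM database (this machine or a domain controller) issued it.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed values standing in for what the hives would give you.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAM_USERS = {            # RID -> account name, from the local SAM
    500: "Administrator",
    501: "Guest",
    1001: "jsmith",
}
PROFILE_LIST = [         # ProfileList subkeys in the SOFTWARE hive
    "S-1-5-18",                                         # LocalSystem profile
    MACHINE_SID + "-500",                               # local Administrator
    MACHINE_SID + "-1001",                              # local jsmith
    MACHINE_SID + "-1002",                              # local RID with no SAM entry
    "S-1-5-21-4444444444-5555555555-6666666666-1104",   # account from a domain
]


@dataclass(frozen=True)
class Account:
    sid: str
    name: str
    kind: str          # "local", "domain" or "well-known"
    in_sam: bool
    has_profile: bool


def split_sid(sid):
    """Return (issuer SID, RID) for an S-1-5-21 SID, or None for well-known SIDs."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None


def correlate(machine_sid, sam_users, profile_list):
    """Merge the SAM account list and the ProfileList into one table keyed by SID."""
    profiles = set(profile_list)
    rows = {}
    for rid, name in sam_users.items():
        sid = f"{machine_sid}-{rid}"
        rows[sid] = Account(sid, name, "local", True, sid in profiles)
    for sid in profiles:
        if sid in rows:
            continue                      # already covered by a SAM entry
        parts = split_sid(sid)
        if parts is None:
            rows[sid] = Account(sid, "(well-known)", "well-known", False, True)
        elif parts[0] == machine_sid:
            # Same issuer as the local SAM but no SAM entry: typically an
            # account deleted after its profile was created.
            rows[sid] = Account(sid, f"(no SAM entry, RID {parts[1]})", "local", False, True)
        else:
            # Different issuer: a domain account, which never appears in the local SAM.
            rows[sid] = Account(sid, "(domain account)", "domain", False, True)
    return sorted(rows.values(), key=lambda a: a.sid)


def mismatches(accounts):
    """Rows that explain a SAM-versus-profile mismatch: domain logons and
    orphaned local profiles."""
    return [a for a in accounts
            if a.kind == "domain" or (a.kind == "local" and not a.in_sam)]


if __name__ == "__main__":
    for a in mismatches(correlate(MACHINE_SID, SAM_USERS, PROFILE_LIST)):
        print(f"{a.sid:55} {a.kind:10} {a.name}")
```

Run as-is it prints the two rows worth a second look: the domain account (expected on a domain-joined machine) and RID 1002, which has a profile but no SAM entry. Local accounts with a SAM entry and no profile (Guest here) are normal; they simply never logged on interactively.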
There are many reasons why anyone working in the digital forensics/incident response profession should have the ability to record the screen of their computer. Whether it is recording the actions taken during an investigation so another person can replicate them, recording an adversary's activity on a victim machine, or simply creating some training videos, screen […]
Issue: URLs visible within the places.sqlite database file when viewing the file in hex view that are not visible when viewing the file in SQLite Manager or FTK's viewer. The URLs seen in hex view are relevant to the investigation.
Test Information:
Path for Mozilla information (Windows XP): C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\%uniquevalue%.default\
OS: Windows XP […]
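The behaviour described in this issue can be reproduced on a throwaway database, which is the quickest way to convince yourself (and, later, a court) that the strings in hex view are real rows rather than viewer artifacts. The following is an added example, not code from the original post or from Mozilla: it builds a small SQLite file with a simplified moz_places table from constructed URLs, deletes one row without running VACUUM, and then compares what a SQL query returns with what a string search over the raw file bytes finds. SQLite does not overwrite a deleted cell's bytes unless secure_delete is on, so the row stays on the page as a freeblock that no SQL viewer will show; the pragma is set explicitly here because some SQLite builds (Firefox's among them) default it to on.

```python
"""Reproduce the 'URL in hex view but not in the SQLite viewer' situation.

Added example, not code from the original post. It builds a throwaway SQLite
file with a simplified moz_places table (constructed rows), deletes a row
without running VACUUM, and then compares what a normal query returns with
the URLs carved from the raw file bytes. secure_delete is switched off
explicitly so the deleted cell's bytes stay on the page as a freeblock, which
is what the hex view of places.sqlite shows.
"""
import os
import re
import sqlite3
import tempfile

# Crude carver: a URL is a run of printable ASCII starting with http(s)://.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

CONSTRUCTED_URLS = [
    "http://example.com/index.html",
    "https://example.org/login?user=alice",
    "http://example.net/download/tool.exe",
    "https://example.com/contact",
]


def build_places_db(path, urls, delete_host):
    """Create the file, insert the rows, then delete those for delete_host."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")   # leave deleted content in place
    # visit_count sits right after url in the record so that a small,
    # non-printable integer byte terminates each URL for the crude carver above.
    con.execute("CREATE TABLE moz_places ("
                "id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER, title TEXT)")
    con.executemany(
        "INSERT INTO moz_places (url, visit_count, title) VALUES (?, ?, ?)",
        [(u, 3, f"Example page {i}") for i, u in enumerate(urls, 1)])
    con.commit()
    con.execute("DELETE FROM moz_places WHERE url LIKE ?", (f"%://{delete_host}/%",))
    con.commit()
    con.close()


def live_urls(path):
    """What SQLite Manager, FTK's viewer or any SQL query reports."""
    con = sqlite3.connect(path)
    try:
        return {row[0] for row in con.execute("SELECT url FROM moz_places")}
    finally:
        con.close()


def carved_urls(path):
    """What a hex view or string search over the raw file shows."""
    with open(path, "rb") as fh:
        return {m.group(0).decode("ascii") for m in URL_RE.finditer(fh.read())}


def compare(path):
    """Live rows versus URLs that exist only in unallocated space of the file."""
    live = live_urls(path)
    return {"live": live, "carved_only": carved_urls(path) - live}


def demo():
    """Run the whole sequence on a temporary file and return compare()'s result."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        build_places_db(path, CONSTRUCTED_URLS, "example.net")
        return compare(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = demo()
    print("visible to the viewer:", sorted(result["live"]))
    print("only in the raw bytes:", sorted(result["carved_only"]))
```

The regex carver is deliberately simple and only works cleanly because the constructed schema puts a non-printable byte right after each URL; on a real places.sqlite the adjacent column is another text field, so a production carver has to walk the page's freeblocks and unallocated area and parse the record headers rather than pattern-match. The point of the exercise is the same either way: the query result and the raw bytes disagree, and the raw bytes are the evidence.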