I just got back from the NYC4SEC Meetup held at Pace University. It was a welcome opportunity to see old colleagues and friends and meet many people in the industry with whom I’ve conversed electronically. The turnout was great – probably about 30 people – and it was definitely a success! It’s great to be able to swap war stories and share experiences with peers in the forensics world.
The speaker tonight was Ovie Carroll, Director for the Cybercrime Lab at the Department of Justice, Computer Crime and Intellectual Property Section (CCIPS) and an adjunct professor at George Washington University. Ovie was in town to teach the SANS Forensics 408 course and agreed to stop by and speak to our group. Ovie is a fantastically engaging speaker with a quick wit and more jokes than Steve Martin. I think it’s fare to say the crowd, which represented diverse experience levels, thoroughly enjoyed his presentation. His style of presentation really brings the audience into the conversation.
Ovie touched on a lot of things from basic knowledge on where to look for physical pieces of evidence to very specific artifacts. He showed some intelligent timeline presentation graphics and underscored the value of trace pieces of evidence by discussing a prominent case he dealt with and how they tracked the suspect down from a seemingly innocuous screenshot.
The overarching theme of his presentation was that forensic analysts have to be smarter about how they approach different problems and also how they interface with counsel or those requesting the analysis. He discussed the need to develop an investigative plan, just as one would do with non-digital evidence and investigations. This plan should involved counsel as early as possible and you should push back on those that say, “Just give me everything!” (My addition: As experts this is exactly what we get paid to do – not just to nod and go digging for everything, but to tell the client and counsel what our expert experience says they should be looking for and what its value is!!!)
There’s often a first reaction for analysts to say, “I can’t do anything with this drive yet, it’s not imaged!,” and Ovie would say that’s dead wrong. He pushed the idea of triage quite a bit, pointing out that you might not get all the benefits of a full forensic exam, but you might get just enough to have a conversation with the subject of your investigation and bring more value in the process. Triage is not going to put an end to forensic exams, it’s just another tool that gets you a few pieces quickly. The key to making this useful is that it must produce output that’s easy to understand for non-technical people, otherwise the usefulness of fast data retrieval declines rapidly.
The other pain point Ovie listed is one I’m sure everyone feels: an overwhelming amount of evidence to deal with. For law enforcement, more and more digital evidence is being seized as officers and prosecutors become more familiar with the value of digital evidence; for corporate investigators, enterprises are adding more varied devices to their technology lineups that analysts need to keep on top of. This is an issue everyone has been dealing with for a while now and Ovie, like all of the rest of us, is searching for the light at the end of the tunnel. Of course, no good digital forensics presentation would be complete without the Find All Evidence button!
Thanks to Ovie for his great presentation, to Doug Brush for organizing, to J-Michael Roberts and his wife for the delicious USB dongle-shaped cake (!!!), and to Pace University for hosting us! Joe Garcia is trying to line up some great folks from the industry for upcoming meetups. I’m sure everyone is looking forward to our next great get together, so keep an eye on the schedule and please join the Meetup group to stay informed!