SANS Digital Forensics and Incident Response Blog

Keep on Moving

I know nothing. That's the only conclusion I can draw from my four years in the field thus far. Every time I work on a new case I learn something. Most of the time these are little morsels of forensicating goodness, but occasionally they are so significant that I believe my findings are worth sharing with the world. Of course, then I log on to the SANS Digital Forensics Blog and find that someone else has typically beaten me to it.

As many of you may already know, I have spent some months investigating and analysing volume shadow copies (difference files) in Windows 7 and Vista. The result is that I have worked out how these files are structured and can manually dissect them to recover valuable data. I have shared these findings both on my website and in several presentations. Now my question to you is this: what would have happened if I hadn't shared my findings? Stretching further, what state would digital forensics be in if people like Rob Lee, Harlan Carvey, Troy Larson and Jesse Kornblum hadn't shared their own research and findings?

To quote one of my favorite geek films (I know it isn't a classic, but still...):

"This business is a living organism... There's no rule for idle time or second guessing... New discoveries are made hourly...
This business is binary; you are a one or a zero, alive or dead." (Antitrust, 2001)

How true this is for our own field.

Too many forensic investigators are happy to rest on their laurels. They go to work, they work on a case, they come home. Now, I'm not saying there is anything wrong with this per se. These people are helping their clients, sending guilty parties to prison and helping innocent parties to escape punishment, but what are they contributing to the field? What are YOU contributing to the field?

Returning to volume shadow copies: I saw something in the field that I believed was a potential stumbling block for digital forensic investigators around the world, and I did what most people would have done: I sat and waited for someone else to solve the problem. I waited for well over a year for one of the big names in the field to come up with the research and the solution. Some good solutions were offered, but not the complete solution that I wanted. At that point I decided that, rather than waiting for someone else, I would find the solution myself.

I wonder how many of us are reading this thinking, "I have this problem and no one seems to know the answer." Is this the right way to think? I don't believe so. While blogs, podcasts and forums are excellent resources, we should be investing our time and talents in finding solutions to our own problems. Why wait for someone else to figure it out?

Another thing that scares me is not that we aren't finding solutions to these problems, but that we are finding them and not passing the information on. This may well be down to NDAs and the rules set by our employers, but we should be doing everything we can to improve the field as a whole. After all, where would we be if the forensic forerunners had found all this information and kept it to themselves?

Don't stand still. Be anxiously engaged in a good cause and do something productive to benefit the field. If you want to know something, research it. If you have something, please share it. You've only gotten this far by standing on the shoulders of giants.

Lee Whitfield, GCFA, is the computer forensic supervisor for Disklabs Ltd in the UK. He also runs the Forensic 4cast website and podcast.


Posted August 4, 2010 at 6:01 PM

Mike L.

After completing a 4-year undergrad program and a 2-year master's program, both in digital forensics, I've only been working in the field for under a year, and this topic is constantly on my mind.
Every meeting and training I attend, every blog post I read, I can't help but think "my god, there is so much out there that I do not know, I don't know if I'll ever learn it all; how am I ever going to be able to contribute to our field?"
Mr. Whitfield talks about asking ourselves what we have contributed. At this point, I'm still trying to figure out how to contribute. I hope it comes sooner rather than later; there's so much to learn and I can't learn it all fast enough. :)

Posted August 4, 2010 at 6:25 PM

Mister Reiner

You certainly bring up some valid concerns Lee. Here are the challenges that I see:
1. No central gathering place. All of us are scattered throughout the world with no central website that we can or want to call home. Some professions or hobbies have such a place, and all the participants are successful because of it. I cringe at the thought of a Facebook-type website just for security professionals, but that might be what it takes.
2. No process. Has anyone developed something like an ISO standard for reporting or sharing information? This shouldn't be an obstacle to sharing information, but without a standard format or process to follow, people just do their own thing.
3. Independence. Many people who do this work are free spirits and independent thinkers who are not joiners. They are happy with what they do and enjoy their little piece of the action, but don't feel a need to share, collaborate or answer endless questions. Even within the same organization, information is often not shared or discussed with counterparts in different regions of the world.
4. NDAs are a real problem. If I find something really Gucci cool and report it under my real name, even if I obscure certain facts, everyone knows who I work for, which (1) announces to the world that the organization I work for had an incident, and (2) says the consulting firm I work for can't keep its big mouth shut regarding customer incidents.
5. Opportunity cost. With work and family, many have their hands full as it is. Helping to solve the world's problems is just another burden that many cannot bear. It's nice to think that we all have time to contribute, but at the end of the day, it's really about life itself, and all this security stuff is just one part of it.
If I could spend my entire day sharing everything I know, developing tools and giving them away, and helping those most in need within the security community, I would, but like most of us, I have to work for a living.
If you can find someone that is willing to spend $20-30M per year sponsoring the 100 brightest minds in computer security (and the support staff), we would really get somewhere, but as you know, that's probably not going to happen. As is often said, "United we stand, divided we fall", and the way I see it, all of us are free falling off a 1,000 mile high cliff.

Posted August 4, 2010 at 8:02 PM

Lee Whitfield

Mister Reiner,
Thanks for the comment. While I agree with most of your post, I have to say something concerning point 5.
I realise that it is difficult to find the time to contribute something, but just look at what you've done above. You've given a fantastic reply to my posting. All you need is a spare five minutes to write a blog post. I'm not saying that everything we do to contribute has to be some kind of ground-breaking event. Just get involved in something. There are plenty of ways to share information. There are so many ways to share your thoughts or ideas; just pick one and go to town.

Posted August 5, 2010 at 12:22 AM

Eric Huber

I think one of the things that helps is to be passionate about the field of digital forensics. If it's just a job, it's unlikely that someone will spend the extra effort to do research work, write a blog post or start up a podcast after hours.
Lee is someone I hold in very high regard, so I was glad to see him share his thoughts on this. One of the barriers that I had to overcome (and Mike L., I would be curious on your thoughts in this regard) was that because I didn't know everything, I didn't think I knew anything.
You don't have to be a Rob Lee, Harlan Carvey, Troy Larson or Jesse Kornblum to be a productive contributor to the community. That was something that was hard for me to accept, but once I did I was able to start contributing in my own little way. I'm not going to pretend that I'm as useful to the community as Rob Lee, but that doesn't mean that I can't help out the team in some manner.
Also keep in mind that contributing to the community doesn't necessarily have to take the form of cutting edge research and tool development. Taking information that is out there and teaching it to others is a very productive way of helping everyone out.
So fine, maybe you don't have enough knowledge to reverse engineer Artifact X or create a tool to parse out all of its secrets. However, you can educate yourself about all of the research and tools that others have created in regard to Artifact X and then craft a white paper, a blog post or a conference presentation where you teach others what you have learned.

Posted August 5, 2010 at 3:46 AM

Joe Garcia

I couldn't agree with you more. We've talked about this before and I felt the same way you did... Oh, if I can't do something radical then I'm useless to the community. I have since changed that attitude. Between my podcast, my writing here, etc., I am doing what I can to spread the word of the Cult of Forensicators :-)
Hopefully, the little knowledge I can pass along (as compared to the aforementioned Forensics Giants) can help someone else, and that person can pay it forward.

Posted August 5, 2010 at 7:06 AM

Mister Reiner

I blog and I spend a lot of time reading blogs, but I'm presently targeting a different audience. Read this and you'll know where my head is at:

Posted August 5, 2010 at 1:21 PM

Mike L.

@Eric Huber
That's pretty similar to how I feel. I'm still new to the field, so I'm still looking for areas where I can contribute. But I guess I'm still in the (idealistic) mode where I want to be a Forensicating Giant like these guys. What can I say, I'm ambitious! : )

Posted August 6, 2010 at 12:52 AM

Eric Huber

That's the proper attitude to have, Mike L., in my humble opinion. If you are comfortable with being mediocre, then you won't realize your fullest potential. People like Harlan, Jesse, Rob and the rest of the gurus have provided us with examples of excellence and even though we might not be able to match them, we should continue to work towards that goal and give it our best effort.
Joe Garcia is another good example. He gives his best effort and does a fantastic job educating people about cyber security issues through his blogging and podcasting via his Cybercrime 101 efforts.

Posted August 6, 2010 at 3:16 PM


I'm just another security consultant who, quite frankly, knows very little about forensics. I do read, of course, as and when I get the time, and that's how I got to this blog.
The reason I'm posting here is that while this is definitely true of forensics, it is also true of every single thing that we learn about. I think a lot of us are guilty of taking too much and giving back very little. Sure, we all "want" to... but what ever came of just wanting?
So it's like the writer says... everyone blogs or tweets or ; the next time you get a feeling of "Wow, this is something cool I learnt today", blog about it. Or if writing isn't your thing, just discuss it with a colleague over lunch or whatever. Keep watering the tree of knowledge, in your own little ways, so its branches remain evergreen :)

Posted August 6, 2010 at 4:33 PM


I agree with the original post completely. For my two cents, once I start working in the field I do plan on actively pursuing research, even if it is on my own time. Hopefully I can move up in the company to mandate that examiners spend a certain portion of their day or week on research and publishing as well. Google does something vaguely similar (it regards new projects, though), and it has been a windfall for them.