Archive for the ‘Training and Certification’ Category


Digital Smoke, The Art of Incident Response, Part II

January 6, 2011

The first installment of the series Digital Smoke: The Art of Incident Response discussed the modern threat environment. The analysis of the threat environment was juxtaposed with the traditional methodology of responding to a scene where there is a running computer, namely, pulling the plug. The conclusion of the first installment was that the modern threat environment is such that pulling the plug on a running computer is not only undesirable but may inadvertently destroy any chance of obtaining the information needed from the computer.

This, the second installment of the series, addresses the issue of defining incident response. Although the term incident response appears self-explanatory, its meaning within the field of computer forensics and cyber-based investigations is anything but clear. The purpose of this article is to define the incident response space, in an effort to enable forensic professionals, law enforcement and responders to better prepare for the inevitability of responding to a scene with a running computer. To fully define incident response it must be differentiated from the terms with which it is often used interchangeably. Therefore, this article examines the terms forensic preview, triage and incident response, and the characteristics that constitute each.

Forensic Preview

The process of viewing files on the subject’s computer in its native environment constitutes a preview. A forensic preview is one which uses forensically sound bootable media on the subject’s computer to view the files on the computer without making any changes to the data (Lewis, 2008). Because the preview relies on bootable media, a computer that is running must be shut down and restarted from the forensic media; whatever was in memory, and any encrypted volume that was unlocked, is lost in the process. Forensic previews are therefore typically conducted in eDiscovery or administrative environments, where the contents of the disk rather than the running state are at issue.

Characteristics of Forensic Preview

The Forensic Preview process can best be characterized as a sterile environment. The environment is made sterile by booting from a forensically validated media source that contains trusted tools or an entire integrated user interface. Typically, Forensic Preview tools provide features for viewing, searching, hashing, exporting and reporting. Therefore, there is little risk of the responder inadvertently changing or altering data contained within the target machine. In addition, the Forensic Preview is designed to provide a speedy, albeit relatively cursory, insight into whether or not the allegations are supported and further action is warranted. Lastly, the Forensic Preview does not require a high level of computer expertise or in-depth training for the responder to perform.


Triage

Triage is the process whereby time-sensitive evaluations (made so by an imminent danger or threat) are conducted, resulting in the establishment of work priorities (Lewis, 2008). The most critical task is promoted to the top of the priority list, and so on in descending order. It is this critical nature of triage that is most often overlooked when differentiating terminology in the field of computer forensics. Many processes for the responder are termed triage; upon closer examination, however, triage for the responder to a running computer occurs only during the initial contact, when destruction of data, whether intentional or unintentional, is likely to occur and immediate action to counteract it must be taken.

Characteristics of Triage

The environment for triage is stressful in that every moment of indecision can have disastrous consequences. Given the time-sensitive nature and severity of the situation, responders must be well versed in the methodologies for interrupting data destruction as it occurs on a running computer; however, additional specialized training is not a requisite for the responder to be successful. Traditionally, pulling the plug on a running system is the fastest and most reliable way to stop destructive activity, at the cost of the volatile data discussed in Part I, and there are a number of alternatives that may be warranted in other situations. Lastly, there are no specialized tools for triaging a running computer to stop destructive activity; manual procedures are therefore the only viable alternative.

Incident Response

For the purpose of this article, incident response is defined as those actions taken on a running computer to obtain volatile and critical data and to prepare it for further forensic examination (Lewis, 2008). In other words, incident response is an approach, containing a series of actions, specifically designed to capture data that will become unavailable once the computer is powered off.

Characteristics of Incident Response

Incident response is characterized by a dynamic environment that requires a high level of technical skill to navigate successfully. Responders performing incident response must be versed in triage methodologies, be prepared to act according to the state of the computer, transition smoothly into data capture, document their findings and prepare the computer for possible removal from the scene and transport to a forensic laboratory for in-depth analysis.

There are two methodologies for incident response, manual and automated, which are not entirely mutually exclusive. Capturing volatile and critical data manually is time consuming and prone to error; an automated approach cannot possibly account for every scenario that will confront the responder. Therefore, the responder should ideally be well versed in the manual procedures and have access to a variety of automated tools.

As discussed in Part 1 of the series, the threat environment is substantial. The training of the responder should be inextricably linked to the threat environment. The well trained responder therefore should have a base understanding of computer networks, encryption, computing processes, various operating systems and much more.

General Response Strategies

Triage Phase

It is imperative that some form of incident response be performed on-scene whenever there is a running computer. As such, broad guidelines can be established. Assuming officer safety has been accounted for, the on-scene assessment must be made to determine the necessary course of action. This is similar to emergency medical personnel arriving at the scene of an accident. The medical personnel use the “ABC” (airway, breathing and circulation) acronym to assess injuries and establish priorities of work (triage). In a digital crime scene, the priority of work is focused on preserving potential evidence. By following the acronym “STU” responders of the digital crime scene now have an approach to effectively control the situation – stop destructive activity, take volatile and critical data and unplug the system for removal to a lab for further analysis (Lewis, 2009).

The actions the responder takes to stop the destructive activity (triage) depend on the type of activity taking place. If the destruction is intentional, the only viable option may be to pull the plug on the system. If the destructive activity is unintentional, it may be as simple as stopping running processes, removing a network cable or even removing liquid spilled on the computer. Once the destructive activity has been stopped, and if the computer is still running, the responder has a chance to capture volatile and critical data.

Incident Response Phase

Capturing volatile data on a system can be accomplished manually or through automated tools. As previously mentioned, both manual and automated responses have their Achilles’ heel; a combination of automated tools and manual processing provides the best chance of successfully capturing volatile and critical data at the digital crime scene. The tools and techniques chosen should follow the expected lifespan of data chart (Farmer and Venema, 2004, p. 6). Farmer and Venema’s Order of Volatility (OOV) serves as a template based on the likelihood of the data remaining viable for capture: the responder works from the data least likely to survive (registers and cache, main memory, network state) towards the data most likely to remain (running processes, then the disk), capturing each before moving on to the next.

Aside from network and system processes, additional data should, depending on the circumstances, also be captured. Generally, data that resides on the hard drive is left for the in-depth forensic examination that will occur in a laboratory environment. However, organizations and their responders should consider that data on the drive may become inaccessible once the drive is powered off. The two major reasons are encryption (a disk or volume whose key is available only while the system is running and unlocked) and hardware malfunction. Therefore, if during the data capture process the responder can capture data that would be considered critical to the case, it is prudent to do so. For example, if the case centers on a set of images, the images or the entire folder containing them can be captured, together with their hashes, for use as best evidence should the hard drive later become inaccessible.

Lastly, there should be a procedure in place for the responder to formalize a report and prepare the computer assets for transportation to the forensic laboratory.
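The collection pass described above, as an added example that is neither the article’s own tool nor one from Farmer and Venema: a small Python collector that runs its steps most-volatile-first, hashes every artifact with SHA-256 as it is written, records the command, UTC timestamps and hash in a manifest for the responder’s report, and copies a critical file or folder (the images example above) with per-file hashes. The command list (date, ss, ip neigh, ps, who, mount) is an assumed Linux set and is illustrative only; the function names, the step ranks and the output layout are this example’s own choices. A step that fails is recorded with its error and the run continues, so a missing tool or a timeout does not end the collection.

```python
"""Order-of-volatility (OOV) live collector.

Added example, not a tool from the article or from Farmer and Venema.
Steps are ranked by volatility and collected most-volatile-first; every
artifact is hashed with SHA-256 as it is written and recorded in a
manifest with UTC timestamps, so the report can state exactly what was
taken, when, and with what command.  The command list assumes a Linux
host and is illustrative; the collection logic itself is OS-independent.
"""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import subprocess
import sys
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Step:
    name: str                                # artifact name, also the output file name
    rank: int                                # lower = more volatile = collected earlier
    command: Optional[Sequence[str]] = None  # command whose output is captured, or
    path: Optional[str] = None               # critical file or folder to copy verbatim


# Ranks follow Farmer and Venema's OOV: clock and network state before process
# listings, process listings before anything that lives on disk.  Assumed commands.
DEFAULT_STEPS = [
    Step("system_datetime", 0, command=("date", "-u", "+%Y-%m-%dT%H:%M:%SZ")),
    Step("network_connections", 1, command=("ss", "-tunap")),
    Step("arp_cache", 1, command=("ip", "neigh")),
    Step("running_processes", 2, command=("ps", "-eo", "pid,ppid,user,etime,cmd")),
    Step("logged_in_users", 2, command=("who",)),
    Step("mounted_filesystems", 3, command=("mount",)),
]


def plan(steps: Sequence[Step]) -> List[Step]:
    """Most-volatile-first; sorted() is stable, so equal ranks keep their listed order."""
    return sorted(steps, key=lambda s: s.rank)


def run_command(cmd: Sequence[str]) -> bytes:
    """Default runner: execute cmd and return combined stdout/stderr as bytes."""
    proc = subprocess.run(list(cmd), capture_output=True, timeout=60)
    return proc.stdout + proc.stderr


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> Dict[str, str]:
    """SHA-256 of every file under root, keyed by path relative to root."""
    return {os.path.relpath(os.path.join(d, fn), root): sha256_file(os.path.join(d, fn))
            for d, _, files in os.walk(root) for fn in files}


def now_utc() -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def collect(steps: Sequence[Step], outdir: str,
            runner: Callable[[Sequence[str]], bytes] = run_command) -> List[dict]:
    """Collect artifacts in OOV order into outdir and return the manifest.

    A failing step is recorded with its error and the run continues: on scene
    the responder wants everything that can still be taken, and the manifest
    must show what was attempted, not only what succeeded.
    """
    os.makedirs(outdir, exist_ok=True)
    manifest: List[dict] = []
    for step in plan(steps):
        entry: dict = {"name": step.name, "rank": step.rank, "started_utc": now_utc()}
        dest = os.path.join(outdir, step.name)
        try:
            if step.command is not None:
                entry["command"] = " ".join(step.command)
                with open(dest, "wb") as f:
                    f.write(runner(step.command))
                entry["sha256"] = sha256_file(dest)
            elif step.path is not None:
                entry["source"] = step.path
                if os.path.isdir(step.path):
                    shutil.copytree(step.path, dest)
                    entry["sha256"] = hash_tree(dest)
                else:
                    shutil.copy2(step.path, dest)
                    entry["sha256"] = sha256_file(dest)
            else:
                raise ValueError("step needs a command or a path")
        except (OSError, subprocess.SubprocessError, ValueError) as exc:
            entry["error"] = repr(exc)       # recorded, not fatal; move on to the next step
        entry["finished_utc"] = now_utc()
        manifest.append(entry)
    with open(os.path.join(outdir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest


if __name__ == "__main__":
    # Usage: python oov_collect.py <output_dir>   (assumed script name)
    out = sys.argv[1] if len(sys.argv) > 1 else "collection_" + now_utc().replace(":", "")
    for e in collect(DEFAULT_STEPS, out):
        print(e["name"], e.get("sha256", e.get("error")))
```

The runner is injectable so the ordering and manifest logic can be exercised against canned output before the tool is trusted on a live machine; on scene, the output directory should be on the responder’s own media, never on the subject’s drive.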


In this article the terms Forensic Preview, Triage and Incident Response have been defined and characterized. The differences between these terms and what constitutes them should enable organizations to plan for education and training of their responders, purchase necessary tools, and develop appropriate response strategies. By being prepared for the modern threat environment, responders will enable organizations to achieve a greater success rate in obtaining the requisite information to move their investigations forward.


Farmer, D., & Venema, W. (2004). Forensic Discovery. Upper Saddle River, NJ: Addison-Wesley.
Lewis, A. (2008). Hybrid Theory Forensics. High Tech Criminal Investigator’s Association (HTCIA), Atlantic City, NJ.
Lewis, A. (2009, July-December). Digital Smoke: The Art of Incident Response. The Informant, 6(2), 26-27.


Computer Forensic Training

October 1, 2010

If you are looking for a good place to check on computer forensic training options, head to the Wiki page Training Courses and Providers. It’s organized into sections: On-going / Continuous Training, Non-Commercial Training, Tool Vendor Training and Commercial Training. It’s cross-referenced to the training link found on the sidebar of this blog, Computer Forensic Training List.


Adobe PDF Portfolio

September 14, 2010

At the recent DSI conference, I was asked to give two presentations, “Even Geeks Can Speak” and “$0 to $700 in 60 Minutes”. As with most conferences, they wanted student material and a copy of my slides to hand out to the conference attendees. I have been experimenting with Adobe Portfolio on computer, audio/video forensic reporting this past year and thought it would work great on this project.

What is Adobe PDF Portfolio?

Think of PDF Portfolio as a container. This container can hold numerous formats, such as Word documents, spreadsheets and of course PDF files. In this case, I used the container to organize my two class slide decks (which I had converted into PDFs) and student resource material. As with normal PDF operations, the creator can open, read, edit and format each file individually. Another nice benefit (one that has been in PDF files for a while) is the ability to secure my files. For example, I could have given the students permission to view the files but not copy or print them. Note that these permission restrictions are honored by the viewing application rather than enforced cryptographically, so they deter casual copying but will not stop a determined user. Adobe PDF Portfolio was included in Adobe Acrobat 9 or Acrobat 9 Pro Extended.

Acrobat has a good tutorial on the individual steps. In my case, the students saw the following splash screen when they double-clicked on my class Portfolio:

Clicking on the “Get Started” button gave the students access to the material in my Portfolio.

The slides for the class were easy to access and follow.

For more information on Adobe PDF Portfolio: About PDF Portfolios



Preparing to Teach

August 31, 2010

Giving presentations or talks can seem like a daunting task, and many struggle with how to get started. There are a couple of techniques I have developed over the years that help me get off the starting block. The first and most important for me is to set aside the PowerPoint in favor of good old-fashioned pen and paper. When researching a brand new class, I start by brainstorming and just jotting notes onto a pad. The following graphic is from a single page of notes as I was preparing to teach a class called “Even Geeks Can Speak”.

After I have reached a point where I think I have enough (or way too much) material, I then start breaking what I have found into topic blocks. Again, pen and paper work for me.

This gives me a good visual on different areas I can cover and a good starting point for organizing my thoughts as I start to develop my slides and student material. Using the topics, I can then create topic slides in PowerPoint. In the example below, I used a large red circle to make the topic stand out.

These topic slides will eventually be hidden from the actual presentation but as I put the class together, I can easily scan and edit my topics.

As you can probably see from the slide examples, I shy away from using bullets in my presentations. In upcoming blog posts, I will expand on how good clean and simple visuals can be used to make your presentations “pop”.



Upcoming Engagements

May 20, 2010

I’ll be presenting the material found in the exFAT paper at:

Summerlin, Nevada
26 May, 2010 1400 hrs
* This will include a hands-on exercise throughout the presentation to help illustrate the behavior of the file system.

SANS Forensic and Incident Response Summit 2010
Washington, DC
9 July, 2010 1050 hrs
* This will be co-presented with Robert Schullich, ISO



Google Copyright Help

March 4, 2010

Those of you in law enforcement or in support of law enforcement, and those who have sat in my Train the Trainer class, know my thoughts on “stealing” files, quotes or photos for your classes without properly crediting the source. You also know that my slides primarily contain images and very few words. What you may not know is that Google has a very good tool for searching through images to use in your presentation (or research papers, for that matter) that will filter for material that is not copyright protected and/or has been specifically labeled for reuse with no (or limited) restrictions.

For example, in the Google search window, click on the “Images” link.

Next to the Google search box, click on “Advanced Image Search”.

In one of the “Find Results” boxes, type in a word or phrase related to the image you are looking for. In the “Usage Rights” drop-down box you will be presented with several options. Click on “labeled for reuse” (or “labeled for commercial reuse” if you plan on making any money on your paper or presentation) and then click the Google Search button.

Hopefully you will be presented with a page of pictures related to your project, all of which you can feel free to use without fear of copyright issues.

Hope this helps – Steve


Digital Forensic Certification by DFCB

March 4, 2010

New certification process;

Professional certifications in digital forensics are something the community has needed for years, and they are now a reality. The Digital Forensics Certification Board (DFCB) professional certifications are truly independent and community driven. The DFCB certification program was developed with National Institute of Justice (NIJ) funding, following the agreed terms for developing the program by consensus. The DFCB will eventually be applying for recognition by the Forensic Specialties Accreditation Board (FSAB), which is currently recognized by the American Academy of Forensic Sciences.

Applications for the “Founders” process will be accepted March 1, 2009 through August 30, 2009. Beginning September 2009 those seeking DFCB certifications will be required to sit for a comprehensive certification exam.

There are two types of forensic certification offered: Digital Forensic Certified Practitioner (DFCP) and Digital Forensic Certified Associate (DFCA). The Founders process offers those of you who have been active for years in the digital forensic discipline the opportunity to become certified by demonstrating your expertise and experience. The process is outlined below. Once the Founders process concludes, those seeking certification will be required to sit for a comprehensive exam.

For more, visit their web site: