DFIROnline – Rajewski is presenting on Crypto

Jon Rajewski cryptology

I’m going to be giving a talk on basic cryptology/cryptanalysis on February 16, 2012. Here is a link to the event.

Some expectations that I want to set –

1) I’m not a mathematician and I won’t melt your brain
2) You will need a pen and paper
3) We will be focusing on historical cryptology
4) We will be breaking cyphers by hand – in the spirit of these meetups being “bring your own beverage” this could get interesting.

I hope to see everyone there!

Mike Wilkinson sent out a tweet earlier today with the ROT13-encoded title of the presentation

Mike Wilkinson
Next #DFIROnline Feb 16, topic by @jtrajewski : “N unaqf ba (cra/cncre) rkrepvfr va onfvp pelcgbybtl/pelcgnanylfvf” first to decode gets …

Book Review – Steve Jobs

Jon Rajewski Book Review

Full disclosure – I received this book as a gift for Christmas and I didn’t read it – I listened to it on CD 🙂. If you’ve never done this before and you have a busy lifestyle I highly recommend it.

My intention in this post is not to provide a spoiler with regard to all of the details in the autobiography, but I wanted to share what I learned from this book and how its lessons could be applied to the Digital Forensic & Incident Response industry. Below are three reflections after reading the book:

This quote really resonated with me

“We’ve always tried to be at the intersection of technology and liberal arts, to be able to get the best of both, to make extremely advanced products from a technology point of view, but also have them be intuitive, easy to use, fun to use, so that they really fit the users – the users don’t have to come to them, they come to the user.”


What I learned from this quote is that a tech company shouldn’t focus solely on the technology. When you have pure technologists with no management skills running companies, you will typically have issues. Steve Jobs wasn’t a genius programmer or hardware engineer – he was more of an innovative and demanding leader. He focused on the products, not the bottom line. When you read the book you will quickly learn about Steve’s upbringing and education, from which you will draw parallels to how/why he ran Apple the way he did.

It’s ever more important to have well-rounded / articulate employees. In the Digital Forensic & Incident Response (DFIR) industry we have many tools, methods of doing business, and ways of producing work product. To compare that to Steve’s quote – DFIR tools, operating procedures and work product should be intuitive, easy to use, fun to use, so that they really fit the users – the users don’t have to come to them, they come to the user. “Users” in Steve’s quote is a relative term, and the concept could be molded into a systemic way of doing business – keep everything in flux, from internal employees to management, vendors, legal teams etc.

Steve Jobs was a demanding leader

One of the aspects that made this autobiography a great one was that Walter Isaacson (the author) had full authority to interview anyone he needed for this book. We quickly learned that Steve wasn’t “loved” by all of his employees/management/partners. Steve was known to often belittle the ideas of employees and demand that products be redesigned.

In my experience, belittling an employee is rarely a good idea. That said, effective management techniques such as Appreciative Inquiry and fostering/promoting innovation are. A happy DFIR professional is going to “work that extra hour” or “do the extra research” necessary to serve your organization’s goals without question. If the work environment created by management is both demeaning and demoralizing (one could compare this to how Apple employees felt after product meetings with Steve), the issues could become systemic and travel outside via work product / client-facing products.

Steve had passion

Although cynical at times, Steve was very passionate about his products. In order for you to be “great” and not just “good” at something, you need to be passionate about it. It’s clear after reading this book that Steve, even when his health was aggressively dwindling, still pursued his passion of leading Apple to success.

As a DFIR professional I can easily say that I’m passionate about what I do. I hope that if you’re involved in DFIR you share the sentiment. In order for us as an industry to effectively combat threats or investigate cyber events, the secret recipe isn’t just a playbook with the best incident response plan or a team of experts with special knowledge – but a unified / qualified team with PASSION.

Overall – I would give this book a 4/5 stars. I enjoyed learning about Apple’s history through such an accomplished researcher/author – Walter Isaacson. I look forward to reading more of his work in the future. 

Series Introduction: Spring 2012 Digital Forensic Tool Evaluation

Jon Rajewski SP2012FOR260

This will be the first of many posts during the Spring 2012 term for this class. The course audience is Sophomore Digital Forensic students and fortunately for me it’s a very full section. The rationale in my mind for offering this course is: in the real world forensic examiners, like mechanics, have many tools to use on projects.

While a pipe wrench is an effective tool, it doesn’t work for every job

I dislike the idea of digital forensic programs blurring the lines between analysis and forensic tool usage. Not to single out any program in particular, but when I review other colleges in the world they often combine many digital forensic topics into one course. At Champlain College, the undergraduate computer forensic curriculum has 10 courses focusing on digital forensics – so dedicating one class to using hardware/software tools will educate students on how to properly use them and prepare them for upper-level courses which dive into advanced topics.

Mistakes happen – Learn from them

Jon Rajewski computer forensics, mistakes

I’ve had this blog post brewing for some time, but in light of Harlan Carvey’s “Uncertainty” post and Christa Miller’s Book Review “Uncertainty” I felt it appropriate to release it.

In light of the recent press into several “mistakes”

I wanted to quickly post about learning from mistakes. But first, perception and reality should be discussed. You will see a lot of “shock media” when incidents relating to technology are presented to the general public. Sometimes the perception is that there was a major problem, but in reality the damage caused was minimal. However – perception is (almost) everything. Perception is what causes a company’s stock to drop and customers to go elsewhere. We must always have our eye on perception.

It’s critical to have someone at the helm of an investigation that is seasoned and experienced. Information flow and vetting said intelligence is equally as important.

In the Water Pump “hack” someone reviewed logs from a SCADA system and saw an IP address from Russia that authenticated with credentials 5 months prior to the water pump failure. Then someone wrongfully linked that event to the ultimate failure of the water pump.

Photo: Jim Mimlitz with his family in Russia – he connected to the SCADA system while on vacation (Photo from Wired.com)

In the CarrierIQ situation a YouTube video was posted by Trevor Eckhart claiming that Carrier IQ was sniffing typed keys and HTTPS URLs on Android devices. Dan Rosenberg, a few days later, conducted some interesting research and demonstrated Carrier IQ’s current transmission capabilities. This research showed that only a finite amount of information could be transmitted back to the mobile phone carrier. The larger issue that Trevor (and the media) was pointing out was that phone carriers could read the content of messages/emails etc – this just wasn’t the case according to Dan Rosenberg’s research. Another point to mention is the insecurity of applications on smart phones in general – but this will be a future blog post.

In the alleged CIA drone capture, we might not ever know the details, but it should be assumed something went wrong. Unless of course this is all a ruse by Iran to point fingers at the United States, but that’s another conversation for the conspiracy theorists. (For the record, President Obama did publicly request it back.)

Photo: Iran in possession of CIA Stealth RQ-170 Sentinel

The reality is, mistakes happen.

To circle back to the theme of this blog – Perception outside of the digital forensic / incident response (DFIR) industry is blurred by things like the CSI effect. The reality is people are in positions to make decisions that could impact the lives of few or even many. Practitioners base their decisions on years of training and the situation that’s presented to them. Variables are ever-changing and you’re rarely presented with the same technical problem. And therein lies the issue at hand – there isn’t a “play book” for every situation. With that, people are inevitably going to fail from time to time. One way to mitigate “mistakes” is to promote Peer Review and collaboration.

I really love to hold people accountable for their work. Meaning, in an organization we expect to help everyone and to contribute where we can, but at the end of the day, everyone has their role and responsibilities. At times, those accountable for particular activities fail. Sometimes the failure is reconcilable, and other times it’s not. That said, people make mistakes and from those mistakes we learn. However, what is most unforgivable are the mistakes that occur over-and-over-and-over again. These situations typically require some sort of intervention.  

Theoretically, in the alleged water pump hack, if the Fusion Center’s analyst had only a snippet of the information (that Russia logged into the system, which directly caused the failure), and they made the decision to broadcast a national alert which ultimately was leaked to the media – and that was wrong – shame on the system, not the person. That person was operating with the variables presented to them. And everyone in that investigation had a role to play. If the investigators that were investigating the logs had called Jim Mimlitz to ask if he was the person that logged into the SCADA system, mistakes could have been avoided. (Note: this is what DHS/FBI eventually did, but by then it was too late.)

We are not perfect, we are not Borg, nor Cylon (I had to introduce some Nerd Sci-Fi reference) we are Human.

We as an industry are only as strong as the weakest link in our process/investigation. One of the messages I’m trying to convey in this blog post is that we need to be held accountable for our mistakes but given an opportunity to learn and provide a corrective action. For example, every website or organization must assume that they will one day be attacked/compromised – and that doesn’t mean we should immediately terminate employees involved with managing those digital systems when it happens. Having a post-event debrief to discuss what went wrong and what can be done to prevent it from happening again is a far more productive experience.

It’s very easy to play “Monday morning quarterback” or to live in the world of “hindsight 20-20” and point fingers – we are in an ever-evolving industry with new threats and risks being presented on a daily basis. We must be ready to learn and be prepared to fail. The healthy balance, of course, is to try not to fail as often 🙂

Series Introduction: Spring 2012 Anti-Forensics & Network Forensics

Jon Rajewski champlain college, SP2012FOR270

This will be the first of many posts during the Spring 2012 term for this class. I will be teaching this course for the fourth time – and every time we do something new and exciting. 

This year I’ve decided to integrate the book Worm by Mark Bowden (link to my Book Review blog post) into the course. Traditionally we discuss Botnets towards the end of the term and this book is one of the best representations in a traditional “book sense” of how the good guys are trying to mitigate one of the largest threats to the Internet as we know it. 

Image: Mark Bowden’s Worm

Another big part of this course is cryptology and steganography – both will be discussed for a total of 4-5 weeks. We read The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography by Simon Singh and conduct some hands-on cryptanalysis – I’ve collected many crypto books and artifacts over the years and look forward to showing them to the class. One of my recent acquisitions was a Kryptos reproduction which can be purchased from the Spy Museum Store. I’m still baffled when people come into my office asking me what it is. I mean, come on – this is the statue that sits in front of the Central Intelligence Agency! Doesn’t everyone know that 🙂

Image: Simon Singh’s The Code Book

Photo: Kryptos Replica on Rajewski’s Desk

The final project for this class is an atypical assessment focused on having the students prove they mastered all of the content in the class. And no – this class doesn’t have tests or quizzes per se. I love to focus on assessment that’s specifically designed to prove to the professor that the student actually understands the content, not just memorized definitions. I won’t publicly discuss the final project here in detail until I release it to the students.

Every term, as faculty, we get feedback from students on how the course went – if you’re an academic you’re used to seeing these. Each and every time I’ve reviewed the comments, the consistent message from students is that this is the best course they’ve taken at the college. I look forward to trying to meet/exceed that expectation with the spring 2012 class.

Series Introduction: Spring 2012 Advanced Practice in Digital Forensics

Jon Rajewski champlain college, SP2012FOR430

This will be the first of many posts during the Spring 2012 term for this class. I will be teaching the course in a hybrid format – 1/2 in class and 1/2 online. The course audience is Senior Digital Forensic students at Champlain College.

The one element that I’m going to have fun with this term is that we’re always updating courses. This course is now considered to be a special topics class by the college and I’ve decided, based on the knowledge level (2008 undergrad digital forensic curriculum), that we will be focusing on electronic discovery (theory for the first two weeks, then practice for at least four) and then shifting to advanced digital forensic topics – possibly cell phone chip-off or memory/malware analysis. Melissa Augustine has been giving me some great ideas 🙂

It’s noteworthy to mention – for those that are experienced DFIR professionals – that these are undergraduate students taking a predefined (yet ever-evolving) curriculum. What you, they and I feel are advanced topics is relative to our backgrounds. However, based on the knowledge these students currently have, these topics are considered “advanced” and will best prepare them for their near-future jobs.

I encourage everyone to please comment and make suggestions in this blog. I look forward to sharing how things are going this semester.

Are you a Digital Forensic / Incident Response Professor/Adjunct/Instructor?

Jon Rajewski computer forensics, DFIR, Professors

After some good feedback from the Digital Forensic / Incident Response Twitter folk, I decided to formally create the list…

As most of you know, I’m a professor of Computer & Digital Forensics at Champlain College. In my former life I was a Senior Consultant for a large consulting firm. Approximately five years ago my wife and I decided that I should shift careers due to the excessive national/international travel I was required to partake in. I was very fortunate when Gary Kessler brought me in to teach one of my passions at Champlain College. Although teaching is my primary responsibility, I still practice forensics as a forensic examiner with the Vermont Internet Crimes Against Children Task Force and Co-Direct the Senator Leahy Center for Digital Investigation. My contribution to the industry is to help prepare students for the ever-evolving industry of digital forensics/incident response.

All said and done, I know I’m not alone…

There are many other digital forensic professors out there. I’ve collaborated with some of you, but considering there are over 60 colleges currently teaching junior/undergrad/graduate programs in digital forensics we should have a central repository of contact information. This would be similar to what Rob Lee did with the Lethal Forensicator listing. I feel that this listing will help identify those that are contributing to Digital Forensics / Incident Response by teaching in higher education. I’m also willing to bet there are more like me that left the high-paying, elite hotel/airline statuses, corporate Amex-carrying positions to teach (adjuncts can count here as well).

This is another way for people to seek out professors for questions – think research opportunities / prospective students / collaboration / cross school DFIR competitions etc.

If this sounds interesting to you, I’m seeking other passionate digital forensic / incident response professors. If you are interested in participating please fill out the form below OR email me at rajewski -at- champlain D0t edu the following information:

***** Send this email from your college email account. Please include a hyperlink to your personal college website directory listing with a campus phone number so we can have some form of validation.

Subject of the email: Digital Forensic Professor

First Name
Last Name
Title (Professor/Adjunct/Instructor)
College Name
Link to Website/Blog/Faculty Page
Other – if you want me to include any other field.

Noteworthy information – This is 100% opt in. I didn’t want to scrape college websites and just create a listing without getting your permission.

Please let me know if you have any questions.

New device this holiday season? How to "erase" your old one

Jon Rajewski computer forensics, in the news

In light of the holiday gift-giving season – I was contacted today by Jennifer Reading (@WCAX_Jennifer), a local news reporter, to give a brief interview on the topic of erasing your old electronic equipment. This topic is directly linked to preventing identity theft and inadvertently distributing personal / confidential information. Her timely article is focused on what to do with your old digital devices when you plan on just using your new ones.

Before I provide the “how-to reference guides”, I wanted to quickly describe the act of deletion relative to this conversation.

Let’s break this down into three scenarios:

Placing a file in the Recycle Bin

If my mother wanted to delete a file from her computer, she would put it in the Recycle Bin (Trash for Mac users). For her, she just wants to get rid of the file on her desktop. And her act of deletion – putting the file in the Recycle Bin did the job. 

To leave the technology realm and to compare this to an analog situation, this would be like my mother, after reading a few chapters of her favorite book, simply closing it. The words on the page (data) are still intact, but to a passerby – they would have no idea what was on the page.

Emptying the Recycle Bin/Trash

If my sister, who is a bit more technical compared to my mother, wanted to delete a file from her computer, she would go one step further. She would put it in the Recycle Bin (Trash for Mac users) and would then empty it.

To compare this to the above book analogy – this would be like my sister taking the book and tearing out the Table of Contents for the chapter she was reading. The chapter itself (data) is still in the book, but trying to find it might take some additional steps.  

Wiping a file

If I were to delete a file from a computer with the intention of making sure nobody would ever see that file again, I would digitally destroy the file using a data destruction software/program commonly referred to as “wiping software”.

To compare this to the above examples, this would be like me ripping the chapter itself (data) out of the book. 

To summarize, how you delete a file or erase a digital device is relative to what your purpose is for the device after the deletion. For example, wiping every file that you delete could be considered excessive. Simply putting files in the Recycle Bin/Trash and emptying it is sufficient for normal computer activities. However, if one intends on donating the device and never using it again – wiping should be considered.
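The three scenarios above can be made concrete with a toy block-device model. The Python below is an added example, not code from this post: a directory plays the role of the book’s table of contents, and a raw scan of the blocks plays the examiner’s carving. ToyDisk, its methods and the constructed sample data are assumptions of the example, and the single zero-fill in wipe() only models the idea of overwriting, not any particular wiping product.

```python
"""Toy disk model of the three deletion scenarios: Recycle Bin, emptied Recycle Bin, wipe.
Added illustration only; nothing here touches a real filesystem."""
from dataclasses import dataclass, field

BLOCK_SIZE = 16


@dataclass
class ToyDisk:
    """n_blocks fixed-size blocks plus the bookkeeping a filesystem keeps about them."""
    n_blocks: int
    blocks: bytearray = field(init=False)
    directory: dict = field(default_factory=dict)  # live files: name -> block numbers
    trash: dict = field(default_factory=dict)      # Recycle Bin / Trash: name -> block numbers

    def __post_init__(self) -> None:
        self.blocks = bytearray(self.n_blocks * BLOCK_SIZE)

    def _span(self, blk: int) -> slice:
        return slice(blk * BLOCK_SIZE, (blk + 1) * BLOCK_SIZE)

    def _free_blocks(self) -> list:
        # A block is free once neither the directory nor the trash claims it.
        claimed = {b for owner in (self.directory, self.trash)
                   for blks in owner.values() for b in blks}
        return [i for i in range(self.n_blocks) if i not in claimed]

    def write(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        free = self._free_blocks()
        if len(free) < needed:
            raise OSError("toy disk full")
        chosen = free[:needed]
        for i, blk in enumerate(chosen):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[self._span(blk)] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.directory[name] = chosen

    def read(self, name: str) -> bytes:
        # A normal program only ever goes through the directory.
        blks = self.directory[name]
        return b"".join(self.blocks[self._span(b)] for b in blks).rstrip(b"\0")

    def move_to_trash(self, name: str) -> None:
        # Scenario 1: the entry moves; both the listing and the data remain.
        self.trash[name] = self.directory.pop(name)

    def empty_trash(self) -> None:
        # Scenario 2: the listing is forgotten and the blocks become free; the bytes stay.
        self.trash.clear()

    def wipe(self, name: str) -> None:
        # Scenario 3: overwrite the content, then forget where it was.
        for blk in self.directory.pop(name):
            self.blocks[self._span(blk)] = b"\0" * BLOCK_SIZE

    def carve(self, marker: bytes) -> bool:
        # What an examiner does: scan the raw blocks and ignore the directory entirely.
        return marker in bytes(self.blocks)


def demo() -> dict:
    """Walk the three scenarios with a constructed sample and report what a directory
    lookup and a raw carve can each still see at every step."""
    secret = b"SSN 000-00-0000 (constructed sample)"  # constructed, not a real value
    marker = b"SSN 000-00-0000"
    results = {}

    disk = ToyDisk(n_blocks=8)
    disk.write("taxes.txt", secret)
    results["readable_before"] = disk.read("taxes.txt") == secret

    disk.move_to_trash("taxes.txt")
    results["trash_listed"] = "taxes.txt" in disk.trash
    results["trash_carvable"] = disk.carve(marker)

    disk.empty_trash()
    results["emptied_in_directory"] = "taxes.txt" in disk.directory
    results["emptied_carvable"] = disk.carve(marker)

    # Ordinary use may reuse freed blocks, but nothing forces it. Here a new file lands
    # on the first two freed blocks, so the marker is gone but the tail of the file survives.
    disk.write("notes.txt", b"grocery list: milk, eggs")
    results["overwritten_by_reuse"] = not disk.carve(marker)
    results["fragment_survives"] = disk.carve(b"ple)")

    disk2 = ToyDisk(n_blocks=8)
    disk2.write("taxes.txt", secret)
    disk2.wipe("taxes.txt")
    results["wiped_carvable"] = disk2.carve(marker)
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```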

This blog post will not go into deeper conversations as to why you should/shouldn’t “wipe” all of the time, and it’s noteworthy to mention that it’s not always good to do so. It’s also noteworthy to mention that just because you “wiped” a file, that doesn’t mean forensic practitioners with the proper education and expertise couldn’t uncover the file using advanced forensic techniques.

If you have personal information on a digital device and you plan on donating/recycling/disposing of it, you should take the steps necessary to ensure your personal/confidential information is destroyed from it. Below are references (I do not endorse any of them, I’m just listing them for the purpose of this article) to methods for “wiping” digital data.

Apple Computers
Windows Computers
Files from a Mac Computer
Files from a Windows Computer 

Please note that there are many file destruction / deletion products. Due care should be taken to ensure that a proper “wipe” took place. If you are concerned and need additional help, seek out a competent digital forensic professional and request them to assist you. It is also a good idea to have them provide you a certification letter that they properly wiped the device.

Book Review – ReWork

Jon Rajewski Book Review, TED

On a long car drive back from Boston after watching the Buffalo Sabres lose to the Bruins…I had an opportunity to read Jason Fried and David Hansson’s book ReWork.


This won’t be a spoiler review, more so a reflection on how the book’s topics could be applied to the Digital Forensic / Incident Response (DFIR) industry.

Before I get into my review, I will share with you why I decided to read the book. Mike Wilkinson sent me a link to Jason Fried’s TED talk which is focused on workplace productivity and suggestions on how to avoid distractions.

I will break my review into sections to make it easier. Please note that these reflections are based on the book and how I feel it applies to the digital forensic / incident response (DFIR) industry.

  1. Having a solid management team is critical
    • If your organization doesn’t have a good balance of a technical/business management team (which could be a single person if the team is small enough) you’re not in a position for success. It’s important that DFIR teams are given the opportunity to engage in both professional duties as well as development/research into their area of expertise. Google does this. The concept sounds elementary, management 101, but to actually implement and sustain the environment where this is actually happening could be difficult. Having a productive and capable DFIR team is both cultural and systemic and requires a management team that fosters innovation and knows what is necessary to be ready to respond to events. 
  2. Stop interrupting/disrupting your day
    • Sometimes we are wired and “plugged in” far too much. Let’s think about this scenario: you’re conducting a highly technical analysis into a malware investigation. You’ve started looking into the initial infection vector (IIV) and you find that an executable file was created seconds after the user visited a website, then that executable was quickly deleted, two files were then created and then several registry entr… “[co-worker walks into your office screaming] HEY DID YOU SEE THAT EMAIL FROM THE CLIENT ABOUT HOW [insert distracting topic here]”. This is somewhat of an exaggerated scenario, but compare this to sleep – there are multiple cycles in one’s sleep, the most important being REM. When you actually get into REM, you are really sleeping/dreaming. This is where you are getting the most rest. The same is true, and you can draw parallels, for analysis or investigations. If you start digging into a case and you get disrupted by Meetings, Chat, Facebook, Twitter, Email, Text, YouTube, Co-Workers (or D, all of the above) you could fall into the trap of being robbed of your productive work time. To bring this back into context with reality, I’ve been guilty of “walking around the office” after an Analysis REM session. Or sometimes randomly checking social media while working on a project. THIS IS NORMAL. This keeps people productive. I think we’ve all been there: you worked for X straight hours on something and you need a break. Personally I need to disengage from the machine/project, and then at a point, re-engage with the analysis. These deliberate breaks from the mental focus on a project are healthy and keep us sharp. But if someone disrupts/interrupts the productive “Analysis REM session”, examiners can fall into a non-productive cycle and have difficulties getting back on track. This ties back to what was mentioned in the above “management” section, where it’s cultural and systemic in the DFIR industry.
DFIR groups that are structured and tasked with threat analysis/mitigation/remediation need to be given time to do work. Now, don’t get me wrong, all of the disruptions or interruptions mentioned above have their place in the business, but they need to be properly used in a non-disruptive way.
  3. Fire the workaholics
    • This was an interesting section in the book which stemmed from talking about “never having enough time to do work” and “always being at work before everyone and after the last person leaves for the day”. This creates a sense of “needing to work all the time”, which in effect creates stress for everyone. I’m a firm believer in hard work and completing what needs to be done on a project in a timely manner. I also believe in working smarter. There are lots of DFIR professionals out there, but the really good ones know how to do things smarter/faster. For example, this was an interesting blog post where Corey mentioned doing things in parallel to speed up analysis. Another perspective is working to remove obstacles that are hindering your team’s productivity. Why should your team work 15-hour days when they could be working 8 if you (as a manager) were to get them the proper access or workflow approved? Also, how many mistakes occur from a tired employee versus a rested one? (No citation, but we’ve all been there.) Or if the company should hire another team member – how is the company tracking metrics to be able to justify it to upper management? Now I know reality always comes into play, and there are “crunch time” circumstances where we need to work 15-hour days – but I don’t like to see teams spinning their wheels trying to get up the hill of getting the job done. Having a culture that understands what systems / processes are necessary for DFIR success is important.
  4. Personalities
    • As members of a rapidly changing industry, one that literally changes daily as technology is ever-changing, it’s important for everyone to try to keep things in context and be what I like to call “realists/optimists”. As members of an industry that is commonly called upon in situations that are bleak, we must be ready to have conversations with management/clients that are realistic (“this is what we are seeing”, “this is how long it will take”, “this is what is possible/impossible”, “I don’t know”, “this is the impact on the company”) and optimistic (“We are here to help”, “There is a problem here, and we’re working on it”, “we will help remove obstacles”). To change perspective, let’s visit the medical doctor. When one visits the doctor for an annual physical, they are going to hear how things are going with their body. Do you as a patient just want to hear lies or negative things relating to your cholesterol? Or would you rather hear the reality – you have high cholesterol and this is how to fix it? DFIR has a lot of “big-ego” personalities, which is the last thing a team should be dealing with during an event. I feel that DFIR teams that “check egos at the door”, understand the strengths of team members and use the realistic/optimistic approach will stay productive.
Overall I give this book 4/5 stars. I try to switch it up about every other book – read a technical book, then a business book – then repeat. This helps put things into perspective and provides nice insight into improving how we do things as professionals. The ReWork book is one of those works that might help you change your ways for the better. Now, will all of the concepts discussed in the book and in this post apply to every company? 100% no. A company’s culture is something that one cannot quickly change, but if you’re able to apply some insightful/innovative techniques in your workplace… think of the possibilities.

Senator Patrick Leahy visits the Leahy Center for Digital Investigation (LCDI) at Champlain College

Jon Rajewski computer forensics, hands on, in the news

On Monday, November 14, 2011 Senator Patrick Leahy visited the Leahy Center for Digital Investigation.

Adopted from Patrick Leahy’s website: 

Since 2006 Leahy has secured $1.15 million in Department of Justice Bureau of Justice Assistance grants to provide educational and technical support to Vermont law enforcement agencies, relating to crime-solving digital enforcement issues. 

After receiving the grants, Champlain College invested additional college funds in building a secure facility and a teaching lab at the new Miller Center. The project has also received material support from, and maintains operational relationships with, the Burlington Police Department, the Vermont State Police and the Vermont Internet Crimes Against Children Task Force (ICAC).

Photo: From left to right, Jonathan Rajewski (Co-Director of LCDI), Patrick Leahy (Vermont Senator) and Mike Wilkinson (Co-Director of LCDI)

Photo: From left to right, Ali Rafieymehr (Dean, ITS Division), Megan Percy (Senior Champlain College Digital Forensic student), Jonathan Rajewski (Co-Director of LCDI), Dave Finney (President, Champlain College), Patrick Leahy (Vermont Senator), and Mike Wilkinson (Co-Director, LCDI)

The LCDI is housed on Champlain College’s campus and offers various services to local, state and federal law enforcement entities. Computer Forensic, Cyber Investigation, Research and related services also extend to the corporate arena.

One of the primary purposes of the LCDI is to give students an opportunity to intern with a real-world forensic laboratory while studying at Champlain College. This is not only focused on digital forensic students, but any student that can contribute to the mission and goals of the Center.

There has been a lot of media coverage on this event – a sample can be reviewed below: