Say Uncle

You have all run into this dreaded case, I’m sure. Maybe a few times. I am talking about that case where you are asked to prove or disprove a given action of a user, but the evidence just doesn’t give in. You poke, you prod, you turn it inside-out. Nothing you do seems to be getting you any closer to a conclusion. These are the cases that haunt me for a long time. I still have some rumbling around in my head from over 10 years ago.

What am I missing?
What haven’t I thought of?
Are my tools parsing this data correctly?
Am I using my tools correctly?
Does this user know about forensics and cleaning up?
Did this user really clean up that well?
How can I call myself a forensic examiner?
Should I have eaten that entire tub of ice cream with gummy bear and potato chip toppings while pulling my hair out and questioning my mere existence?

Building Myself

I tend to form an attachment to my cases. Maybe you do too? I take it on as a personal challenge. A challenge to prove that I am capable. A challenge to learn something new. A challenge to use a new tool, or an old tool in a new way. A challenge to take a step towards being a better investigator.
When I run into these cases that present no artifacts of activity, I end up spending a ton more time on them. I try to find something in the obscure areas. Sometimes it works and my perseverance pays off. I finally find that one little hint, and it unravels the rest of my case. I put that hint into my bank of things to look for in the future, and I have just improved my skills as an investigator.
Other times, I have to give in and say “uncle”. Because of the attachment I form with the case, it can sometimes drag me down. It feels like a failure to me. I should be able to find something, even the tiniest thing, which can give some kind of hint. But when have I spent enough time on it?

Evidence of Logic

There is a phrase that has been passed around the DFIR circles for many years. As much as it may seem otherwise, it didn’t start in our industry. It is a logic-based thought and is discussed in probability as a way of forming a hypothesis. Fortunately, it fits for us too, so here it is:
The absence of evidence is not evidence of absence
In the original context, the usage of the word evidence is referring to an event. We base our investigations on the existence of an artifact on disk as a result of a user action (event). If artifact X exists in this data, then event Y must have taken place on this computer. It is a very sound approach, and one that many investigators use, digital or not. The finding of that artifact allows us to build a case with a reasonable certainty about the actions taken on this computer. We can’t always extend that onto the person on the opposite side of the table from us, but that is a whole ‘nother topic.
If we scour the drive and find that it is lacking evidence of artifact X, does that mean that event Y did not take place on this computer? Of course not! Because of the intimate knowledge we, as forensic experts, have about the programs and systems of computers, we could perform any number of actions and wipe the disk of any artifacts, if given enough time. In that scenario, event Y did happen. We know because we carried out the actions ourselves. Looking back at our phrase, we find it to ring pretty true.
This is what makes our investigations so difficult. Science is able to say things so simply: if x then y; if !y then !x. We cannot use this logic structure because there are too many variables at play. The courts accept our tools and findings based on them being a scientific process, but some argue that digital forensics is not a science while others say it is a combination of art and science. No matter what your opinion is, we can agree on the phrase I highlighted above. Just because I don’t find a deleted file, it doesn’t mean that file didn’t exist.
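The probabilistic reading of that phrase, as an added illustration that is not part of the original post: the artifact is treated as evidence that updates belief in the event rather than as a strict if-and-only-if, and the numbers used are constructed for the example.

```python
# Added illustration (not from the original post): "absence of evidence is
# not evidence of absence", worked as a Bayesian update.
# Y = event Y took place on this computer; X = artifact X is found on disk.

def posterior_event_given_no_artifact(prior_y: float,
                                      p_artifact_if_y: float,
                                      p_artifact_if_not_y: float) -> float:
    """P(Y | not X) by Bayes' rule.

    prior_y:             P(Y), belief before the examination.
    p_artifact_if_y:     P(X | Y), how reliably event Y leaves artifact X
                         (lowered by wiping, tool gaps, time elapsed).
    p_artifact_if_not_y: P(X | not Y), how often the artifact appears
                         without the event (false positives).
    """
    for p in (prior_y, p_artifact_if_y, p_artifact_if_not_y):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    p_no_x_given_y = 1.0 - p_artifact_if_y
    p_no_x_given_not_y = 1.0 - p_artifact_if_not_y
    # Total probability of finding nothing, over both hypotheses.
    p_no_x = p_no_x_given_y * prior_y + p_no_x_given_not_y * (1.0 - prior_y)
    if p_no_x == 0.0:
        # The artifact is guaranteed either way, so "not X" cannot be observed.
        raise ValueError("P(not X) is zero; the observation is impossible")
    return p_no_x_given_y * prior_y / p_no_x


if __name__ == "__main__":
    prior = 0.5  # constructed: even odds before looking at the drive
    # Artifact always left and never forged: "if !y then !x" holds and
    # absence really does rule the event out (posterior 0.0).
    print(posterior_event_given_no_artifact(prior, 1.0, 0.0))
    # Artifact survives only 70% of the time (cleanup, logging gaps):
    # absence lowers belief to about 0.23; it does not eliminate it.
    print(posterior_event_given_no_artifact(prior, 0.7, 0.0))
    # Artifact is never left at all: finding nothing tells us nothing (0.5).
    print(posterior_event_given_no_artifact(prior, 0.0, 0.0))
```

The less reliably an action leaves its artifact, the less a clean search moves the needle, which is exactly why the "if !y then !x" shortcut fails in this work.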

Going the Distance

How far, then, do you go? How much time do you spend?
Some of you may have the luxury of spending as much time on a case as you need in order to be satisfied with the conclusion. Most of you, however, have someone telling you when you will have this case wrapped up.
I used to have more freedom in the time I spent on my cases. It’s not my decision anymore. I have someone paying for every hour I put into my cases, and that can get expensive. I absolutely am doing my best to find even the tiniest little artifact and I am determined to break the case open. My investigation is a direct cost, though. They will get an invoice. The invoice will get passed around to various departments as it gets processed. My forensic report will get passed around various departments as well. Some of those departments will be analyzing the cost of getting this report. If my report cost them $50,000 and simply says ‘no findings’, you can bet there will be some unhappy people.
So, how much time do you spend?

Releasing the Burden

My approach to this, in both past and present, is to take the burden of cost off of my shoulders. When a case is starting to head towards the dreaded ‘no findings’, I start preparing myself for it. In preparing, I start documenting my actions instead of just my findings. I prepare to deliver the bad news of ‘no findings’ to the person requesting the case.
When I get to a point of being comfortable with having exhausted all reasonable artifacts, I present my work to the customer. I take a different approach because I don’t have a list of artifacts proving the case. I explain that I don’t have any findings yet. Then I spend some time in education with the customer. I explain the standard processes that we use in forensics. I explain the approach that I have taken and the reasons behind it. I want to make sure the customer understands that they are paying for the work I am doing and not just the result. I want them to feel good about spending the money, and that they are also getting a very thorough review of the evidence.
Then, I give the options. I explain the techniques that I feel might give results, and I am honest about my expectations. I don’t ever want a customer to come back to me, unhappy, because I talked them into paying for a technique that didn’t pan out. This usually results in the customer having an internal chat about moving forward. Sometimes they really want that forensic answer, but other times they are satisfied with knowing the proposed scenario of the case was highly improbable based on the lack of evidence to support that the actions were performed. It’s a balance of cost vs benefit.

Letting Go

This is the hardest part for me. If the customer decides that the ‘no findings’ are enough, then I have to move on. There are more cases lined up and waiting for my time. I want resolution in every case, but it just isn’t reasonable. I can only do my best with the time that I am allowed.
Finding no evidence of a proposed action does not make you a substandard examiner. If you can stand up proud with your report in your hand, then you have done all you can. If you can defend your findings to other examiners who constructively ask if you tried technique A or technique B, then you have proven your skills.
Be proud of your work!
James

2 thoughts on “Say Uncle”

  1. DFIR is called “both an art and a science” by those who refuse to extend their knowledge or to develop a process for examination. During the time I've been in infosec, those who have said that any of the activity is “more of an art than a science” have also been those who do not document their analysis plan or findings, and rely on the client to not ask questions.

    The key in any case is the goals of the analysis, which (interestingly enough) weren't mentioned in the article. If you start with the goals, as an analyst you should be able to share your process going forward with the “client” in order to clearly demonstrate what will be done. This process should also be shared with other analysts, in order to verify completeness.

  2. I disagree with that to some extent. I do think of our work as a bit of an art with a base on science. We all think differently. My process or plan won't make sense to you. You may disagree, but that doesn't make my process wrong. If that were the case, then we could replace ourselves with robots to do the analysis. The only thing we would need humans for would be the research and reprogramming of the robots to find the new artifacts. We have a lot of tools that can automate a lot of things, but there are a lot of human elements that create these artifacts, which requires a human element sometimes to discover them.

    We have a bedrock of science that defines how we handle evidence. We know that actions cause artifacts because of the research and documentation. Many of our analysis techniques fall right into the science category because of the evidence handling base that we start with. As long as my tool doesn't actually modify the data inside the evidence (dd, e01, smart, etc), then my process is likely repeatable, at least on this evidence.

    The art of it comes in knowing where to look for the artifacts. You could open up one of the forensic suites and mash all kinds of buttons, and then click some more buttons until you find what you are looking for. You could fire up any number of open source tools which drop the output to megabytes of text files, and then spend lots of time reading through all of those files until you come across something relevant.

    If someone is doing an analysis and getting away with no report, then first thing is that I am jealous! I have found my clients to be generally not as technical with the low level details as we are in DFIR, but in no way are they unintelligent. I have explained many technical concepts and they follow and understand perfectly fine. They know what they want, and they would never let someone slip through by trying to avoid answering questions or not providing some documentation of the exam.

    I am curious though as to why you find it so interesting that goals were not included in this article? I don’t recall posting this as a case study. Every case has different goals, so I don’t know what you would expect for me to put up there. I specifically posted this with a ‘notech’ tag because it’s soft and squishy.

    I do agree with sharing with other investigators though. Not everyone has a team within their company to share with, and we in DFIR tend to be very hush hush about sharing more than generics with the rest of the community. Some will have trouble, but a peer review on your process and findings is an excellent way of helping you to let go.

    Thanks!
