Tuesday, February 7, 2023

Case_Notes.py - A simple “how to” guide…

When I first started doing computer and mobile forensics, I used to keep a handwritten log of my case notes and forensic findings. A short time later, I switched to using text editors like Notepad and Notepad++ to keep my notes in a digital format. The basic concept of these notes was and still is considered to be my “work product” and was never my final report that was given to the client. That is still something completely different.


Now this next part is my own personal opinion and some people may disagree with me, and that is okay! I do not like using ANY forensic tool’s “report” as my final forensic report for the client. Some forensic tools’ reports are better than others. It can be very convenient to provide a PDF or HTML report from a tool, but it lacks the details behind the meaning or interpretation of the artifacts. A forensic report should take highly technical information and translate it into an easy-to-read explanation of what happened.


Wednesday, January 18, 2023

Case_Notes.py Version 1.0 Released

Today, I am releasing Version 1.0 of Case_Notes.py, a cross-platform (Windows, macOS, and Linux) Python script to help make the case documentation process easier.

Some of the main features:

  • Easy to install and use.
  • Lightweight - easy on CPU and memory resources.
  • Automatic OS detection.
  • Ability to take selective screenshots for case documentation.
  • Log file contains notes entries prepended with date/time stamps in UTC or Local Time format.

Monday, January 9, 2023

DFIR Briefly Explained...

Since future blog posts will cover the specifics of Digital Forensics & Incident Response (DFIR), we first need to establish a foundation of basic knowledge on which we will build. The easiest way I know how to do that (without writing an entire book) is to define the common terminology in use and provide additional context as necessary. (If you are looking for a good book on DFIR I would highly recommend this one: [I have no affiliation with the owner/author/seller] Incident Response & Computer Forensics.)

  • What is DFIR?
  • DFIR (pronounced: “dē-’fər”) stands for Digital Forensics & Incident Response.
  • Digital Forensics & Incident Response is a sub-specialty of cybersecurity that deals with identifying, investigating, and recovering from a security-related incident or compromise on a computer network.
  • In my experience, typical DFIR teams are usually composed of various key members of the larger business (IT department, Security Operations Center, Forensic Examiners/Analysts, Legal Department, C-Suite representatives, Human Resources, etc.). The DFIR team can be either full-time or part-time depending on the size and needs of the business.
  • What is digital forensics?
  • According to NIST, digital forensics is defined as, “In its strictest connotation, the application of computer science and investigative procedures involving the examination of digital evidence - following proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possibly expert testimony.”

Saturday, December 3, 2022

Setting up a forensic workstation - Part II

In the last blog post, Setting up a forensic workstation - Part I, we set up and configured a Windows 10 Pro VM using VirtualBox. With this newly built virtual machine we will now set up and install some free forensic tools and applications needed to perform digital forensic investigations. My plan is to show new users they can accurately perform digital forensic investigations using free and open source tools. There is a time and a place for paid commercial tools in the digital forensic community, but you do not have to pay thousands of dollars to practice and learn the basics of digital forensics and incident response. So without further delay, let’s get started installing our forensic tools.

Thursday, December 1, 2022

Setting up a forensic workstation - Part I

In order to perform digital forensic investigations, it is important to have a workstation that has been previously set up, configured with your common forensic tools and scripts, and validated to ensure that everything is working as expected. Nothing is worse than responding to an incident and finding out that some tool you installed isn’t working because it is missing a dependency, or that the last update you ran accidentally broke some tool. Being prepared with a baseline system that has been tested and validated to work properly will alleviate these concerns.

Monday, November 28, 2022

First Blog Post…

Hello, and welcome to the “Everything DFIR…” blog! My name is John Asmussen, and I am a digital forensics practitioner. A little background about myself: currently I am a criminal investigator with the Louisiana State Police and I have over 22 years of law enforcement service. For the past 15 years I have been assigned to the FBI New Orleans Division as a Task Force Officer, where I have investigated various types of cyber crimes ranging from Internet Crimes Against Children (ICAC), business email compromises (BECs), computer intrusions, ransomware and malware cases, theft of intellectual property, and sextortion cases. I have successfully completed numerous digital forensic courses and hold several digital forensic certifications including: GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), GIAC Certified Incident Handler (GCIH), GIAC Battlefield Forensics Acquisition (GBFA), GIAC Advanced Smartphone Forensics (GASF), and many more. I have testified numerous times in criminal and civil cases and I have been certified as an expert witness in digital forensics in both the 4th and 6th Judicial Districts of Louisiana.