You can tell a company isn't prepared for a ransomware incident when the IT provider reinstalls Windows 7 from the original CD without Service Packs... Well, to their credit, at least they could find the CD ๐คท๐ปโโ๏ธ
When you receive 6 computers in this condition it's a sign... that they waited until decommissioning the machines before bothering to undertake a proper investigation. Maybe poor quality. Maybe both. Prepare for one charlie foxtrot after another #DFIRLyfe
100% agree. Don't BS to the people you are meant to be helping. A superior put pressure on me once to make up findings because "the client will wonder what they paid for" ๐ก They don't pay for BS ๐It's ok not to have answers.
That's #DFIRLyfe#professionalintegrity
I'll just add that to my slide-deck for "issues in incident-response". In Art, bullshitting might be harmless, in actual projects, it will lead to distractions.
The latter can derail the project - for years.
Executive Summary: "If you just don't know, say so"
Walk-ins are fun. Dude has 2 cheap cell phones he wants examined because he thinks his "neighbor" is spying on him. Chatty man said he told his neighbor to watch out coz his cuz is hardcore like *name drops local mafia figure*. I'm sure if anyone's spying they have a warrant ๐
Middle of a search warrant. People playing dumb about tech so call the IT provider. They not only mislead us about the location of the email server, they call the news outlets as well. Nice customer service skills putting your client in the headlines.
When the lawyer insists that they want to watch the entire forensic imaging and verification process after they've stalled your work all day. Ok here's the hourly rate for building security and the person that will sit in the lab with you. Pls bring a comfy chair and stimulants.
Stuff you recover when forensicating and need to know more about even though it's not related... just... because... it's random as fuck. It came with a game installation from memory. Too many years ago and I have new rabbit holes to go down.
Employees looking at porn on multiple PCs with generic/shared logins. 9mths later the client wants you to determine who it was based on the unique user account logged into the PC that was physically next to it (or so they think) at the time the material was accessed.
Wondering why my secure package delivery has been intercepted by the Quarantine and Inspection Service at the state border... I don't think I have the right adapters for my write blocker for this ๐ค
When you've been hired to investigate misconduct and you can tell that someone has already tried because they've type in "how to recover chrome history" in the browser on the subject host after the device was meant to be secured...
Flash mob forensics. Need to plug something in to the back of a server, close to the floor. Rack can't be moved. Wearing a skirt. CCTV camera pointed right at me. Barely enough room for an arm and need to find the right port by touch. Turns out hypermobility is useful in DFIR.
In the eradication stage of a major incident the sysadmin nervously asked if someone could check out his pc as the mouse cursor was moving on its own. A while later "uhh I had the mouse in my pocket.. but in my defense it's a really slim mouse". I'm sure some peeps can relate ๐
Offsite acquisition off all-in-one PC required without alerting POI. Of course, there is an arrangement of chickens and post-it notes on the case that need to be in the same place when returned. What have you needed to do to remain stealthy?
Turn up to a search warrant at too early to be awake o'clock. Waiting for the ok to enter the premises and start triage/acquisition/seizure of devices. Receive a phone call advising there are AirBnB guests at the POIs house. #adventureholiday#notstrippers