A glimpse into the workflow of a digital investigator – David Cowen


I recently attended CEIC in Orlando, Florida and had the opportunity to meet David Cowen from G-C Partners, LLC. It was great to finally put a face to a name that I have known for a while through his blog and books. I have a huge interest in file system forensics, so I have been following his Tri-Force blog posts and was anxious to hear his scheduled talk on the NTFS Logfile Forensics/Tri-Force during CEIC.

I had recently seen a tweet from David where he mentioned using Internet Evidence Finder during the initial stages of his investigative workflow and I wanted to ask him a few questions about his overall workflow and where IEF fit within that workflow. I know the workflow that I am comfortable following, but I really appreciate hearing other examiners’ perspectives and reasons for using certain tools at certain times during the examination process.

Below is an informal email ‘interview’ that I recently had with David:

  1. Lance Mueller: Career background – how did you get started in digital forensics, when did you start?

    David Cowen: I got started in digital forensics in 1999. I was working at the time as a penetration tester and I had a client ask if we could assist with an investigation. They had an executive who they suspected was keylogging other executives in the company and then dropping information he learned in meetings to guide them to his decisions. It was a new challenge for me and once we compiled a small novel on this suspect I knew I was hooked. I proceeded to keep doing information security work and try to get as much forensic work as I could until 2002, when I got to testify for the first time and converted my career to full-time digital forensics from that point forward.

    David Cowen: From that first testimony experience in 2002 I passed the Catch-22 of the testifying expert (attorneys don’t like to take a risk on an expert who hasn’t testified before) and started to get more of the work. I co-wrote Hacking Exposed Computer Forensics in 2004, which led to the founding of our company G-C Partners in 2005. Since then we’ve put out additional editions of the book (2009 2nd edition and now working on the 3rd edition) as well as writing a new book, Infosec pro guide to Computer Forensics, for beginners and contributing to other books, Anti Hacker Toolkit 3rd edition. With the second edition I also started blogging and then tweeting as I found the digital forensic community growing and sharing more information outside of walled-off private forums and conferences.

     

  2. Lance Mueller: Current role – Where are you working now and what type of cases are you handling?

    David Cowen: I am currently a Partner at G-C Partners, LLC (I’m the C); we are a DFW-based computer forensics firm. We only handle civil work but we do assist in non-litigation investigations as well as provide expert testimony in civil court. Our cases range the civil spectrum but the majority of our work is the theft of intellectual property and trade secrets, both from the plaintiff and defendant. Otherwise we handle antitrust, patent infringement, employment, breach of contract and other claims that have some computer evidence involved.

    David Cowen: We do limited incident response and information security work for clients but it’s not something we advertise widely as we are picky about who we do that work for.

     

  3. Lance Mueller: Workflow – How do you work through a new case? What’s your typical process or workflow? What tools are you using (routine and one-off tools)? How does IEF fit into your process?

    1. How do you work through a new case?

      David Cowen: When a new case arrives we ask questions of the client relating to key actors, claims, background and dates of interest that we use as analysis points. Once we receive the evidence to image and analyze we focus on those artifacts most likely to contain relevant information for what we are looking for. Depending on how many pieces of evidence and the timeframe of the case we may have one or more investigators assigned to the case. We then break the investigation up into milestones, assign hopeful dates of completion and work to assist each other in overcoming roadblocks we encounter on the way to get our clients reliable results back.

    2. What’s your typical process or workflow?

      David Cowen:

      Step 1. Image the drive (chain of custody, task assignment, project scope created)

      Step 2. Run IEF against it to find the low hanging fruit and to quickly assess what common browsers, programs, cloud shared services, etc. are being used in later stage analysis

      Step 3. Load the image in the tool that has the best strength for the operating system/result we are looking for. (FTK, EnCase or X-Ways)

      Step 4. Begin looking at artifacts and start combining information

      Step 5. Recover files by signature and begin process of looking for applications that need deeper analysis (Chrome content databases are a good example)

      Step 6. Determine if we have the facts necessary or if we need to generate a timeline to find what we are missing

      David Cowen: That’s a very high level look, lots of work in between and after but that’s the basic workflow.

    3. What tools are you using (routine and one-off tools)?

      David Cowen: Everything we can get our hands on that fits the needs of the case.
      IEF, FTK, EnCase, X-Ways, Paraben, Oxygen, RegRipper, plaso, TZWorks utilities, HstEx/NetAnalysis, Blade, etc… If it generates reliable output and provides a function another tool does not we’ll buy it/find it, test it and use it.

    4. How does IEF fit into your process?

      David Cowen: For us IEF accomplished three goals:

      1. Quickly identifies the usage of popular cloud storage, communication and webmail services
      2. Allows us to cleanly parse out webmail JSON fragments for our clients to review
      3. Fast triage of communications for later deep analysis

     

  4. Lance Mueller: The Future of Digital Forensics – what challenges/opportunities do you see emerging in the world of digital forensics? What does this mean for forensicators and what do you think the forensic community needs from companies like Magnet in future?

    David Cowen: The biggest challenge I think we face is an ever increasing amount of digital storage available to individuals whose computers may end up in our possession in the future. Small cases used to be 40gbs a few years ago and now an average case is a terabyte in size. Combined with backups, cloud storage, mobile and external storage it can be pretty easy to get overwhelmed with the amount of data in front of you and you need to make a process and a plan to get through it successfully or get lost in the weeds.

    David Cowen: The biggest opportunity I think is a deeper exploration into journaled filesystems, but I may be biased ☺. The ability to recover past states and changes to a file will allow entirely new artifacts and signatures to be created to discover facts we never knew about before.

    David Cowen: The biggest thing vendors like Magnet can do is to keep the tools focused on what they are good at but expand the scope of what they can process at once. What I mean by this is make the features you already have developed faster, take the time to research changes to your artifacts by OS version to make them more thorough and support the automation of time-taking processes like merging the data from the live system, backups and shadow copies/time machine/etc… into a single view of the OS and the user’s actions.

 

I want to sincerely thank David for his time, candid responses and willingness to share his ideas and perspectives with others.

As always, if you have any comments, suggestions or questions, you can contact me directly at: lance (at) magnetforensics.com