Each year Lee Whitfield (@lee_whitfield) creates and runs the Forensic 4:cast Awards. This is a great community event created by the community for the community to recognize individuals and organizations that are doing incredible work for digital forensics.
One of the best parts about 4:cast nominations is you can submit as many nominations as you like for each category. Voting is stressful because you are limited to one vote per category and one ballot per individual. But for nominations, nominate ‘em all! There is even a new category for mentor of the year.
As we did last year, Magnet Forensics is providing the opportunity for some of us to share our personal recommendations for nominations. I tried not to nominate the same people in the same categories as last year, so please check out my nominations from last year as they are each equally deserving this year. This is an incredible opportunity to share my personal nominations and not Magnet Forensics’.
I love this opportunity because I get to share and highlight some of my favorite contributions and contributors to DFIR from 2019. I hope that sharing some of the people I am nominating will inspire some of you to nominate as well or at least introduce you to some awesome DFIR projects and contributions from 2019.
One of the most important things to note is that these nominations are for work done in 2019. This means there are some really cool projects that will have to wait till the 2020 nominations next year, like Alexis Brignoni’s ALEAPP, Ian Whiffin’s EPOCH tool, checkm8 integration, and the Apple Notes blogs from ciofeca forensics. These are on my list for next year!
Now for the fun, my nominations for the 2020 Forensic 4:cast Awards! Consider nominating these folks, projects, and organizations for their great work, or nominate others. Feel free to share why with the community. I won’t cover every category. Just because someone isn’t listed here does not mean that I do not appreciate and love their work. Thank you all so much for your contributions to the community. I am a big proponent of sharing in DFIR. I can’t wait to see what the community brings in 2020!
DFIR Non-Commercial Tool of the Year
iLEAPP by Alexis Brignoni – At the very end of 2019, Alexis rounded up the various iOS scripts he had been sharing with the community and put them into one tool, iLEAPP: iOS Logs, Events, and Properties Parser. This tool is incredibly useful as it allows examiners to quickly obtain key artifacts from iOS devices. The initial 2019 release included parsing of several key artifacts. One of the great things about this tool is that it is very accessible and easy to use, and it can help examiners get more information out of the full file system images that are now more commonly obtained from Apple devices.
KAPE by Eric Zimmerman – The DFIR world was taken by storm in 2019 by the Kroll Artifact Parser and Extractor. This freeware tool collects and parses data using targets and modules. It is effective in getting key data quickly from both live and mounted systems. I have been fortunate to have used it in developing some AUTOMATE workflows, and it has been handy for presenting rapid results before the imaging and full artifact processing portions of the workflow begin, allowing for rapid decisions.
DFIR Show of the Year
This Month in 4n6 by Phill Moore – You may be familiar with the weekly roundup blog post that Phill Moore puts out each week. In addition, Phill puts out a brief monthly roundup. These are typically short, concise, and focused on what Phill assesses are the most important pieces of DFIR information from all the content he has curated for the month. If your time is limited, this is the TL;DR of what happened in the DFIR community each month.
DFIR Blog of the Year
The Binary Hick by Joshua Hickman – Josh introduced his blog in 2019 and went on to share 14 articles last year covering a variety of artifacts including Android Auto, Google Assistant, Google Searches, Apple CarPlay, and Snapchat for Android. What is so great about Josh’s posts is that his articles go in depth. Josh has had one of his blog posts published on DFIR Review, meaning that the post has undergone a peer review process. If you want in-depth articles, especially on mobile forensics topics, The Binary Hick is worth reading. In addition to his articles, Josh created and hosts a variety of much-needed public Android images on his blog. These additions in 2019 have been critical in several areas including research, testing and validation of tools, and teaching, to name a few.
DFIR Article of the Year
“Analysis of the AmCache” by Blanche Lagny – If you do Windows forensics, this paper from Blanche Lagny is a must read. This paper goes in depth to explain the intricacies of the data that is stored in the AmCache. As the AmCache is an artifact of execution and program installation, it can be a critical artifact in a variety of investigations. Blanche notes several instances where there is a risk of the AmCache being misinterpreted. This paper explores the details of the AmCache not only on different versions of the Windows OS, but on different builds, and the variance that can exist from build to build. The registry key summary included in the appendix is a helpful reference. Blanche’s research is both detailed and valuable.
“AFF4-L: A Scalable Open Logical Evidence Container” by Dr. Bradley Schatz – This work from Dr. Schatz, presented at DFRWS 2019 US and published in the associated conference proceedings, is absolutely critical. As a community we have lacked an open source common logical forensic format. With the acquisition of data from cloud services, there is an added need to be able to store logical content in a format that is appropriate for forensics and usable by the entire community. The format proposed in this paper adapts the deduplication concept of the AFF4 format for physical imaging to the AFF4-L format. There is a community need for an open source logical forensic container, and this paper addresses just that need.
DFIR Social Media Contributor of the Year
Alexis Brignoni (@AlexisBrignoni) – In addition to sharing his various tools and blog posts on Twitter, Alexis has used his platform to share throughout 2019. He has elevated other programs and tools, raised concerns, and shared posts of value to digital forensics investigators. He has also used social media to connect people working towards common objectives, introducing collaborations of value. Alexis both contributes to and leads the conversation in our field.
DFIR Degree Program or Training Class of the Year
George Mason University MS Digital Forensics and Cyber Analysis Program – Full disclosure, I am part of the adjunct faculty in this program. I teach here because I believe in the program. I earned my MS from this program in 2014 and joined the faculty in 2016. What is so fabulous about this program is that the instructors are all experts in the field with practitioner experience. The adjunct faculty includes David Loveall, Jared Greenhill, Dr. Simson Garfinkel and Tahir Khan, to name just a few. Some of the course topics that were taught in 2019 include Memory Forensics, Forensic Artifact Extraction, Malware Reverse Engineering, Mobile Device Forensics, Penetration Testing Forensics, Fraud and Forensic Accounting, Digital Profiling, Forensic Deep Packet Inspection, and Registry Forensics. This is a brick-and-mortar program in the Washington DC Metro area, which is also a hub of digital forensics professionals.
DFIR Groundbreaking Research of the Year
Checkm8 by axi0mX (@axi0mX) – This work was truly groundbreaking this year. While this is not directly forensics work, the implications for forensics have been incredible. An associated jailbreak, checkra1n, was also released in 2019. This jailbreak allowed full file system images to be created of vulnerable iOS devices. Since this exploit is not patchable, devices can be updated to newer versions of iOS and still yield a full file system image without the need to wait for a new jailbreak. This allows researchers to conduct research on the newest versions of iOS. It also has opened access to full file system images in corporate environments that do not have access to law-enforcement-only tools. This was the most groundbreaking research to hit our field in 2019.
DFIR Newcomer of the Year
(Treating this category as people who began sharing in 2019 – not necessarily new to the field)
Ian Whiffin (@BlakDouble) – Not only did Ian create five blog posts on his site DoubleBlak Digital Forensics in 2019, covering everything from deconstructing Snapchat plists to 7-bit PDU, but he also created and distributed open source tools like Artifact Examiner, Mushy (a bplist tool), a 7-bit PDU parser, and Spoopy for parsing Snapchat iPhone conversations. Ian has definitely made his public sharing debut impactful. Really looking forward to the 2020 contributions, Ian!
DFIR Mentor of the Year (New Category)
David Cowen (@HECFBlog) – If I were to pick one person who mentors the entire DFIR world simultaneously, it is David. He is truly the epitome of the ultimate forensic teacher and mentor. David has created Sunday Funday challenges to encourage examiners to dig deep into analysis of specific artifacts and then share their results. This has resulted in increased sharing in the community. In addition to the Sunday Funday challenges, David encourages forensic examiners to test their mettle in CTFs. This year he took that mentorship to a new level by having the Digital Forensic Association at Champlain College create the challenges delivered via his platform as host of the Unofficial DefCon DFIR CTF. That CTF also led to a slew of blog write-ups about how to solve the challenges. David also teaches others how to test and how to think outside of the box in learning and understanding artifacts with the Forensic Kitchen episodes he shared in 2019. Dave has truly encouraged us all to be better examiners throughout 2019!
DFIR Resource of the Year
Digital Forensics Discord Server by Andrew Rathbun (@bunsofwrath12) – In previous years, I have always nominated a website, but this year I am happily nominating the Discord forum. Over the last year, the Digital Forensics Discord Server has become the place to ask questions and discuss forensic topics. There are 30 channels covering a variety of topics. This has become one of the most collaborative environments I have seen in forensics. There are plenty of listservs and forums, but this is by far one of the most informative and lively resources in the community.
DFIR Team of the Year
Digital Forensic Association at Champlain College – The Digital Forensic Association (DFA) is a voluntary club at Champlain College that focuses on digital forensics. The group not only runs and organizes challenges and events for students at Champlain College, but this year provided the capture the flag challenge for the Unofficial DefCon DFIR CTF hosted by David Cowen and Matt Seyer. Keep an eye out for these students as they are the future of our industry. Employers take note!
DFRWS – Full disclosure again, I am on the Organizing Committee for DFRWS US. Again, I volunteer for this organization because I believe in it. DFRWS has quickly become the intersection of academia and practitioners. In 2019 DFRWS hosted two conferences, one in Oslo, Norway and one in Portland, Oregon. Each event consisted of hands-on workshops, keynotes, technical presentations of the academic papers that were published, and more practitioner-focused presentations. These events attract both practitioners and academics, which is fantastic because academia gets to inform practitioners and practitioners inform academia in this environment. But if it were just the conference, I would nominate it for show. This international body of forensic volunteers also publishes and peer-reviews the technical papers in a free publication, allowing for even broader access for the practitioner community. The folks at DFRWS in 2019 also provided support to the DFIR Review project, a sub-project of DFRWS that peer-reviews practitioner-posted blogs. This truly has become the intersection of quality academic publishing and promotion of practitioner content.
Digital Forensic Investigator of the Year
Okay, I said I wouldn’t list people from last year here. But in case you still haven’t looked at my picks for 2018, each of my nominations from last year, Alexis Brignoni, Sarah Edwards, David Cowen, Phill Moore, Yogesh Khatri, Brett Shavers, and Eoghan Casey, is still completely deserving of nomination again this year. On to new recommendations for this year.
Eric Zimmerman – As usual, Eric has contributed immensely to the field. Not only did he introduce KAPE as discussed above, but he provided updates to a variety of his tools including AmcacheParser, AppCompatCacheParser, MFTECmd, ShellBags Explorer (and SBECmd), and Registry Explorer. In addition to the tools he builds, Eric created a new SANS course, Battlefield Forensics, that focuses on getting the answers examiners need in the shortest amount of time when that time matters.
Hope you appreciate some of my picks. If you haven’t done so, please make your nominations for the Forensic 4:cast Awards. Remember, you can nominate as many as you like per category, so nominate all of the examiners, tools, classes, projects, etc. that you want. I am grateful to everyone I mentioned above and everyone else who shares for each of their many contributions to our community.
If you have any comments or questions feel free to reach out to me at Jessica.firstname.lastname@example.org.