In this series, a few forensics experts within Magnet Forensics are sharing their suggestions for nominations in this year’s Forensic 4:cast Awards. In this second installment, Jamie McQuaid, Forensics Consultant, highlights people in the DFIR community who are making valuable contributions. You can submit your nominations (including Magnet AXIOM for DFIR Commercial Tool of the Year) here. You can also catch up on the other installments here: Part 1, Part 3, Part 4.
As many of you might have noticed, we’re taking a different approach to the Forensic 4:cast awards this year. Lee Whitfield decided he wanted to make some changes to the awards and formatting, which I think is a great way to get more community involvement and inclusion. With that in mind, a few of us at Magnet Forensics are going to each select a few categories and suggest a few of our own personal favorites that we really enjoyed throughout the year.
For myself, I picked a few categories for things that really stood out for me this past year or something that I used frequently enough that it deserved more recognition. My colleague Jessica Hyde provided some of her favourite picks here in Part 1, so if you haven’t seen those, take a look. I have not seen or discussed picks with her before writing my own, so I have no idea if they will be completely the same or overlap at all. Without further ado, my picks:
DFIR Non-Commercial Tool of the Year
For me, this one is an easy choice. I probably use Volatility more than any other open-source tool in my toolbox, and I’m sure there are many other examiners out there who feel the same. If analyzing memory was required in an investigation, Volatility has been my primary tool for years and has consistently found relevant data needed to solve my case. Last year, we integrated Volatility into Magnet AXIOM to enhance the memory analysis capabilities, which meant I ended up using it even more than before.
DFIR Resource of the Year
I usually read a lot of books, blogs, and other online resources in my own personal time, but that has really been limited this past year with the birth of our second child. Anyone with small children will attest that finding some quiet time to read up on file systems and system internals really takes a hit.
So Phill Moore’s This Week In 4n6 gets my nomination for the Resource of the Year, not only because it’s a great consolidated source of information in the DFIR space, but even more for me this year because it has allowed me to get a high-level summary of everything going on in the industry without needing to take the extra time to search and find anything that might be interesting or relevant.
DFIR Groundbreaking Research of the Year
For this category, I had to read the description a little closer to understand if my nomination fit here. The keyword for me here is groundbreaking. What was so innovative that it changed how we conduct DFIR investigations?
With that in mind, I think it’s an easy choice to nominate Grayshift’s ability to exploit iOS devices and crack passcodes with its GrayKey tool. Apple has continued to lock down access to its devices year after year and we’ve generally had to accept it. Prior to Grayshift’s breakthrough technology and methods, we were all stuck with iTunes backups and even then, only on unlocked devices. While its technology is limited to law enforcement only and doesn’t benefit the entire DFIR community, I still think it deserves recognition for having such a huge impact on our industry in such a short period of time. In the year it has been available, I have heard many stories where it has enabled access to devices that saved lives, rescued children and helped solve some of the worst crimes that law enforcement has to deal with on a regular basis, and that’s why they get my nomination.
Overall, I have a ton of other favourites (this industry makes it easy) that I will likely nominate and vote for, but these ones really stood out to me for their contributions to our industry and more directly my daily work in this industry.