
I enjoy that designers have created a version of the board game CLUE for nearly every personal interest. It’s a clear indicator of an incredibly successful product. Like the handheld portable device, it feels like everyone has had their hands on the game at one time. You can now purchase a ‘The Office’ version, a ‘Disney’ version, a ‘Big Bang Theory’ version and, in season, even a ‘Grinch’ version. Though I can easily believe the Grinch is a likely culprit, I’m not sure about the cute little sled dog. You may call me old fashioned, but I’m still a Colonel Mustard, in the library, with a candlestick, kind of guy. I’m not suggesting that we’re limited to physical games anymore, but there is a feeling that comes with holding the solution cards in your hand, as if you were preserving the evidence for all to see.

It feels like games such as these are what shape our minds to think creatively but objectively, and that’s exactly what’s required when you join the world of digital forensics. Most of us need to know what’s in the solution envelope before we can end the evening. The easy part about playing CLUE is that all the suspects are at the table, along with the evidence related to the threat or activity. In the board game, the scene of the crime is limited to a folding cardboard floor plan. Today the game board has changed, and we all know the internet has expanded well beyond the borders of the kitchen table. We’ve opened our world to playing and working with people everywhere, but those same open digital borders expose us to threats. The game I have at home doesn’t have a ‘router’ as a game piece.


For more information about FOR308: Digital Forensics Essentials click HERE

In digital forensics you need to know who was involved so you can begin your data collection. It is best to collect every piece of hardware you can; this lets you start acquiring data from each device. At the kitchen table you keep your cards close to your chest; in the digital world, that means preserving the integrity of your evidence. If you aren’t in possession of it, you can’t control what happens to it. If your work ends up in court proceedings, your data integrity represents the quality of your work. Honestly, the same applies to corporate work, but I know firsthand that in legal cases a court demands proof.

Nothing is more important than being able to show your work. Your data analysis may be sound, but if you can’t prove the integrity of your evidence, you may lose more than just the game. If you are ready to step up your game, spend some time researching ‘chain of custody’. If this isn’t something you’ve become familiar with, you weren’t playing the same game of CLUE I played. As you collected information to win the game, you were solely responsible for keeping a record of your activity. Otherwise, it’s a rather boring evening sitting on the couch by yourself after an incorrect accusation (guess). There was always that one individual playing the board game who randomly guessed at the answer and invariably ended up embarrassing themselves. I suspect very few of them have established careers in digital forensics and incident response (DFIR). Maybe they ended up in the bullpen, making hot chocolate and delivering snacks to those of us still playing the game and rounding up the evidence. That was always good hot chocolate they served.
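As an added example (not from the original post), here is a minimal chain-of-custody ledger in Python: the evidence is hashed once at acquisition to set a baseline, every later handoff re-hashes it and appends an entry, and a mismatch is recorded rather than hidden. The evidence bytes, analyst names and evidence ID are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 digest of an evidence buffer (e.g. the bytes of a disk image)."""
    return hashlib.sha256(data).hexdigest()


def custody_entry(who: str, action: str, digest: str, note: str) -> dict:
    """One dated line in the custody record: who touched the evidence, why, and its hash at that moment."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "who": who,
        "action": action,
        "sha256": digest,
        "note": note,
    }


def new_ledger(evidence_id: str, data: bytes, collector: str, note: str) -> dict:
    """Open the record at acquisition time; the digest taken here is the baseline every later check is measured against."""
    baseline = sha256_of(data)
    return {
        "evidence_id": evidence_id,
        "baseline_sha256": baseline,
        "entries": [custody_entry(collector, "acquired", baseline, note)],
    }


def record_handoff(ledger: dict, data: bytes, who: str, action: str, note: str) -> bool:
    """Re-hash on every transfer or access, append the entry, and return whether the hash still matches the baseline."""
    digest = sha256_of(data)
    entry = custody_entry(who, action, digest, note)
    entry["matches_baseline"] = digest == ledger["baseline_sha256"]
    ledger["entries"].append(entry)
    return entry["matches_baseline"]


def verify(ledger: dict, data: bytes) -> bool:
    """Integrity check before analysis or before presenting the evidence: current hash must equal the baseline."""
    return sha256_of(data) == ledger["baseline_sha256"]


# Constructed sample data standing in for an acquired image; not real evidence.
IMAGE = b"constructed disk image bytes 0001"
TAMPERED = b"constructed disk image bytes 0002"

if __name__ == "__main__":
    ledger = new_ledger("EV-0001", IMAGE, "analyst A", "laptop SSD imaged through a write blocker")
    record_handoff(ledger, IMAGE, "analyst B", "checked out", "copied to analysis workstation")
    record_handoff(ledger, TAMPERED, "analyst B", "returned", "copy came back altered")
    print(json.dumps(ledger, indent=2))
    print("tampered copy verifies:", verify(ledger, TAMPERED))
```

Run it and the last entry shows `"matches_baseline": false`, which is the point: the record itself proves when integrity was lost.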

The next time you are working on a forensics case, bear in mind the necessity of preserving the data and the pathway you followed back to the source. I suggest you keep a small envelope beside your computer with three little cards inside. Label the cards ‘Delivery’, ‘Threat Actor’, and ‘Impact’. Sure, this isn’t all the information you may need, but in this age of digital forensics you generally get the first card, ‘Delivery’, for free. There is no shortage of them in the cyber card pile. Get sleuthing. Keep thinking DFIRently.