Foreword

I first met Brett Shavers several years ago at a training event that he had organized. At the time, Brett was a police officer—one of a handful among the local jurisdictions with the training and skill to take on digital forensic investigations. I had no idea then how often our paths would cross or how valuable his support could be. Brett has since become a leader in the digital forensic community of the Pacific North West, presiding over our local professional organization (www.ctin.org), running his own consulting company, writing papers and training materials, and maintaining websites devoted to Windows FE and RegRipper. In fact, that the world knows anything of my little internal project, Windows FE, has more to do with Brett’s work and enthusiasm than my own efforts. I am, therefore, quite honored that Brett asked me to write a foreword to this book.

To best describe the value of Placing the Suspect Behind the Keyboard, I need to put the book in context. When I started my career many years ago, there was only one book available on the subject of what we now call digital forensics. That book was primarily focused on how to investigate certain types of computer crime under the laws that existed two decades ago. Its emphasis was law, with very little presented regarding technical detail, investigative techniques, or, strictly speaking, digital forensics.

In the late 1990s, a few technical books about “computer forensics” began trickling out, and then, slowly, more have trickled out every year since. The early books presented digital forensics more as a collection of generally applicable tips and tricks than as technical deep dives into the varieties of electronic evidence. Over time, however, articles and books on forensics adopted a more solid and scientific approach, and began taking on a broader range of forensics topics with greater detail and systematic focus on particular subject matters. Thus, we have moved from those early books on “computer forensics” to books about the forensics particularities of specific platforms, e.g. “Windows forensics,” to books that focus on specific parts of specific platforms, e.g. “registry forensics.” This has been a good thing.

Particularly valuable over the past few years has been the evolving trend of books and articles to focus on distinct “artifacts,” that is, the trace evidence that computer or user activities create in memory, leave on disk, or send over the network. Armed with a good knowledge of artifacts, a competent forensics investigator can develop a surprisingly accurate and detailed account of what has happened on a computer system or digital device. Internet history, file usage, data deletion, program execution, IP addresses, even geolocation of devices, are all facts available to the digital investigator to decipher a blow-by-blow account of what has been done with a computer or device. Despite all this, there is a limit to the conclusions that can be supported by digital evidence alone.

Putting a specific person at the keyboard at a specific time, often one of the most critical issues to be proved, just happens to be one of those things that digital evidence rarely can accomplish on its own. This is not as obvious as it should be, since it is deceptively easy to confuse the computer owner or an account name for a real person behind the keyboard when a deed was done. But account names are not people, and computer owners are not the only people who use their computers. Thus, confusion can have catastrophic consequences when it leads to people being prosecuted or punished in error. It can also lead to investigators being sued for defamation. New forensics investigators are therefore frequently admonished to confine their conclusions to what is supported by the digital evidence they know well, and avoid making unsupported assumptions about the person behind the keyboard, about whom they often know very little to nothing.

Placing the Suspect Behind the Keyboard shows how to bridge the gap between digital and physical evidence to “make the connection between the act and the actor” and establish the person responsible for what was found on the computer. As the book illustrates, sometimes this connection can be made by interviewing witnesses who can place a person at a place and a specific time. Sometimes the connection must be reconstructed from physical evidence, such as other records gathered from the suspect or third parties. Sometimes, establishing the connection may even require surveillance. Non-law enforcement investigators might consider many of these suggestions as out-of-scope, but this would ignore that all these investigative techniques are important tools to understand, as they all have a place in particular investigations. An investigator who limits the world of evidence to the confines of a hard drive is going to miss evidence. To miss evidence, particularly important evidence, is to fail at investigation.

About mid-way through the book, Placing the Suspect Behind the Keyboard expands beyond the topic of the title to the all-important program of building a good case. Although there is a research-like aspect to digital forensics, forensics is ultimately about proving or disproving things, not simply dissecting artifacts or building timelines. To succeed at digital forensics, one must be able to do more than pick apart the details. A good investigator must be able to marshal the facts to an end, which involves a bit of organization, an eye for relevancy, and the ability to present technical data to a non-technical audience. All of these topics are addressed, and Mr. Shavers’ suggestions are practical and useful.

Don’t let the word “suspect” in the title make you think this is a book primarily for law enforcement. Although the burdens of proof and rules of evidence collection may differ between criminal and civil investigations (which includes internal corporate investigation), the burden of finding and making sense of the facts does not, particularly when it comes to placing a person behind the keyboard. Placing the Suspect Behind the Keyboard is full of useful guidance for digital forensics investigators of all types.

Troy Larson

Microsoft Network Security
