Chapter 8

Cheat Sheets and Quickstart Guides

Information in this chapter:

• Cheat sheets and quickstart guides

• Turnover folders

• Visual aids

• Investigative aids

• Study guides

• Make your own

• Checklists

Introduction

The field of digital forensics grows continually as the interconnectivity of businesses and people continues to increase. Determining the who, what, when, where, why, and how becomes more important when viewed holistically as an investigation rather than solely as a forensic analysis of a computer system. As this encompasses a wide range of forensic artifacts, processes, methods, techniques, and knowledge, it is easy to become lost, overwhelmed, and distracted from the case objective: placing the suspect behind the keyboard.

This chapter intends to demonstrate the use of reference materials as constant reminders to stay the course in a case and place the suspect behind the keyboard. There are instances where a small reminder will spark a Eureka! moment, and all of us can use those moments on any case. The tips in this chapter are offered in the hope that you will have more of those moments, even if you are only walking through your office hallways and subconsciously using the tips presented here.

Cheat Sheets and Quickstart Guides

The use of “cheat sheets” for test taking is wrong, but for the forensic examiner, cheat sheets are a helpful source of references for specific topics. Scaled-down versions of full manuals, such as quickstart guides, are also helpful for saving time during an investigation or as a refresher when specific information is quickly needed. As an example, researching Windows shortcut files, also known as “link” or .lnk files, could take an hour or more of looking through different digital forensics books and websites, only to find one tidbit of sought-after information.

A cheat sheet showing link file information in an easy-to-read format not only saves research time but also serves as an easy study guide. Although a link file is just one electronic file that points to another file, it contains a wealth of metadata, more than can probably be memorized. A cheat sheet on link files shows examiners the context of that metadata as it relates to a forensic analysis without requiring them to memorize every detail. One nice example of a link file cheat sheet can be seen below in Figure 8.1.
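To make the “wealth of metadata” concrete, here is an added example (not from this book and not the cheat sheet shown in Figure 8.1) that parses the fixed 76-byte ShellLinkHeader at the start of every .lnk file. The field layout follows Microsoft's published MS-SHLLNK specification; the FILETIME epoch, the LinkCLSID value and the flag names are from that specification. The sample header is constructed inline for the demonstration, not taken from any real case, and the parser rejects input that fails the header-size and CLSID checks rather than guessing.

```python
"""Parse the ShellLinkHeader of a Windows .lnk file (MS-SHLLNK section 2.1).

Added example: shows the timestamps, flags and attributes an examiner can
read from the first 76 bytes of a shortcut before any tool decodes the rest.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes
# {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian GUID)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime,
# WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved1..3
_HEADER_FMT = "<I16sIIQQQIIIHHII"
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

LINK_FLAGS = {  # low byte of LinkFlags; names from MS-SHLLNK 2.1.1
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
FILE_ATTRIBUTES = {  # FileAttributes bits of the *target* file
    0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
    0x10: "DIRECTORY", 0x20: "ARCHIVE",
}


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    if ft == 0:
        return None
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic only."""
    delta = dt - _EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


@dataclass
class LinkHeader:
    link_flags: int
    file_attributes: int
    creation_time: Optional[datetime]  # timestamps of the target at link creation
    access_time: Optional[datetime]
    write_time: Optional[datetime]
    file_size: int                     # low 32 bits of the target's size
    icon_index: int
    show_command: int
    hot_key: int

    def flag_names(self) -> List[str]:
        return [name for bit, name in LINK_FLAGS.items() if self.link_flags & bit]

    def attribute_names(self) -> List[str]:
        return [name for bit, name in FILE_ATTRIBUTES.items() if self.file_attributes & bit]


def parse_header(data: bytes) -> LinkHeader:
    """Decode the header; raise ValueError for truncated or non-.lnk input."""
    if len(data) < HEADER_SIZE:
        raise ValueError(f"need {HEADER_SIZE} bytes, got {len(data)}")
    (size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, icon, show, hotkey, _r1, _r2, _r3) = struct.unpack_from(_HEADER_FMT, data)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a ShellLinkHeader (bad HeaderSize or LinkCLSID)")
    return LinkHeader(flags, attrs, filetime_to_datetime(ctime),
                      filetime_to_datetime(atime), filetime_to_datetime(wtime),
                      fsize, icon, show, hotkey)


def build_sample_header() -> bytes:
    """Constructed sample (not evidence from any case): a shortcut to a 2048-byte file."""
    return struct.pack(
        _HEADER_FMT, HEADER_SIZE, LINK_CLSID,
        0x01 | 0x02 | 0x08 | 0x80,  # HasLinkTargetIDList|HasLinkInfo|HasRelativePath|IsUnicode
        0x20,                       # FILE_ATTRIBUTE_ARCHIVE on the target
        datetime_to_filetime(datetime(2012, 1, 1, tzinfo=timezone.utc)),
        datetime_to_filetime(datetime(2012, 3, 15, 8, 30, tzinfo=timezone.utc)),
        datetime_to_filetime(datetime(2012, 2, 10, 12, 0, tzinfo=timezone.utc)),
        2048, 0, 1, 0, 0, 0, 0)     # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, reserved


if __name__ == "__main__":
    hdr = parse_header(build_sample_header())
    print("target created :", hdr.creation_time)
    print("target accessed:", hdr.access_time)
    print("target written :", hdr.write_time)
    print("target size    :", hdr.file_size)
    print("link flags     :", ", ".join(hdr.flag_names()))
    print("attributes     :", ", ".join(hdr.attribute_names()))
```

The three header timestamps describe the target file as it was when the shortcut was created, not the shortcut itself; the shortcut's own filesystem timestamps come from the volume it sits on. That distinction is exactly the kind of context a link file cheat sheet captures in one line, and it is why the parser labels the fields as belonging to the target.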

There are many online sources of cheat sheets directly related to digital forensics, and others indirectly related through Information Technology topics, that can be freely downloaded and used as your references. Although I personally do not prefer the word “cheat” in reference material, the manner in which these references are used does not imply any cheating on the part of the examiner. Flow charts, checklists, and other means of ordering information are also not “cheating,” but merely aid examiners in doing their job as basic guides.

Other examples of cheat sheets are shown in Figures 8.2 and 8.3. Figure 8.2 is a report writing cheat sheet, in which one of the most important notations is “Include Analysis—What does it mean?” Sometimes, a simple question such as this can give the examiner an important reminder or hint that can make a big difference in their case.

Figure 8.3 Memory Forensics Cheat Sheet, SANS Institute, http://www.sans.org.

Another example, seen in Figure 8.3, shows the first page of a two-page Memory Forensics Cheat Sheet, from the SANS Institute. Generally, if there is a complex subject, there just may be a simplified cheat sheet to help understand, remember, and reference the most important information.

Other examples worth mentioning include the SANS cheat sheet for USB device analysis, as well as several reference guides from https://lockandcode.com/.

Turnover folders

One of the many good ideas I’ve taken from my days in the Marine Corps is that of the “Turnover Folder.” As Marines generally move around duty stations and jobs on a regular basis, Turnover Folders exist to make the move into a new job that much easier. Turnover Folders contain just about everything you need to know to be effective in your new job after a few days, rather than trying to figure out how everything works in the new office.

Specific to the job, a Turnover Folder contains templates of forms, examples of orders, flow charts, contact lists, and anything of pertinence that is required for that position. A Turnover Folder for a forensic analyst can contain anything you feel is necessary to help you in your job and with your cases. Besides basic information such as contact lists, cheat sheets and quickstart guides can be stored in the folder. Organized by topic, a Turnover Folder can be built around how you prefer to work, containing the information you need to reference the most. Figure 8.4 shows one example of a folder containing printed copies of cheat sheets. This type of work aid can be put together as easily as it looks, yet it can be one of the most used reference binders in your office.

Figure 8.4 Example of a “turnover folder” containing cheat sheets, templates, forms, and information relevant to the job of a forensic analyst.

Although digital forensics analysts primarily use computers for almost all aspects of their work, the printed page still has relevance when placed in a folder for easy reference. Indexed, tabbed, or color-coded, the Turnover Folder can lend a hand in finding material that may help save research time. And of course, for the “new” examiner in the office, handing over a Turnover Folder will help the new examiner get right to work with a handy reference of cheat sheets and guides.

As far as investigative help, when an analyst runs out of ideas during an exam, or just hits a mental block in moving forward, the Turnover Folder can help spark an idea or remind you of an overlooked aspect of an analysis. It is much like reading a book on digital forensics, but without any excess information not needed at the moment: just visual guides and reminders to restart the brain.

Visual aids

Cheat sheets may also be used as visual aids in presentations if they are relevant to your presentation and audience. Process flow charts, such as visually showing how a computer virus spreads across a computer network, help the examiner in visualizing their case to create a report just as much as it helps an audience understand a written report.

Other references and guides, such as the chart seen in Figure 8.5, can show an overview of specific and related information sources that pertain to a certain aspect of a presentation. In Figure 8.5, a poster created by Rob Lee and the SANS Institute shows a listing of forensic artifacts with details of their relevance to user activity. The use of a chart such as this for a visual aid can show your audience the locations you searched for evidence, which has already been tested by an entire community of forensic analysis professionals.

Figure 8.5 SANS Windows Artifact Analysis chart, courtesy of Rob Lee, SANS, http://computer-forensics.sans.org.

This same chart, or any chart like it, can also be used for training purposes and as a constant reminder of forensic artifacts to be aware of. Figure 8.6 shows this same poster, plastered across a hallway in a forensic lab. By merely walking between offices, examiners can use references such as these in the forensic lab to learn material, refresh what has been learned, and find something to talk about around the water cooler other than office talk. Locations to hang cheat sheets, posters, and references are limited only by your imagination. Generally, any place where examiners may be standing around would be a good place to hang a reference guide.

Figure 8.6 An enlarged SANS Windows Artifact Analysis poster in a hallway of a forensic lab.

Investigative aids

Every investigation is different, just as every investigator is different. Therefore, the manner in which one person conducts an analysis will differ from another's. However, many aspects of an analysis are constant, such as guidelines for evidence control and the commands used in software applications. Cheat sheets can be used to save research time and spark reminders of artifacts to examine.

Cheat sheets are also helpful for those times an examiner may not have someone to bounce ideas off of or ask questions of. There are forensic exams where evidence to place the suspect at the scene of a digital crime isn’t being found. Hours can be spent digging and digging without success. Having someone at your side to ask is the quickest and easiest way to get a question answered. When there is no partner, sometimes flipping through cheat sheets may be your best bet to come up with a solution to a problem.

Other benefits of cheat sheets include lists of software commands and software tips. Forensic software applications that are command line driven, or have a command line option, may have more commands than an examiner can remember. Without referencing a list, commands can be forgotten, and data that would otherwise have been collected will be missed. Process flow charts can help visualize simple aspects of computing, such as the boot process, as well as more complex aspects, such as the effects of malware on a system. Any of these types of cheat sheets and guides may hold that one tidbit of information that helps seal the case, with a simple reminder or by showing the context of what a certain datum means.

Study guides

Yes, cheat sheets can be used for studying, whether it is studying for an exam, a certification, a deposition, or trial. These can be used as reading material during lunch, a long bus ride, or anytime you are free. However, the purpose of mentioning cheat sheets as study guides in this venue is not to pass a test. As a forensic examiner, studying cheat sheets and looking at process charts should be done with a different goal.

The goal is asking yourself, “How does this information help me place the suspect behind the keyboard?” Link files are great forensic artifacts, but without asking yourself how this helps fulfill your objective, it is of little value. The same can be said of collecting thousands upon thousands of individual artifacts, displayed in a spreadsheet. Without having a reason for data carving and creating lists of files, the time is wasted if each piece of information doesn’t serve a purpose to assist in the investigative goals.

As electronic evidence recovered from an analysis is simply electronic data, the analyst needs to be able to place the information into context in relation to other evidence. A link file may be meaningless by itself, but combined with a separate artifact or piece of information, such as evidence that the link file was created by use of a flash drive owned by the suspect, it becomes pertinent. Now, the next time you see a cheat sheet or chart, ask yourself, “How can I use this to help me place the suspect behind the keyboard?”

Make your own

As much as you may expect someone to have made a cheat sheet for every forensic topic you need, that’s not the case. Although there are plenty available, sometimes the topic you want just doesn’t exist. No problem. I would encourage every examiner to create their own cheat sheets and, right afterward, share them. That which you make will probably save other examiners hours of time. As easily as you download and print pre-made cheat sheets, you can create and upload yours for the community.

Share and Share Alike

Increase your effectiveness by sharing

By sharing your discoveries in forensic analysis with other examiners, your findings can be vetted and validated by the community at large. This can benefit you professionally as other experts may be able to expand upon or correct your work. More important is that your discoveries in new methods or forensic artifacts can be a contributing factor in the development of digital forensics.

Besides using basic software applications, you can also use online sources for creating a cheat sheet. One great online resource for creating cheat sheets is Cheatography at http://www.cheatography.com. This free resource helps you create a cheat sheet that is stored online, shared publicly, searchable, and downloadable as a PDF.

One of the great benefits of having digital forensics books as references is that you can use them directly in your daily work. Pages can be dog-eared, passages highlighted, and your notes written on pages as reminders of some point that was important to you. Another benefit of digital forensics books as references is that you can create your own cheat sheet of a reference book, covering the material that directly suits your needs. One example of this would be creating a cheat sheet of this book, Placing the Suspect Behind the Keyboard, with annotations pointing to pages or chapters.

Checklists

The thought of using checklists brings fear to many forensic examiners. Part of this fear comes from past experiences in testimony where an examiner may not have been able to give a clear answer as to why “step 3” was skipped in their standard checklist. Rather than explain why steps are skipped, many choose to avoid checklists altogether.

Another problem seen with having a checklist is that, since every examination is different, one checklist isn’t going to cover all types of situations. There are too many variables in operating systems, computer systems, and types of data to cover in a single checklist. Again, the common answer is to avoid having a checklist.

I’d like to look at checklists a little differently, as a positive aid rather than a potential hindrance. To eliminate the fear that a checklist is a negative, consider that the pilot of the plane you may fly in uses a checklist to make sure the plane is airworthy. The doctor who may be operating on you also uses a checklist to make sure you survive your operation. Police reports can also be seen as a checklist, as the form flows through a report by descriptions of persons, incidents, and narrative. Even attorneys use checklists in their cases so as not to miss important deadlines.

The point is that checklists help ensure you don’t forget an important detail and keep your mind focused on the task at hand. Digital forensics should be included as a field needing a checklist.

As to the granularity of the checklist, that is up to you. Perhaps a general checklist of case workflow will suffice, or maybe a detailed checklist for a specific investigation will be better on a case-by-case basis. A checklist for evidence can be used to keep consistency in how your office handles electronic evidence. Any situation that is repetitive is a situation in which a checklist could help prevent failure.

As for the question that all anti-checklist examiners raise, namely how the examiner explains skipping a step in one case but not another, the answer is simply, “that step didn’t apply in this case.” You can then give the reason why it didn’t apply. An example of this would be skipping the checklist step that advises pulling the plug from the back of a computer to seize it. If the examiner decided not to pull the plug, perhaps it was because physical memory had to be captured first, or perhaps the operating system was encrypted. In these cases, that step gets an N/A marked on the list.

I would say it is better to have to answer the question of why you skipped a step than to answer the question of why you wing it every time. All of us are prone to forgetting something at some point, and if we don’t write it down or go through a list, it may be an embarrassing moment when someone else reminds us of our omissions.

Summary

There are some cases where hours are poured into forensic analysis without finding any relevant evidence. Frustration and impatience are two of the worst enemies in a task such as digital forensics that requires patience and steady attention to detail. To lessen the risk of mental blocks and of overlooking important electronic evidence, and as reminders of evidence to recover, the use of cheat sheets helps you stay on track.

Cheat sheets can serve not only as a reference but also as a training guide, study guide, refresher, and visual aid. When referenced regularly, they could be the one thing that creates a spark and connects the dots in a case as you flip through a binder of cheat sheets you printed months earlier.

Checklists help in not forgetting small details that can result in major problems later in a case. Deadlines, evidence handling, and reporting deadlines are items that can be covered in a checklist. The use of checklists can also help in reviewing a case as a supervisor to ensure work is being performed correctly and completely.

Bibliography

1. Cheatography. <http://www.cheatography.com>.

2. Link Files Cheatsheet. <http://www.lowmanio.co.us/>.

3. Report Writing Cheatsheet. <http://girlunallocated.blogspot.com/>.

4. SANS Institute. <http://www.sans.org>.