In our interview with Harlan Carvey, a computer forensics expert well known in the forensic community, he speaks about his career, his books on Windows forensic analysis and, of course, his famous RegRipper tool.
Harlan Carvey is a DFIR nerd living and working in the Northern VA/Metro DC area. After serving in the military, Harlan started his infosec career, first in vulnerability assessments and penetration testing, and then making the logical move to digital forensic analysis and incident response. While a member of the IBM ISS ERS team, Harlan responded on-site to a number of incidents, in a wide array of disparate environments. He has provided a number of open source tools to the community, most notably RegRipper. Harlan has given a number of presentations and written several articles, and is the author of “Windows Forensic Analysis” (now in its third edition), “Windows Registry Forensics”, and the co-author of “Digital Forensics with Open Source Tools”. Several of his books have been translated into foreign languages. He continues to conduct DF research, develop innovative analysis techniques and tools, and he will always program in Perl.
Yuri: Please briefly describe your current occupation. What organization are you working for?
Harlan: I am currently the Chief Forensics Scientist in the Proactive Security Division at Applied Security, Inc. (http://appliedsec.com). I and my team perform digital analysis of systems and mobile devices, as well as provide training via unique course materials.
My approach to digital analysis is self-taught
Yuri: How did you become involved in the computer forensics field? Do you have any related education? What field do you have a degree in?
Harlan: Like many in the field, I was involved in information security and even digital forensic analysis well before there were any courses available on the subject. I was involved in security (physical, communications, etc.) while in the military, and when I got out of the military, my first job involved vulnerability assessments, penetration testing, and “war-dialing”. My degree is in electrical engineering, and my approach/process to digital analysis is self-taught, through self-study and engaging with others in the field.
Yuri: You are the author of a number of books. Which one was the best accepted by the community? What is your motivation to write books?
Harlan: It’s very hard to tell which of the books I’ve written is “best accepted” by the community, simply due to there being very little feedback. Based on sales numbers so far, and the limited feedback I’ve received, I would think that “Windows Forensic Analysis 2/e” is the “best accepted”, but my hope is that “Windows Forensic Analysis Toolkit 3/e” will fare as well or better by the time it’s been out as long as the second edition.
I’ve started keeping notes of subjects to add to Windows Forensic Analysis 3/e
Yuri: Are you working on a new book now?
Harlan: Not one of my own at the moment. I’m conducting a technical review of someone else’s book. However, I have started keeping notes of subjects that I want to add to or update in WFAT 3/e. While I do continually ask for recommendations from the community regarding how to go about improving the book…my writing, the content, anything to support the content, etc…I don’t often receive anything along those lines.
Yuri: Please describe your working day. When you get to work, what do you do first? What do you do most of the time?
Harlan: I don’t think that my work day is really any different from anyone else’s. I am an early riser, so I am often at my desk prior to 7am. I start by clearing out my inbox…when it’s quiet that early in the morning, it’s easier to focus on things like not hitting the “Send” button until I’m ready, or correctly interpreting what someone has sent to me. From then on, it’s a matter of prioritizing what needs to be done. I learned a long time ago to not get caught up “chewing on” a problem for a long period of time, but to instead reach out to others who may be able to provide assistance.
I may have half a dozen blog posts in draft form, and I may end up deleting all of them
Yuri: How do you combine commercial work, research, books writing and blog posting? Is 24 hours in a day enough for you?
Harlan: Very few folks see what goes on behind the scenes when it comes to all of this. For example, at any time, I may have as many as half a dozen or so blog posts that are in draft form, and I may end up deleting all of them. Twenty-four hours is more than enough time in the day…the key is prioritizing and time management. I learned an important lesson about asking for assistance on a tough problem while in graduate school and putting that lesson into practice makes a world of difference. My research projects are often very focused, and with book writing, if I don’t feel up to writing, I’ll work on something else, as it’s better to put in 15 or 20 minutes of dedicated writing than it is to spend two hours staring at a page.
Yuri: Do you teach computer forensics? If so, what can you say about today’s students? Are they smarter than you were at their age? Are they future forensics stars?
Harlan: Yes, my organization provides training in digital forensic analysis. I don’t really think that those attending the courses can really be categorized in the manner you suggest; it’s more of an issue of the various challenges that we’re all faced with, on a daily basis. In most cases, the folks performing digital forensic analysis do so as one of several hats that they wear, and more often than not, they do not have access to significant training budgets, nor to focused, functional training. However, these analysts encounter dedicated, focused attackers, or individuals who are very adept in their use of technology. It can be very hard to keep up with all of the technology that is available, particularly when your organization doesn’t support specialization in any one area.
Yuri: Do you often travel for business? What conferences/exhibitions/other events do you speak at? Which ones do you like best?
Harlan: Yes, I travel for business, most often to meet with customers or provide the training courses that we offer. I speak at several conferences, and to be quite honest, I enjoy them all. Part of speaking at conferences is getting out and engaging with peers in the community, and being able to talk with them about those things that have been obstacles to our analysis.
Yuri: What do you like about your job most? Less?
Harlan: I’m very thankful to have a job and be able to support my family. I’m also very thankful that my job is doing something that I really enjoy, as I don’t think many people can say that.
Incident response can be very expensive and time-consuming when an organization is unprepared for an incident
Yuri: What is special about your organization/tools?
Harlan: Nothing whatsoever. I think that what’s different about the organization I work for is the approach we take to security, in general. Our position is one of a proactive nature, and this is a position that I’ve always supported. My time performing emergency incident response for ISS and then IBM showed me time and again how expensive, time-consuming, and inconclusive incident response can be when an organization is unprepared for an incident, and the incident itself goes undetected for weeks or months.
Yuri: What is the most interesting/unusual thing a customer has ever said about your organization or your solutions?
Harlan: I really can’t think of anything “interesting” or “unusual” a customer has said, but I have done pro bono work for law enforcement on the side, and as a result of that work, I have received some very interesting gifts of thanks.
Yuri: What is it about your job that you are proud of?
Harlan: Over the years, I’ve found some pretty interesting artifacts and indicators, due to the analysis process I have developed and use. This has been very validating. I think that the one thing, more than anything else, that makes a difference in the work I’ve done is the approach and process I have developed for myself.
Yuri: What are your immediate plans with regards to your organization/solutions?
Harlan: To provide the best analysis services, most timely response, and effective training options to our customers that we can.
Yuri: Have you ever done any forensic or corporate security investigations yourself? Did you appear in a court to present your findings?
Harlan: While I’ve never had to present my findings in court, I’ve performed a great many examinations myself, and assisted others, particularly some in law enforcement.
Methods used by the attackers were extremely effective, but also extremely simple
Yuri: What is the most interesting or unusual investigation you have ever been involved in?
Harlan: There have been a couple of investigations that I’ve been involved in where the methods used by the attacker(s) were extremely effective (not only in gaining access, but also remaining persistent), but were also extremely simple. Like many, I’ve seen malware dropped on systems that was not encrypted nor obfuscated in any way, but was not detected by AV products, and was not easily detected through other means.
I use RegRipper on pretty much every case that I get
Yuri: What should every computer forensics investigator know about your tool RegRipper?
Harlan: First, my hope is that anyone performing digital forensic analysis, particularly of Windows systems, is aware that RegRipper is available. I have received emails from analysts who have said that RegRipper has reduced days of work to minutes. To me, that sounds as if someone has found it to be useful.
Second, RegRipper is an open source tool…which means if an analyst has any questions about what the tool does, or can do, it’s simply a matter of opening a file, such as a plugin or the user manual (or the book, “Windows Registry Forensics”). More importantly, I have attempted to make myself available to answer questions and to provide plugins to meet specific needs, but I can only do so if an analyst can articulate their need in a concise manner, and provide some sample data for testing the plugin.
Third, the most powerful aspect of a tool like RegRipper is the intelligence that can be included in the tool itself. I have no illusions that the vast majority of analysts who use RegRipper do so because they heard good things about it, and don’t really have a solid understanding of what the tool does, or what it can do. Tools like RegRipper allow for the retention and sharing of “corporate knowledge”…one analyst finds something new after 8 or 16 hours of focused, dedicated analysis, and shares it with 2, 10, or 100 other analysts, none of whom now have to spend those same number of hours to find those same artifacts in future analyses.
I use RegRipper on pretty much every case that I get; there are, of course, notable exceptions. For example, if I’m asked to extract metadata from documents, there’s no need to use RegRipper. However, in instances where the goals or parameters of the examination are not clearly defined, tools like RegRipper allow me to cull out the “low-hanging fruit”, allowing me to quickly extract a wide range of information in an automated manner. The result of this is that I’m then able to focus my analysis, and not spend an inordinate amount of time re-doing data collection and analysis.
Social media has had a significant negative impact on communication within the community
Yuri: In your opinion, what is the current state of computer forensic science in the USA? Of legal computer forensic practices there?
Harlan: My view of these areas is extremely limited. I do not have a view into what others in the community are doing. I will say that one of the biggest issues within the community is communication. In my opinion, the use of social media has really had a significant impact on communication within the community. There are simply some things that cannot be addressed in 140 characters, and yet this seems to be the first route that the few analysts who do choose to communicate opt to take. There are a very few folks within the community who realize that such a limited medium does not allow for context or clarity, and instead opt for another medium.
Further, linking to another source with no additional insight, or simply clicking “+1” or “Like” has had a negative impact on the sharing of intelligence and thoughtful innovation within the community. There are a great many thoughtful and intelligent analysts within our community who, whether they know or believe it or not, have something of value to share, and for whatever reason, they choose to not do so, and in doing so, the rest of us are poorer for it.
For clouds, be sure to address issues of compliance and security up front
Yuri: Cloud computing is becoming very popular now. Do you think that forensic investigation itself is going to be much more difficult due to the cloud idea implementation?
Harlan: Yes, very much so. I think that many examiners are going to be faced with challenges, as are their customers, particularly when it comes to data collection. I believe that organizations are going to be more interested in initial up-front cost than issues of compliance or security, and when an incident occurs, will be concerned with retro-fitting their “cloud” purchase with security of some kind, after the fact. Issues of compliance and security need to be addressed up-front and contractually. If your organization is pursuing some sort of “cloud” solution, for whatever reason, be sure to address issues of compliance and security up front, and include those needs in your contract with your provider.
After an incident occurs, it can be far more difficult to make decisions
Yuri: The same question about social networks, which displace usual evidence such as mailboxes, chats, etc.: does this make investigations more difficult?
Harlan: Perhaps. Most “investigations” are significantly impacted by the time it takes for someone to detect the incident, and then to make a decision regarding what to do about it. I have seen and been involved in a number of examinations that would have gone much better (taken less time, and been less expensive) if the organization had thought about the underlying issue before the incident happened. After an incident occurs, it can be far more difficult to make decisions due to pressures imposed by both internal and external sources. Organizations need to be aware of social media and the issues that they can impose on an organization, and take steps and measures appropriate to the organization, through policies and technical means.
If history has shown us anything within this profession, there will always be something new around the corner that will appear to make investigations “more difficult”. This same thing was said about greater storage capacity, as well as about the release of Windows XP, and the subsequent release of Windows 7.
Yuri: What do you like most about computer forensics? Less?
Harlan: What I like most about digital forensic analysis is the sense of problem solving, discovery, and achievement.
What I like least about this kind of work is what many examiners, particularly those in law enforcement, have to deal with on a daily basis.
Yuri: What forensic resources do you regularly read? What would you recommend to others?
Harlan: There’s really no one resource that I read regularly, because there is not really one resource that is updated with timely information on a regular basis. I have several blogs linked from my own blog, so it’s very quick and easy for me to see which ones have been updated.
Cybercrime is far less mysterious than reported in the media
Yuri: What do you see as major trends in cybercrime?
Harlan: While I don’t have access to the same or similar data that many large organizations (Mandiant, Verizon, Trustwave) have access to when creating annual reports, I do think, from having reviewed the reports over the years, that cybercrime will continue to be far less mysterious and sophisticated than reported in the media.
Yuri: Please give some predictions of what may happen in the nearest 5 years with computer forensics.
Harlan: I prefer not to make predictions. I will suggest, however, that if communications and sharing amongst the DFIR community does not improve in the future, the sophistication and pervasiveness of technology, as well as the attacker’s ability to abuse and misuse that technology, is going to overwhelm our community even more. For some reason, analysts within the community seem to think that any problem that they’ve encountered, no one else has ever seen, so they won’t ask for assistance. When an exam is over, analysts take the opposite view and tend not to share their findings, thinking that everyone else has already seen what they’ve seen and therefore wouldn’t be interested in their findings or thoughts. In the long run, this reticence to engage with the community is going to have a significant, detrimental impact on the community.
Yuri: Can you tell any funny story related to computer forensics?
Harlan: I led the examination of an incident where an attacker had gained shell-based access to an organization. At one point, the attacker was on a system and noticed that an administrator was logged in, so the attacker opened up Notepad, and used it as a visual scratch pad to communicate with the administrator. During the investigation, one of the senior administrators did the same thing to one of the junior technicians, making him think that the attacker had returned.
Not really a funny story, per se, but there have been a couple of times when I’ve discovered the “smoking gun” during my analysis, and I’ve really been quite impressed with how simply and effectively the attacker achieved their goals.
I like to participate in mud runs…
Yuri: Do you do any sports? Which one? What is your preference in watching professional sports?
Harlan: I have found that I like to participate in mud runs that include military-style obstacles, as well as support a charity. I participated in the Mid-Atlantic Tough Mudder in Oct, 2011, and plan to do many more similar events, as long as I am able to do so.
Yuri: Thank you for your interview, Harlan!