You don't like it - but you should

RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
We in LEO are bound by secrecy about our cases and content in general. I know that best myself. But there is one thing you should consider. We only win the battle against all sorts of data theft or crime if we increase the level of collaboration. Don't switch channel now!

I know you don't like it - but you should.

Only by extending our out-of-institution collaboration do you get game-changer ideas. You say you have top people in your team. Right. How many do you maintain top connections with for top tech?
Only a few, I guess. Geniuses are rare - and to be clear:

None of us is smarter than ergo sum.

Hackers collaborate more than we can dream of. HITBSecConf has the motto "Hack it ergo sum".

You say I cannot collaborate by corporate guideline and because I am working for LEO. So do I.
You say I am not that generation of 'sharing'. So do I.
You say I do not have the time. So do I.
You say I cannot trust anybody. So do I.
You say I have peers enough. So do I.

So what. You should think about the advantages of collaboration HERE in an open forum. It's good that it's open, so you do not trust anybody. Just try to take out 'the worth sharing'.

Let's share ideas - not content.

 
Posted : 02/01/2018 9:03 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'm game…ideas, such as what?

 
Posted : 02/01/2018 10:44 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Ideas like what made you suspicious the last time (Indicator of Deception, IoD) so that you did not believe the obvious. Experience youngsters don't have - but they want to learn. Not technical-only, but what was the 'invisible dot' you (2004 - 2017, huge experience) caught to solve a case.

 
Posted : 03/01/2018 8:59 am
hcso1510
(@hcso1510)
Posts: 303
Reputable Member
 

Rolf,
I'm probably one of the guys on here that has been most vocal in regard to some of your postings. That being said, I believe you are 100% correct, to a point.

Law Enforcement is a fairly closed group and in my experience largely arrogant, i.e. "That's our case. We can't discuss that with you. We can't share our data." Due to their sensitive nature, political angles, or technological aspects, many cases have often become a department's "Golden Egg", where it's sort of like Fight Club. Remember the first rule?

If I have any strength it would be in U.S. cellular networks and criminal investigations that might result from that. In my trainings I always tell students (Law Enforcement) that when they call a telecommunications provider they should consider providing the call taker with some information about the case. The telecoms don't provide you with a list of the questions to ask, SO IMHO, by providing the telecoms with some limited case information you essentially empower the Law Enforcement Response Team member and possibly get them interested in helping you.

Several years ago I wrote an endorsement for a private company that was assisting in helping to find some missing kids. The company, who specializes in cellular tracking, was having an issue in obtaining the cellular data from the law enforcement agency working the case. Even at the request of the family the agency wouldn't budge. Type A personalities don't like to admit that they don't have all the answers. My letter, for what it was worth, was of some assistance in the private sector obtaining the data and finding these missing persons.

To some extent that would be the limit of what I would consider safe sharing in an un-vetted forum.

What else should we collaborate about?

How about identifying an individual utilizing a NAT (Network Address Translation) without a port assignment?

Let's talk about fugitive apprehension when the individual has gone dark and dropped their mobile device?

Let's talk about triangulating approximately 95 percent of cellular devices in the U.S. from your computer, or mobile device. "With judicial authorization, mind you."

Maybe we can talk about the specific tracking capabilities of the telecoms? Who pings and who doesn't?

Collaborate maybe, but not about that stuff? If not that, then what? What's safe?

My reservation in any collaborative effort is I have no idea on earth who you are. I also don't control who reads the posts. I can honestly say that I can only vouch for about a dozen people on this forum.

If you are truly interested in collaboration (regarding subjects that I, "and I'm essentially nobody", would consider law enforcement related), why don't you consider joining HTCIA? They have a healthy mix of members that are LE and Private Sector. I'd venture to say that many members of this forum are also HTCIA members.

Your thoughts?

 
Posted : 03/01/2018 9:06 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Ed, you are so right. I understand exactly what you mean. On a digital platform like FF we handshake digital-only. Trust can only be extracted from text and content, reading between the lines, which requires a learning phase to really understand the between-the-lines.

Let's be honest: if you meet a sworn-in officer with a badge, do you really trust him? Empathy works stronger. To refocus on how to increase collaboration: we always have people we never met. There has to be a new digital-only way of collaboration based on no-trust. And exactly there LEO go silent.

We lose the war. Believe me.

So what? Let time show if I am right or not.

HTCIA I know well, and I was in Vegas.

 
Posted : 04/01/2018 6:00 am
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

If you are truly interested in collaboration (regarding subjects that I, "and I'm essentially nobody", would consider law enforcement related), why don't you consider joining HTCIA? They have a healthy mix of members that are LE and Private Sector. I'd venture to say that many members of this forum are also HTCIA members.

Is HTCIA that active? I tried joining in September 2016, and my membership application is still "pending"

I'm also not that convinced about the impartiality of the organisation - it seems almost aggressively focused on prosecution, which is a bias I'm not entirely comfortable with. Cases should be investigated "down the middle", so to speak.

It also seems to me that the membership criteria eliminate a huge chunk of the expertise available via the private sector, because they do both prosecution and defence work.

 
Posted : 05/01/2018 8:41 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Ideas like what made you suspicious the last time (Indicator of Deception, IoD) so that you did not believe the obvious.

Given the type of work I've done, I can't really point to much of anything like that. Yes, over the years, there have been a very large number of cases where the client will say, "…we think that this system was infected or compromised, but we don't really have anything specific to point to…". As such, not so much active deception as just trying to find a starting point.

Almost a decade ago, I was working with a team of folks on an "APT" case, and we were tracking the threat group, and I had enough information on my end to be able to demonstrate two distinct actors from the same group. Based on timelining of activity, they appeared to be operating on 8 hr shifts, and both had very distinct activities when they'd land on either the main "nexus" system or when they'd branch out to other systems. One was very interested in Windows Event Logs, and the other always preceded their activities by going to the PowerShell console. We were very concerned because both of these actors were getting into the infrastructure with RDP access, and we had no clear indicators of where they were getting in. Asking the client was fruitless…there was no clear understanding of their infrastructure.

Well, the first bad guy had hit the nexus system and cleared the Windows Event Logs. We had an image of it, so while we were working on some other things, I asked one of the guys to run EVTXtract against unallocated space extracted from the drive image, which he did…and we found our smoking gun. Thankfully, the bad guy had cleared the Security Event Logs at the "right time", and we'd been able to get an image of the system at the 'right time', and were able to recover the _one_ event record that illustrated the type 10 login we needed, which included the IP address and system name of the previous hop. This allowed us to nail down from where they were accessing the infrastructure.

 
Posted : 05/01/2018 11:43 am
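The two techniques in the post above (recovering Security event records that survived a log clear, and timelining logons to expose operator shifts) are the sort of thing a junior analyst can practise offline. The block below is an added example and not code from the post, from EVTXtract or from any real case: it carves complete `<Event>…</Event>` records out of a constructed text blob standing in for carved-and-rendered output (assumption: the recovered records have been rendered to the standard Windows Event XML form, which is not what EVTXtract emits natively), keeps only 4624 logons of type 10 (RemoteInteractive, i.e. RDP), pulls the source IP address and workstation name of the previous hop, and buckets all logons by UTC hour. All host names, accounts, addresses and timestamps are made up.

```python
"""Carve Windows Security 4624 records from a recovered text blob, pull the
RDP (logon type 10) source hosts, and bucket logons by hour.

Added example. SAMPLE_BLOB is constructed, not from a real image, and the XML
layout is the standard Windows Event XML rendering (assumption: recovered
records have already been rendered to that form).
"""
import re
from collections import Counter
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Tempered pattern: match one <Event …>…</Event> that contains no nested
# "<Event", so a truncated fragment cannot swallow the next intact record.
EVENT_RE = re.compile(r"<Event\b(?:(?!<Event\b).)*?</Event>", re.S)


def _record(system_time, logon_type, ip, workstation, user):
    """Build one constructed 4624 record in Event XML form."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
        "<EventID>4624</EventID>"
        f'<TimeCreated SystemTime="{system_time}"/>'
        "<Computer>NEXUS01.corp.example</Computer></System>"
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="WorkstationName">{workstation}</Data>'
        f'<Data Name="IpAddress">{ip}</Data>'
        '<Data Name="IpPort">49152</Data></EventData></Event>'
    )


# Constructed blob: slack bytes, one truncated record (no closing tag, as a
# partially overwritten record would look), then three intact ones.
SAMPLE_BLOB = (
    "\x00\x00\x1f\x00junk"
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>4624</EventID><TimeCreated SystemTime="2017-12-03T21:58:00Z"/>'
    + "\x00" * 8
    + _record("2017-12-04T02:14:37Z", 10, "10.20.30.40", "JUMP-HOST-07", "svc_backup")
    + "more slack\xff\xfe"
    + _record("2017-12-04T03:02:10Z", 3, "10.20.31.5", "FILESRV02", "svc_backup")
    + _record("2017-12-04T10:41:55Z", 10, "10.20.30.41", "JUMP-HOST-08", "adm_ops")
    + "\x00" * 4
)


def carve_event_xml(blob):
    """Return every complete <Event>…</Event> string found in the blob."""
    return EVENT_RE.findall(blob)


def parse_record(xml_text):
    """Flatten one Event XML record into a dict (EventData names become keys)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    when = system.find("e:TimeCreated", NS).get("SystemTime")
    fields = {
        d.get("Name"): (d.text or "")
        for d in root.find("e:EventData", NS).findall("e:Data", NS)
    }
    fields["event_id"] = int(system.find("e:EventID", NS).text)
    fields["time"] = datetime.fromisoformat(when.replace("Z", "+00:00"))
    return fields


def _parsed(records):
    """Parse records, skipping any that are still malformed after carving."""
    for xml_text in records:
        try:
            yield parse_record(xml_text)
        except ET.ParseError:
            continue


def rdp_logons(records):
    """(time, account, source IP, source workstation) for each type-10 4624."""
    return sorted(
        (r["time"], r["TargetUserName"], r["IpAddress"], r["WorkstationName"])
        for r in _parsed(records)
        if r["event_id"] == 4624 and r.get("LogonType") == "10"
    )


def previous_hops(records):
    """Distinct (IP, workstation) pairs the RDP sessions came from."""
    return sorted({(ip, ws) for _, _, ip, ws in rdp_logons(records)})


def hourly_activity(records):
    """Count 4624 logons per UTC hour of day; gaps and clusters hint at shifts."""
    return Counter(r["time"].hour for r in _parsed(records) if r["event_id"] == 4624)


if __name__ == "__main__":
    recs = carve_event_xml(SAMPLE_BLOB)
    for row in rdp_logons(recs):
        print(*row)
    print("previous hops:", previous_hops(recs))
    print("logons by hour:", dict(sorted(hourly_activity(recs).items())))
```

Run as a script it lists the two RDP logons with their previous-hop addresses and the per-hour counts; on a real case the same hour buckets, taken over weeks of records rather than three, are what make an 8-hour shift boundary visible. Type 10 is the only logon type that carries the interactive source host in the `IpAddress`/`WorkstationName` fields in a useful way here, which is why the filter is that strict.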
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Thank you for sharing your experience, and I wish you a full recovery related to your health and personal condition.

IoD we collect in crime cases. They can be just a personal impression or emotional. Of course experience helps to get 'the attacker's view'. After breaching, which is a simple thing, reconnaissance by lateral movement is predictable if you have analysed your own 'crown jewels' beforehand.

But if you think sharply about what gave you the hint to look here or there first in your logs or timeline, that is so important for youngsters like us to learn.

The logic behind the scenes is worth learning.

 
Posted : 05/01/2018 2:34 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

The logic behind the scenes is worth learning.

This is the basis for my next book, which will be going to the publisher in April.

 
Posted : 05/01/2018 2:44 pm
hcso1510
(@hcso1510)
Posts: 303
Reputable Member
 

Is HTCIA that active? I tried joining in September 2016, and my membership application is still "pending"

I'm also not that convinced about the impartiality of the organisation - it seems almost aggressively focused on prosecution, which is a bias I'm not entirely comfortable with. Cases should be investigated "down the middle", so to speak.

It also seems to me that the membership criteria eliminate a huge chunk of the expertise available via the private sector, because they do both prosecution and defence work.

I know that HTCIA is very active in the U.S. I have no idea how active they may be overseas. I attended a conference a couple of years ago in Vegas and there were a number of members there from the UK and other countries. If you were looking for them to take action on your application you might consider contacting them through htcia.org and inquiring as to your membership status.

I'm not positive what you are seeking from the group. My one "Conference" experience with them was positive. The organization, as the name indicates, is geared to the investigation of high tech crime. Presenters often get maybe 90 minutes to essentially educate the attendees as to "this is where I found the evidence, or this is how X was accomplished." While there is value in demonstrating "We tried 100 things and never could support what law enforcement, or our client, tasked us to find", I don't know that that line of training would draw folks in to the same degree. They do however have a forum where I'm sure discussions that may not be as "biased" are welcome and do take place.


Posted : 05/01/2018 3:08 pm