Travel: It Is Not Just For Airline Status Pt. 2

In my last post, we were merely discussing the very early, pre-planning stages. While much of that is most likely already known by the masses, it is still very important information for anyone who has never traveled abroad for business before. It is a different animal than traveling for personal leisure.

Continuing on, we are going to look at what is in my carry-on bag when I am traveling to these places. While technology has changed, some things will always remain the same. Remember that you are most likely going to a location where you will be working anywhere from 8 to 16 hours a day while there. After all, they didn't send you to another country to sightsee!

Back in my public sector days, I was always told to "over prepare" because what you need may not be available when you need it the most. I still have this mantra, but to be perfectly honest, things like write blockers and power strips go in my checked bag. My carry-on is designed to be as lightweight as possible so it doesn't feel like I'm carrying an 80 lb child on my back while walking from concourse A to concourse F in ATL (which, by the way, is about 1.5 miles).

Laptop

Get a laptop that is lightweight and can handle everything you'll need it for while away from your lab computers. Does that mean you need a Dell Precision laptop with a 17″ screen and 64GB of RAM? Probably not. If you're doing anything remotely that intensive, you've got other nightmares to handle. I've never needed that much RAM or that big a screen while working. Remember: lightweight. You are most likely bringing evidence back with you anyway.

So for me, it is a MacBook Pro built in early 2016: 1TB internal drive and 16GB of RAM. Just a plain old MacBook Pro. And it works. It does everything I need it to do, mainly because of the software installed on it, most of which lives inside the VMs.

Dongles

Oh yes, we wouldn't be in digital forensics if we didn't have to carry dongles around. Sigh. There are only three dongles I ever have with me: X-Ways, Cellebrite Physical Analyzer and BlackBag. Why just those three? X-Ways is super robust, and if I am going to need a GUI to dig into a laptop or image, it will do it for me without needing a ton of resources. Physical Analyzer is still the de facto standard for cellphone acquisitions. When going to countries outside the United States, you just don't know what you're going to run into, so needing this software is basically a foregone conclusion. And BlackBag is my "in case of emergency" software since it runs on both Windows and macOS.

Additionally, if you are still using Cellebrite Touch, ditch it and get 4PC already. For starters, it comes with Physical Analyzer on the same dongle, so you can run both from one dongle. Most importantly, it is one less bulky thing to have with you while traveling. We won't even get into the discussion that Touch runs on an Intel Atom processor and is slow as all get out. Using 4PC/PA on your own laptop will let you collect and/or process MUCH faster.

I've started to use Axiom a little bit more because the program allows me to send a license key to the VM, so I do not need to authenticate with my license server. However, I'm still skittish about using it as a replacement for the above tools. That said, the tool did work amazingly while I was in Argentina and Cellebrite wouldn't dump an Android phone for some reason. Magnet's Acquire software at least got me a dump of the phone; it just missed the key file needed to decrypt a specific database, sadly.

Cables

If you don't have one of these cables in your bag, go buy three of them right now. If you're private sector, you already know what type of phones you will most likely be collecting, but this one cable alone almost wipes out the need to bring any of the Cellebrite cables, except possibly Cable 133.

Battery Packs

I typically travel with two of these, depending on my travel time. The obvious reason for them is nothing new: they are great if you need to charge multiple phones at the same time, and they are super slick if you're somewhere with only one international adapter, where charging from the wall would mean choosing between laptop power and phone power. The one pictured here is the same one I own. It lasts me all week while keeping two iPhones charged the entire time. So it is perfect if you're sitting in the back of a cab and your phone is eating away at its battery as you play Candy Crush to pass the time until you arrive at your destination.

International Adapter

This is seriously something you need to have in your carry-on and not your checked bag, in case your luggage is lost (which, knock on wood, has never happened to me). It is basically your lifeline for power. Make sure you know whether you need a plug adapter or a true voltage converter: many countries put 220-240 V on their outlets versus 120 V in the US, and a plain plug adapter does not change the voltage. Most laptop and phone chargers are rated for 100-240 V (check the label on the brick), but anything that isn't can be destroyed if you're not careful. Also, make sure you bring a plug adapter specific to your laptop maker. So if you have a MacBook, go get one from Apple; if you have a Dell, go get one from Dell. While a generic adapter will work just fine with your laptop, you and I both know that laptop is going to be the primary asset you use, and it makes life easier not to have to dig the universal adapter out every single time you want to use your laptop while traveling or sitting at the airport or hotel.

Paper

Thanks to Phil Hagen, I went and bought one of these and have been very impressed by it. The company is Rocketbook. I won't go super in-depth on it because there are videos for it, but you can reuse the pages within the notebook, and it can also scan the pages and send them to a destination of your choice (cloud storage, OneNote, etc.). This thing is absolutely perfect if you are drawing schematics or taking notes and sending them to your case notes for safekeeping. Just make sure the destination you scan to is one your organization has approved for case material; those pages are evidence-adjacent. The fact you can get it in a pocket size is even more of a perk since it doesn't take up a lot of space.

WiFi Adapter

This is more for my own fun than anything, but you never know when you may need it in a pinch. Typically I've only used it for scanning for hotspots when doing wireless assessments. It is lightweight enough that you won't really notice you have it anyway. The one I have can be bought on Newegg.

Hard Drives

Normally I bring just two of these with me. I elected for hardware encryption over software since it is quicker to decrypt and doesn't require me to install anything on a computer to use it. BitLocker is fine until you have to use FOSS tooling to unlock it on a Mac or Linux system. Save yourself a lot of stress and make sure you get USB 3.0 ones. Don't just use regular hard drives with no encryption. I cannot stress this enough. You never know when your bag may be stolen, or worse, you are detained.
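The point above is worth checking rather than assuming, since a drive that was "supposed to be" encrypted but was formatted plain is exactly the one that ends up in a stolen bag. The script below is an added example, not something from the original post: it reads the first 4 KiB of a device node or a dd image and reports whether the leading signature is an encrypted container (LUKS, BitLocker) or a plaintext filesystem (NTFS, exFAT, FAT, HFS+, APFS), and refuses to call anything else a pass. The signature offsets are the documented on-disk ones for each format; the device paths in the comments are assumptions for illustration, and a hardware-encrypted drive that is still locked typically presents no readable volume at all, so "unknown" on a locked drive is the expected result.

```python
"""Sanity check for travel drives: does the volume present an encrypted
container or a plaintext filesystem?

Added example, not the original post's code. Point it at a raw device node
(assumed paths: /dev/sdb1 on Linux, /dev/rdisk2s1 on macOS, run with sudo)
or at a dd image. Only the first 4 KiB is read.
"""
import sys

# (description, byte offset, magic bytes, verdict)
# LUKS1/LUKS2 header: "LUKS\xba\xbe" at offset 0 of the volume.
# BitLocker: the volume boot record carries the OEM name "-FVE-FS-" at offset 3,
# which is why it is listed before NTFS/exFAT (same offset, different bytes).
# NTFS / exFAT: OEM name at offset 3. FAT32: type label at 82; FAT12/16: at 54.
# HFS+: volume header signature "H+" at 1024. APFS: container magic "NXSB" at 32.
SIGNATURES = [
    ("LUKS container", 0, b"LUKS\xba\xbe", "encrypted"),
    ("BitLocker volume", 3, b"-FVE-FS-", "encrypted"),
    ("NTFS filesystem", 3, b"NTFS    ", "plaintext"),
    ("exFAT filesystem", 3, b"EXFAT   ", "plaintext"),
    ("FAT32 filesystem", 82, b"FAT32   ", "plaintext"),
    ("FAT12/16 filesystem", 54, b"FAT1", "plaintext"),
    ("HFS+ filesystem", 1024, b"H+", "plaintext"),
    ("APFS container", 32, b"NXSB", "plaintext"),
]

HEADER_LEN = 4096


def classify_header(header: bytes) -> tuple:
    """Return (description, verdict) for the leading bytes of a volume.

    verdict is "encrypted", "plaintext" or "unknown". "unknown" means no
    recognised signature: a still-locked hardware-encrypted drive, an
    unformatted disk, or a format this list does not know. It is deliberately
    not treated as a pass; only a recognised encrypted container is.
    """
    for desc, offset, magic, verdict in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return desc, verdict
    return "no recognised signature", "unknown"


def check_volume(path: str) -> tuple:
    """Read the leading bytes of a device node or image file and classify it."""
    with open(path, "rb") as f:
        header = f.read(HEADER_LEN)
    return classify_header(header)


def pack_decision(verdict: str) -> str:
    """Only a recognised encrypted container is cleared for the bag."""
    return "OK" if verdict == "encrypted" else "DO NOT PACK"


if __name__ == "__main__":
    for p in sys.argv[1:]:
        desc, verdict = check_volume(p)
        print(f"{p}: {desc} [{verdict}] -> {pack_decision(verdict)}")
```

Run it against every drive before it goes in the bag, e.g. `sudo python3 checkdrive.py /dev/sdb1`. A BitLocker volume unlocked on Windows will still show the `-FVE-FS-` signature on the raw partition, so the check works whether or not the volume is mounted; it only tells you the container format, not that the passphrase is strong.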

Miscellaneous 

The last bit of stuff I typically bring is something that may not have crossed your mind: things like Band-Aids, cough drops, aspirin, Tums, Pepto-Bismol and sore throat drops. You never know when you could come down with something, and the odds are low that you'll be able to pick this stuff up right away if you're somewhere without stores nearby. I've been in some austere conditions and come down with traveler's sickness (those who travel know what that means!) and thankfully I had something to help alleviate it.

As I've said, this isn't meant to be the all-encompassing list of everything you would need for an engagement. But this is pretty much everything I need, whether the travel is foreign or domestic. My bag is light enough that I can wear it comfortably everywhere, and small enough that I can put it under the seat on the plane if need be.

Travel: It Is Not Just For Airline Status Pt. 1

I elected to make this my first "real" post not only to elaborate on the amazing work of my friend Lesley's post back in November, but also to provide my insight as someone who does this quite a bit. First, I'm not going into the "do's and don'ts" of a particular region or how to have proper OPSEC. Your security folks should be properly preparing you if you're going to austere conditions, not a blog. I will try to keep it as generic as I can, but let's face it, I'm American and my experiences are going to be as such.

To get the caveats out of the way, I have lived in Europe for a number of years and have been on five continents (sixth coming this fall!). Many of the countries I have been to are not what I would consider "friendly" nations towards United States citizens. On top of that, in many of them I was there in an official capacity, and I can only guess how many people were watching me closely while we were walking through the park to the local coffee shop! Not fun, regardless of whether you want to believe you are in a Jason Bourne movie.

So you got your sweet new DFIR gig and the boss has just told you to get on a plane and head to Rio! You are excited but nervous at the same time. This is what you've always wanted to do, after all, but you've never traveled outside the country, except that one time you went to Cancun, which your parents don't know about.

Here is where I see a distinct difference between the public and private sectors in the United States. When I was public sector, we had people whose job it was to prepare us for travel abroad. They got everything in line for us, including the most important thing: visas. I cannot stress this enough, regardless of where you reside as you read this: if you are going to be traveling outside the country, the #2 thing you need to do is check on the type of visa you'll need to gain entry. Many countries do not have a blanket one you just sign up for and you're golden. No, no, no! They'll have one for tourism, one for business, or even one for conferences. Each will have a different length of stay, and speaking with Brazilian officials the last time I was down that way, you don't want to ever get caught using the wrong one! Yes, I have two different visas for Brazil for that specific reason; which one I present depends on the type of travel. Do not listen to coworkers who tell you to just use the conference visa (if it applies) to get into a country for 72 hours. Speaking with officials in India, if they even think you're there for official business on that visa they will arrest you.

The process to get one of these is not nearly as bad as you'd think. The longest part is just waiting for your passport to be shipped back to you with the visa inside it. Additionally, check the expiration date of the visa when you receive it. Some countries will only give you a 3-year pass, others 10. This becomes important as your passport ages, because you'll need to present the old passport to customs officials if the visa in it is still valid. Hence why you'll see folks carrying two passports with them. For those in the United States, please refer to the State Department's site for more information on threats and visa requirements. It is a great resource and is updated daily by the US Government.

So that was the second most important thing; what is the first? Well, the obvious: your passport.

When you are traveling abroad, this is your lifeline. Another country is not going to recognize your US driver's license. They are not going to care about your Global Entry card. They are not going to care about your fishing license either. So don't bring them with you. In fact, go on Amazon and get yourself an RFID-blocking passport holder with room for currency and credit cards and call it a day. It'll cost you around $10-$20 and you can completely forget about bringing your wallet with you. Leave your Lowe's rewards card at home and bring only the cards you'll need for your travel. For me that is my personal Amex, my Visa and my company's credit card. That is it. I don't even bring my debit card with me while I travel. Depending on your length of stay, just take out a nominal amount of cash (hopefully your bank can support currency exchange; if not, get it before you get to your destination) and only use it when you absolutely have to.

So you have your Passport and Visa, now what? 

Speaking of Global Entry…GET IT.

You've probably seen these little kiosks when you've traveled abroad. They are the wonderful machines that, if you're Global Entry approved, let you bypass the passport control line when you arrive in the United States. This is naturally aimed at US citizens, but I would urge everyone to get on board. It is $100 for 5 years and also gets you a Global Entry card (which you do not need to travel with), which can be used as a second form of ID. It also gets you TSA PreCheck (which is $85 by itself). Many cards like the Chase Sapphire Reserve also reimburse the fee, so it is free. The last time I used it in Atlanta, a flight from South Africa had landed just before us. The line was about 300 people long. Because of those little machines, I was cleared back into the country, had my bags and was through the ATL TSA checkpoint before that line had even moved 40 people. Speaking with customs officials, it can save you anywhere from 1-3 hours at major hubs (e.g. JFK, ATL, LAX, etc.).

So How Can I Make the Flight Better?

Assuming you are like me, you aren't getting business class no matter how much you complain to your boss. Here is what you will find can be the absolute worst: the length of time in a plane. Not mincing words, you don't want to be the person who has to sit in the middle seat for an 8 1/2 hour flight from Chicago to Frankfurt. So what can you do to make life a little easier? Honestly, this will go against many folks' convictions, but I would tell you to find an airline (which may or may not be the dominant airline at your airport) and stick with them and their partners. For me that is Delta, and as such my Amex card is their credit card. Here is the main reason: if you are going to be traveling even 10% of the time, accruing miles with a specific airline will get you closer to status upgrades for better seats (and things like their lounges for free), and those miles can be used to flat out upgrade your seats. The last three times I've used miles to upgrade (Sao Paulo to Atlanta, Buenos Aires to Atlanta, Amsterdam to Minneapolis) the total was 40k miles each time for a leg that was anywhere from 8-11 hours long. Don't think that matters?

This was business class from AMS to MSP back in 2015. It was the first time I was able to upgrade to these seats and it was well worth it. The fact it lays out into a bed allowed me to actually sleep on the plane and arrive well rested and able to go about my business that day.

So, who am I?

Many are probably wondering who I am and whether this is worth their time. My hope is that it will be! To start, I won't go into my background too much; if you want to know it, you'll probably be able to ask around and put the pieces together. Also, I'm not the kind of person who thinks degrees and certs make the person. Do I have those? Yes, I do. We will leave it at that.

My first, and probably only, claim to fame within the community has been the GCFA gold paper I wrote: https://www.sans.org/reading-room/whitepapers/forensics/filesystem-timestamps-tick-36842. It was the first time I really branched out and it was very worthwhile. I would encourage everyone to do that deeper-dive research to further the field. How did I come up with this? It really came down to the fact that I just didn't understand how timestamps would be reflected when a file was bouncing around a bunch of filesystems. And lo and behold, the paper wrote itself. Seriously, I had this thing written before I even submitted the idea to GIAC for the gold paper. That was just how easy it was!

That is my challenge to you on this Sunday: find something you're passionate about and start researching it! After speaking with many of our peers over the last weekend, I am going back to that paper and revising it, namely to make it cleaner and much more visually friendly. So be on the lookout!

Removing the Cloak

So I was basically challenged into starting a blog as a way of giving back to the community. This was largely pushed by many of the SANS instructors within the digital forensics curriculum, as there is a large gap within the field as a whole. Coming from my previous employer, this was just something that couldn't be done. We were always pushed to err on the side of caution while conducting any activity online so as not to be found. That has basically been my mantra for quite some time now, even after I left. Exposing myself is something that has taken a lot of internal courage for me to do.

But I am doing it!

And the reasons why I am doing it are largely because I want to give back to a field that has offered me so much. It is the right thing to do. Watching many of those I look up to have no issues using real names and email addresses out there in the wild has made this transition a lot easier. The hope is to provide content that our community finds relatable and helpful in their own careers and studies.

What you can expect to see in terms of content is going to vary considerably depending on what I feel would help move this forward. Since I work directly with SANS as a SME, I have been blessed to have taken a considerable number of the courses. These will most likely be some of the first few postings, hopefully providing one person's perspective on taking these classes and maybe going over some study tips for the GIAC certs that many of you have either not yet taken or prepared for less well than you could have.

Expect to read….

SANS / GIAC
Digital Forensics
Incident Response
Legal Issues
Lab Management
Policy Development
Red Teaming
Engagements and Operations Planning
Travel