Special Guest: Aaron Sparling – Portland Police Bureau

In this episode, we are joined by Aaron Sparling, an officer at the investigative branch of the forensic evidence division of the Portland Police Bureau. Aaron is doing a “case walk-through,” the first part of a two-part series. He was given consent to share real data from an actual case with the community, to help investigators learn valuable information and tactics that could be used in their own investigations.

Using mostly memory forensics, Aaron manages to solve the case.

Here is the case outline, based on actual events (the names have been changed to protect the innocent):

Understanding the Basics: What We Know About the Case

  • It originated as a white-collar crime
  • Payroll fraud or theft
  • Small business
  • “NO” known starting point
  • The team cannot stop or interrupt production
  • (1) server and (5) workstations

Listen to the full episode to hear how the team scoped the incident, collected memory, and triaged images of selected endpoints in order to help them find crucial evidence and solve this case.

