Attaching ear pro directly to your helmet offers several benefits and makes the whole system more comfortable. Today on Gear Tasting, Bryan shows how he adapted the Unity SARA Mounts and Peltor ARC Adapters to attach his MSA Sordins to his helmet.
Bryan also takes a couple Questions Over Coffee, including the differences in our Lapel Daggers and his thoughts on secure communications. Continue reading
In the first part of this series on caches, I provided an overview of various kinds of caches and their purposes. The goal of this second part is to provide more detailed information about how to prepare a weapons cache for decades in long-term storage. I’ll also be providing suggestions for specific types of weapons and related technology. Electronics have unique storage requirements that merit a separate discussion and those will be addressed in a subsequent article on caches.
Caching lethal weapons and ammunition together is serious business. If possible, it’s always best to remove a part of the weapon necessary for it to fire and place that part in the spares container co-located with, but separate from the weapon. For an M4 carbine, the firing pin is a logical disabling item and the lack of it will render the weapon safe. It can be fired again only by disassembly, insertion of the missing firing pin in the bolt carrier, proper reassembly and loading of the weapon. These actions are beyond the capacity of most children and adults who aren’t experienced with weapons.
Caching weapons and ammunition provides a secure place to store any surplus and if done correctly, is not only better for the weapon and ammunition, but more secure than any gun safe. Cached weapons and ammunition are hedges against future shortages, even in the face of state-sponsored confiscation. In particular, items cached for the latter purpose should be free of latent fingerprints and biological material that may lead to identification of the cache owner. It probably goes without saying, but caches with weapons shouldn’t contain anything that is database linked to the owner.
The highest ethical and moral obligation I can impart to anyone clandestinely caching weapons and ammunition is to ensure that the cache is secure from inadvertent discovery by children or adults. Various different cache containers were discussed in Part I and included PVC tubing, Monovault commercial cache tubes, which are offered in a variety of sizes and plastic buckets of the five to seven gallon variety with Gamma seal or regular snap lids.
Obviously there are many other containers suitable or even specific to unique items. Food properly canned in Ball or Mason jars, especially with reusable Tattler plastic lids and gaskets under partial vacuum seal are useful to store and preserve food.
Atmospheric pressure differential tightly seals the gasketed lid or ‘flat’ to the jar making the ring redundant after the seal is ‘set’. The combination of glass jar and plastic lid makes for a rust free, albeit fragile container, which is suitable for preserving a variety of materials (including small caliber ammunition) for long term storage.
Larger containers such as aluminum US Military medical containers are useful for caching more bulky items. These medical containers are made of rust free aluminum with ammunition can like rubber seals and are watertight. They do, however, suffer the liability of having steel clasps that are guaranteed to rust. These larger metal containers also load easily in a trailer for quick evacuation.
Although the focus of this article will be on PVC and Monovault commercial cache containers, there are a plethora of special use containers suitable and perhaps even specific for special purpose caches.
Most modern firearms, including those advertised as being made of stainless steel, usually contain small parts (like springs) that aren’t composed of stainless and given the presence of oxygen and moisture, will corrode or rust over time. In fact, even stainless steel will rust given the proper environment.
Machinists have long recognized that some people leave a body moisture that’s particularly corrosive and these people are usually referred to as “rusters.” In most locales, the atmosphere has sufficient water content that will eventually rust many unprotected metals. For these reasons, most people carefully clean and wipe the surface of their weapons with an oily rag to remove fingerprints and leave a film of oil that serves as a moisture barrier.
Those familiar with weapons understand that WD-40 isn’t a gun oil and it’s recommended that weapons being cached be treated with a high quality preservative lubricant such as Birchwood Casey’s Barricade. Some advocate filling the bore with grease, however it’s my opinion that in a properly prepared cache, this practice is redundant at best. If grease is used in the barrel bore, the weapon should be appropriately tagged against the possibility of a future firing without first removing all traces of grease.
Well designed weapon caches will include, at minimum, a kit of small user replaceable parts, cleaning supplies, ammunition, additional magazines, holster or sling, weapon maintenance multi-tool with telescopic sight mount wrenches, a chest rig and/or ruck with water bladder as appropriate, fixed blade knife and a folding bag in which to carry everything away from the cache.
Other related items might include high quality binoculars such as any by Leica, which are available with range finding options, a first rate water filter such as the Katadyn Pocket Filter, maps or charts of the area of operation, a best quality compass such as the Brunton Pocket Transit and several methods of starting a fire.
Particular attention must be paid to where the weapon cache is hidden. In part one, I mentioned a shallow weapons cache buried on the author’s land, with the express purpose of providing ready access to the tools necessary to retake the residence by force if necessary. Further away from the residence in public or national forest property for instance, other weapon and ammunition caches could be buried more deeply so as to help defeat metal detectors.
There are several other countermeasures you can take against inadvertent discovery, including salting the area with bits of metal such as old welding rod stubs, junk bolts and nuts or by transplanting thorny bushes to the cache area. In particular, look for non-food bearing thorny plants and go to great lengths to secrete the cache where it will be protected from the casual passerby due to the presence of these plants. A game camera is useful for observing any traffic in a proposed cache location.
In addition, the cache should not be located in an utility right-of-way. Future digging in a right-of-way for repair or increased service capacity should be expected and such excavation poses a direct threat to a cache. The same holds true for road right-of-ways and even unimproved public dirt roads will have right-of-ways located some distance from either side of the road itself.
So what should be done to preserve weapons and other equipment from rust and damage when placed in long term storage? The weapon should be zeroed at a known range and sighting data should be recorded. The weapon is then disassembled and all parts are carefully cleaned. The bolt face and/or revolver cylinder face should be scrubbed until all traces of carbon are removed. A 1/4″ diameter brass rod with one end flattened into a screwdriver shape is useful to scrape away carbon. Brass is a soft metal and won’t scratch harder weapon metals.
Then, the barrel bore is cleaned until it’s bright and shiny, lightly oiled and then set aside for a day. The following day, the bore is re-cleaned until no trace of carbon and/or fouling is detected; then the weapon can be coated with preservative. The remaining parts are carefully inspected, cleaned and coated with a preservative and the weapon is reassembled, leaving out a part or parts necessary to fire ammunition.
I generally wear linen gloves of the type favored by document examiners, rare and forensic, when cleaning and handling a weapon or its parts. This practice ensures no latent fingerprints will be left on the weapon that might cause rust and future owner/handler/shooter identification, should a third party discover the cache.
After the weapon is verified unloaded and with muzzle pointed in a safe direction, the trigger is pulled, releasing tension on the springs. For Mauser type bolt-action rifles, pull the trigger while closing the bolt. The weapon zero information is then recorded on a tag tied to the trigger guard and the weapon is placed in a Z Corr bag and set aside. Each magazine should be completely disassembled, cleaned, oiled with Barricade and placed in the bag.
An aluminum tin containing dried desiccant should be added to the protective bag and sealed. If a Z Corr vacuum bag is used, remove the air in the bag with a vacuum cleaner following manufacturer instructions. The zip lock seal on the vacuum bag is robust and may require a set of pliers for mechanical advantage when sealing.
The weapon and magazines (and telescopic sight if used) are now stored in their own protective environment with minimal moisture. This style bag should also serve to protect its contents from inadvertent water intrusion into the cache due to mechanical breach or seal failure.
Wearing document examiner gloves, carefully examine and wipe every round of ammunition and place inside an appropriately sized heavy gauge plastic bag. A tin of desiccant should be added to the bag before it’s impulse sealed. Repeat this process with subsequent lots of ammunition until all of the ammunition intended for the cache is bagged and sealed.
While you may be tempted to use a cheaper container (paper or cloth) of desiccant, remember that the purpose of the desiccant is to absorb moisture and by so doing, it will eventually wet the packaging material. If that material is in contact with metal or your ammunition, it may cause corrosion.
The higher quality aluminum desiccant containers won’t rust and the moist desiccant is contained within the can safely away from the preserved items. The last two items added to the cache should be a large container of desiccant and a bag or ruck with which to transport the cache contents.
To seal a Monovault cache, spread a coating of grease or silicon lube on the o-ring and place it in the groove around the lid. Screw the lid into the container using moderate force. Grease the inner circumference of the protective cap and place it over the lid. Wipe away any grease that may have squeezed out from under the cap.
Where the joint of the protective cap meets the vault body, wrap with several turns of high quality plastic electrician’s tape then overlay this tape with Gorilla tape. Wear appropriate gloves when handling the cache tube and particularly when taping as biological materials and latent fingerprints are easily transferred to adhesive tape.
Tie a six-foot length of polypropylene rope (highly resistant to water) to the circumferential notch just below the protective cap and wrap the remainder into the notch; tucking in the last wrap under the previous preventing it from unwinding. The purpose of this rope is to aid in recovery of the cache tube by tying a loop in the free end and placing it over a Hi-Lift jack tongue. The cache tube is now ready for clandestine burial.
The biggest threat to successful recovery of the long term cache isn’t inadvertent discovery by a third party, but simply forgetting where the cache was emplaced. Read that part again for emphasis.
Take a photo of the completed cache that’s ready to be covered. Take another photo from further away. Note at least three bearings from the cache to geologically and temporally invariant objects. If trees or large immovable rocks are in the area, measure the distance from the cache to at least three of these objects. If necessary, these distances and bearings can be easily encoded by doubling or transposition, but whatever mechanism is used, it should be unforgettable.
Reference trees can be notched on the side away from the cache and witness rocks can be marked with cold chisel. Be sure to photograph all reference objects from the cache. Plan a logical approach to the cache and shoot a bearing line along this approach. Photograph this approach both from the cache and from a logical point along the approach. Describe the cache location in writing along with each reference point and witness mark.
Draw a map of the relationship of the cache to references and witness marks. Your goal is to provide such a clear description of the cache location that an heir you’ve never met could locate it decades later. Transcribe the written description of the cache and its contents to an electronic document and drop in all photos, identifying each. Carefully recreate the hand drawn map of the cache on this reference sheet.
Revisit the cache seasonally and take photographs as appropriate. Incorporate these subsequent photographs into the cache description. An example of this can be seen in this PDF file. Laminating these cache location descriptors will keep them waterproof and aid their long life in the cache recovery tube.
If several caches are all located in a general area, you might wish to prepare a cache of recovery tools and equipment. These might include a short sharpshooter shovel, hand trowel, nylon tape measure, compass, gloves, a small tarp and copies of the relevant cache descriptive documents. This cache should be especially well hidden with the location indelibly marked in the mind as it holds the key to recovery of all other caches.
Deeply buried cache tubes designed for access through the upper end present unique challenges during recovery, especially if the cache is to be accessed and then resealed and left in place. Imagine a situation where the top end of the cache is two feet below the surface. If the cache tube is four feet long, the bottom of the cache will be six feet deep, rendering any loose small items in the bottom of the cache almost unrecoverable.
In many instances, these small items store best in a temperature equilibrium at the bottom of the cache tube (ammunition for example). A bag containing these small items with parachute cord tied to the hand grip of the bag and the other end to an item near the top of the tube is a most helpful aid to retrieve any small items and pre-packaged impulse sealed plastic bags of ammunition, which can be heavy.
Providing a yard or so of extra cordage per bag, loosely tie the free ends to the Z Corr long weapon bag in the area of the weapon pistol or hand grip and weapon body, just tight enough that it won’t slip down. Leaving extra cordage between the bag and weapon allows you to use the long weapon as an aid to pull up the small bags from the bottom of the tube. Alternatively, the free ends of the cord can be tied to a cleaning rod at the top of the cache.
During recovery of a Monovault cache, dig a 1.5 foot diameter hole, exposing the top end of the tube to a depth of about one foot below the top. If the cache tube is co-located near a thorny bush as recommended, a canvas tarp can provide protection from thorns. Dirt and debris entering an opened vertical cache tube is almost impossible to remove without removing the tube itself from the ground.
Digging a larger diameter access hole deeper than necessary is quite useful, as any debris knocked free during recovery will slide to the bottom of this deep hole and not into the bottom of the cache tube. A hole larger than the cache tube is also helpful when resealing the tube’s protective top with tape..
Plastic pipe presents unique challenges for caching. Over the decades, I’ve tried several methods including threaded end plugs, one end plug sealed only with grease, one end plug seated without sealer and RTV placed around the cap/PVC tube to seal against water and cementing both end caps to the tube.
When using two end caps and large diameter PVC tubing, sealing the second cap can be difficult. This is because as the cap seats on the PVC pipe, the volume inside the tube decreases which creates a high pressure that tends to force the cap off of the pipe. When sealing a cache with two caps, always use the slowest hardening agent possible in order to provide adequate time to seat the second cap.
The most waterproof and strongest PVC tube cache will have two cemented end caps. Unfortunately, recovery of items from inside the cache will likely involve a saw and at best, the PVC tube will require a new cap or union and hence will be either shorter or longer than it was initially.
However, PVC tubing caches are almost optimal for storing ammunition either loose or in US Military ammunition cans. The larger diameters will accept these ammunition cans that alone provide a great measure of protection and permit easy segregation by caliber. Whenever using a hermetically sealed cache, the contents should always be protected by desiccant.
The cut tube in the photo at the beginning of the article will easily hold 2,000 loose rounds of .223 Remington (similar to 5.56×45 Nato) and the larger uncapped tube will hold more than 5,000 loose rounds with both including a large can of desiccant. When two end caps are cemented onto a tube, a PVC tubing hand saw or similar will be necessary to access the contents.
Cache tubes can be backfilled with nitrogen for the very best in long term preservation. Nitrogen in pressurized bottles is available from welding supply dealers, along with threaded valve adapters and hose barbs. Nitrogen is an inert gas and will neither support combustion nor corrosion. However, it should never be used in enclosed or confined spaces, as it can cause asphyxiation by displacement of oxygen.
To backfill the cache tube with nitrogen, place the content-filled tube upright with the hose from the nitrogen bottle near the bottom of the tube. Open the valve on the bottle slightly until the hiss from releasing nitrogen is heard. Place a cover loosely on the open tube end so there’s only a little space around the hose. After a moment, hold a lit flame near the opening around the tube. When the fire extinguishes, the nitrogen has displaced almost all of the oxygen in the tube. Turn off the nitrogen bottle valve, remove the hose and promptly seal the cache tube. Desiccant should always be used in hermetically sealed caches, even when backfilled with nitrogen.
Threaded PVC end caps avoid the pressure seating issue when sealing, however those caps are uniformly thinner and weaker than the PVC tubing. This thinness greatly reduces the mechanical integrity of the cache. If a threaded cap is used on one end of the tube, it should be well greased before screwing into its adapter sleeve that’s cemented onto the PVC tube and the square wrench device should be turned inward for protection.
The outside adapter/cap interface should be coated by RTV or something similar as an additional barrier to water intrusion. Large diameter PVC tubing can be quite heavy, even when empty, so care should be taken not to rest the tube vertically on a cap not completely threaded into the adapter. When buried vertically, the threaded cap should be upright. Layer sand or sifted dirt on top of the cap for a depth of several inches.
This protects the thin cap from rocks. Additionally, a flat rock just larger than the diameter of the cache tube can be placed on top of the sand layer as a protection against hooves, etc.
Eight to twelve inch diameter PVC tubing is quite strong and unlike the Monovault, can be buried horizontally. Horizontal burial will help protect any threaded caps. Cut a piece of hardwood into a 2″ square section. This will fit into the square recess in the threaded end cap as an aid for tightening and removing. A one foot diameter PVC cache that’s four feet long will likely require several strong men to maneuver, as the cache and contents may weigh more than 300 pounds. For this reason alone, you should seriously consider the much lighter Monovault cache.
Like many of you, I’ve developed preferences for some brands and types of equipment. Having traveled this world depending upon only what I could carry with little or no hope of resupply, I eventually accumulated the very best quality and most dependable types of portable technology. Caching, which is the very act of preparing against future uncertainty and lack of availability, should include securing and preserving equipment that offers great dependability, long life and maximum utility.
Some of the items I specifically recommended for their characteristics described above, especially when it comes to caching, include:
M14/M1A Main Battle Rifle, Equipped with Leupold Telescopic Sight and Kill Flash Device.
Leupold tactical telescopic sights are among the best, especially when combined with their well designed accessories. These accessories include silent magnetic aluminum lens covers and in the recent past, a Plano (no magnification) lens, both clear and tinted for the very best in eye and objective lens protection. These have been discontinued but are still available in some places.
Both Leupold and Tenebraex make a great quality screw-on reticular objective lens obscurator, often called a kill flash device. A kill flash largely eliminates perceived muzzle flash (from the shooter’s perspective) while at the same time hiding specular reflection from the objective lens (sun reflection) from third party observers. Anyone shooting at night understands the effect of muzzle flash on night vision, so equipping all tactical telescopic sights with a kill flash device is essential. There are plenty of stories of would be snipers given away by the reflection of the sun from their telescopic sight, binoculars or spotting scope.
M4 Carbine or M1A SOCOM, Equipped with Dual Illuminated Trijicon ACOG.
Either rifle is well equipped with a dual illuminated Trijicon ACOG. Decay of radioactive tritium illuminates the Trijicon dual illuminated ACOG, as well as their handgun sights, so no batteries are required. The front post sight on the Springfield M1A (M14 action) SOCOM is illuminated by the same radioactive tritium.
Springfield Operator, Kimber, SIG P220 or P226 or Any of the Glocks.
Pistols should be equipped with Trijicon sights. Appropriate holsters should also be included in the cache.
Hearing Protection.
If the cached weapon(s) aren’t suppressed, then high quality hearing protection should also be included in the cache. This hearing protection should be both headset and earplug type, the latter being the most easily transportable. If eyeglasses are worn, then certainly a set of prescription eyeglasses (along with the prescription) should be included in the weapon cache.
Extra Magazines for Rifle and Pistol in a Chest Rig.
All ammunition for these magazine should be stored with desiccant sealed in plastic bags.
Cleaning Equipment, Spare Parts and Any Needed Maintenance Tools, like the Leatherman MUT.
Binoculars and Eye Protection.
If prescription eye protection is needed, Liberty Sports work great and if not, Revision Goggles are great.
Fire Starting Tools.
These include a magnifying lens, ferrocerium or magnesium rod fire starter and waterproof container of life boat matches.
Navigation Tools.
A good quality compass along with maps and/or charts of the area of operation.
Remember that caching weapons and ammunition is serious business. Extreme care should be taken to preclude such a cache from falling into the hands of a third party. Adults and children untrained in handling weapons may reasonably be expected to come to great accidental grief when discovering cached weapons. That burden will attach to the cache owner. Always deactivate cached weapons by removing a critical part. This action alone will reduce the potential for great grief and agony.
Editor-in-Chief’s Note: Steve V. retired from a tri-letter US Government organization and has been elected to the bench. He’s flown ski planes onto glaciers high in the Swiss Alps and landed in the grassy meadows on cliffs near La Dame Blanch; hunted lion and other dangerous game in the hot plains of equatorial East Africa, stag in Scotland and bear in the Aleutians. He’s peered into a cradle of mankind at Olduvai Gorge in the Great Rift Valley, danced with Maasai and walked with curiosity throughout much of the world.
There are many things to consider when looking into camouflage and today on Gear Tasting Radio, Bryan and Rob discuss the main factors involved in effective camo. While camouflage selection is regionally dependent, other factors determine whether you’ll blend in or stick out like a sore thumb.
In addition, we also answer a Question Over Coffee, dealing with the best fabrics to wear in a humid environment that sees a lot of rain.
During the last half of the 20th Century, the Fabrique Nationale FAL earned the nickname “the right arm of the free world” and became a symbol of the struggle against Communism. It’s little wonder why it earned that name. Name a war, revolution or revolt during the Cold War that involved the British Commonwealth, Western European nations, or their allies and you found the FAL in the hands of the soldiers fighting the battles.
Created in the years immediately after World War II, FN eventually produced 2 million FALs (Fusil Automatique Léger or “Light Automatic Rifle”) that were used by the militaries of more than 90 nations. At one time, the FAL was the official battle rifle of most NATO-member countries and was even considered by the United States.
In many ways, it was the West’s answer to the ubiquitous Kalashnikov. Albeit, an answer chambered to fire the heavier 7.62 x 51 mm NATO round instead of the AK’s 7.62 x 39 mm intermediate round.
A hard-hitting, reliable battle rifle, the FAL saw combat all over the planet. For example, consider the Six Day War in 1967. There’s a common misconception that the 9mm Uzi was the weapon of choice for the Israeli Defense Forces, but in reality, Israeli soldiers carried more FALs than Uzis when facing Egyptian, Jordanian and Syrian troops.
In addition, the FAL is practically synonymous with the 1982 Falklands War, due to both sides using the weapon. The Argentine Army carried the full-auto version of the FAL, while British troops had the semi-auto L1A1 Self-Loading Rifle model of the FAL. When captured Argentine troops surrendered their weapons, the British infantry and Royal Marines often retrieved the full-auto FALs so they could spray more lead at the enemy.
How the FAL saw the light of day is a story that combines the tactical realities emerging from World War II and the politics of who would lead who during the Cold War. American and British weapons experts clashed over what weapon soldiers should carry in the post-war world and they turned to the last war for answers.
The success of Nazi Germany’s innovative Sturmgewehr 44 assault rifle convinced ordnance officers and weapon designers that the era of the bolt-action battle rifle was dead and gone. Lighter cartridges in select-fire assault rifles captured the imagination of weapons designers.
Only the United States fielded a heavy caliber semi-auto battle rifle, which was the well-regarded M1 Garand .30-06. A weapon that General George S. Patton called “the greatest battle implement ever devised.” However, the future was a gun that fired full auto, which the Garand did not.
The other question was what caliber the rifle of the future be chambered in? As weapon designers on both sides of the Atlantic toyed with prototype battle rifles, the British tested a 7mm (.280-caliber) round in the new FAL and liked it. In the United States, the Army wanted to stick with the .30-caliber round, flatly stating that no other cartridge could hold its own on the battlefield.
With the formation of the new NATO alliance in 1949, Generals and civilian planners both talked of the necessity to standardize equipment, weapons and supplies, but there was little agreement among the experts. One thing was certain though, the British were impressed with the FAL and were willing to choose it over other weapons.
The FAL was deemed the superior firearm to competitors because it was easy to maintain, field strip and clean. It reassembled without special tools and it was a select-fire weapon that fired a lighter round. The “gravel bellied” U.S. generals would accept nothing but a .30-caliber weapon though, insisting on the superiority of a prototype called the T25, a forerunner of the M-14 that ended up being nothing more than a glorified Garand.
Soon, there was a “Battle of the Bullets” that went all the way up to both the White House and 10 Downing Street. President Harry Truman and Prime Minister Winston Churchill even held a mini-summit, where rumor has it they struck a quid pro quo; the U.S. would adopt the FAL as its main battle rifle if Britain backed NATO adopting the 7.62 x 51 mm round.
NATO did relent and end up adopting the round, but the U.S. ended up reneging and developed the M-14, which fired the NATO 7.62 mm cartridge. The new M-14 was officially adopted as the American Military’s main rifle.
However, in the end it didn’t matter to FN because NATO countries (including Britain) began snapping up the FAL chambered for the NATO adopted round.
Vietnam is often overlooked when it comes to places where the FAL proved a success. The weapon arrived there in the hands of Australian troops who fought as allies of the United States under the Southeast Asian Treaty Organization (SEATO).
More than 60,000 Aussies would serve in the Vietnam War from 1962 to 1972, including the 1st Battalion of the Royal Australian Regiment. More commonly known as 1RAR, soldiers in the regiment fought in many significant battles during the war’s escalation in the mid-1960s.
During those the engagements, they often faced well-equipped Viet Cong who carried new AK-47s supplied by the Communist Chinese and East Bloc nations. Despite its weight and size (the FAL is one of the longest battle rifles of the 20th Century), 1RAR’s troops considered their weapon well suited for jungle warfare.
The powerful NATO round would punch through thick foliage, killing their concealed VC opponents. It was also a far more reliable weapon than the early version of the M-16 issued to U.S. forces. The FAL rarely jammed or misfired, two problems that plagued the M-16 for years.
Many considered the combination of the FN FAL’s design and cartridge to be the quintessential pairing of battle rifle and bullet during the 20th Century. The FAL went into production in 1953 and FN continued to produce the rifle all the way until 1988. Meanwhile, the M-14 fell by the wayside as the main U.S. battle rifle within a few years; replaced by the M-16.
In the end, with millions of FALs manufactured and internationally distributed, the rifle played a large part in making the 7.62 x 51mm NATO round an overwhelming success.
Editor-in-Chief’s Note: Paul R. Huard writes about military history and military small arms for daily newspapers and online publications. He is based in Ashland, Oregon.
Our ITS Logo Morale Patch was the first patch we produced. While many variations have come and gone, we’re excited to release a new limited-edition colorway series.
The first two patches of this series are our Blaze Orange and Moonlight editions. Each edition is limited to a quantity of 250 and when they’re gone, they’re gone. Continue reading
This week on #THEITSLIFE, we were lucky to get an amazing tour of the Fort Worth Fire Department’s Station #2, which wouldn’t have been complete without sliding down the pole.
In addition, we provide a behind the scenes look at our overhead camera rig and Matt shows off some recent acquisitions in an Art Hut Update!
#THEITSLIFE offers a behind the scenes look at everything ITS. It’s a candid view of the ITS Crew and the shenanigans that take place on a daily basis.
Have you been to a fight where a hockey game broke out? On this episode of Ridiculous Dialogue, the crew discusses the hockey finals and why fighting needs to stay in the sport. Rob told us about his Dad’s new biker gang, which isn’t as scary as you might think.
No episode of Ridiculous Dialogue would be completely without some high brow toilet humor and this episode is no different! In addition to turds on a plane, we highlighted some other notable fecal moments in Internet history.
Today on Gear Tasting, Bryan goes over the “pocket tool” market and what’s available by breaking down the different features, functionality and form factors. You’ll also hear why we ultimately settled on the TPT as the best choice to offer in the ITS Store.
In addition on a Question Over Coffee, Bryan offers his thoughts on using GORUCK Ruck Plates in a plate carrier vs. a training vest to build cardio.
In each episode of Gear Tasting, Imminent Threat Solutions Editor-in-Chief Bryan Black answers your gear-related questions and shares his insight into what we’re currently evaluating at ITS HQ.
For more on the gear we review, check out our GEARCOM category here on ITS.
To have your gear related question answered on an upcoming episode, tweet us using the poundtag #GearTasting on Twitter.
In the 1980’s, computers slowly started to become a part of daily life for the general population. By the mid-1990’s, this was accelerated by the rapid adoption of the Internet by people outside the previous tight-knit circles of academia and scientific work.
Both of these factors saw the introduction of computer evidence in criminal cases because criminals, a subset of the population as a whole, were also starting to use computers in their daily lives. Whether those crimes were “computer crimes” or more traditional crimes, the trail of clues used by Law Enforcement and prosecution teams increasingly included digital evidence.
These days, electronic devices are a part of so many aspects of our lives, that the once tiny field of “digital forensics” has grown immensely. This growth has been both in personnel and in tools and services that provide capability to those personnel. However, many of the basic principles of the field remain the same.
In this article, we hope to cover a broad range of those principles, as well as get a little deeper “into the weeds” with some specific digital forensics tools at the disposal of forensic professionals today. While there may be a psychological association between “digital forensics” and “computer crime,” the reality is that computer-based evidence on non-computer crimes is plentiful. Whether it’s a photograph that proves possession of a stolen item, an email indicating an intent to commit a crime, or any other number of potential pieces of useful information.
In addition to the application of digital forensics in the prosecution of crimes, digital forensics also has widespread applications in the world of “E-Discovery” within corporate environments. An example of this use would be the examination of a parting employee’s computer, in order to search for violations of non-disclosure agreements, development of projects on company time, company resources that the parting employee maintains ownership of, or even the theft of patents and other intellectual property which the company might wish to contest.
In cases where a computer system has been breached, the primary goal of those charged with maintaining that system will be to get that system back up and running as soon as possible. Unfortunately, this can sometimes mean that evidence of the actual breach may be overwritten. It’s preferable, though not always possible, to replace a system that has been breached with a system that hasn’t been, or to make a block-by-block copy (dd is your friend) of the server to an external, removable drive before resolving the breach.
Once you’ve got a copy of the entire disk, you can remove the external drive and later analyze it (after you’ve made sure to put it in read-only mode) to see the exact state the intruder left it in, along with any evidence or trail the intruder may have left behind that might help determine their identity, motivation, or other useful information.
We won’t go too far down the incident response forensics rabbit hole now, as that’s an entirely separate discipline and our main goal here is just to cover some of the fundamentals, as well as to provide a glimpse of some of the modern tools and techniques of digital forensics.
An absolutely key principle of Digital Forensics is the preservation of evidence. As is the case with a physical crime scene, keeping things as the investigator finds them is of paramount importance. With a physical crime scene, an investigator may be looking for footprints of a suspect. If the crime scene is riddled with the footprints of careless officers or investigators, sorting those out in order to find only the footprints of a suspect can make the job of the investigator harder than it needs to be, or worse still, can actually obliterate evidence that existed before the crime scene was secured.
In much the same way, a search for digital evidence on a file system that allows writing by a user or operating system may inadvertently obliterate digital evidence that could prove crucial to the case. Another element to preserving evidence is establishing a chain of custody process. In Law Enforcement environments, this process most likely already exists and you need only learn to follow it.
In corporate environments, it may be less formal, though the benefits of establishing such a process should be obvious; doing so makes sure that the evidence you may produce for use in a court case can be reasonably proven not to have been tampered with at any point.
Active Data is made up of data like spreadsheets, word processing documents, inventories, application and operating system files.
Metadata is “data about data,” meaning file creation dates and times, file editing times, origin data and such.
Operating System Data is data created by the operating system, whether in log form, permissions details, web history data or authentication data (showing for instance, that a given user logged into a system at a given time).
Temporary Files contain data that’s saved by the operating system or by an application, without the user specifically requesting such a save operation. When you open a word processing application and type something out, even if you don’t deliberately save the file you’ve created, the application in question saves changes you make periodically to temporary or “cache” files.
Communications Data is any type of data pertaining to communications of any sort. This could be recorded data from Skype conversations, email, SMS messages, iMessages, Telegram logs or anything of that sort.
Residual Data is data that may have been deleted, but hasn’t actually been removed from the device by means of overwriting the space it used to occupy.
Slack Space is space on a drive that’s been allocated, but not necessarily used by a given file.
Backup Data is data obtained from backup files, whether compressed or uncompressed, that can be pulled out of backup copies and presented as evidence.
There are basically four phases or stages of a digital forensics examination; Evaluation, Collection, Analysis and Presentation. However, there are two processes which should really be considered in addition to those four stages. Readiness at the beginning (which is to say “preparation before an incident happens,” to include training and process definition) and Review, as part of a [Presentation > Review] loop. Generally, the end user of the presentation isn’t the same person that performs the evaluation.
In Law Enforcement applications, the digital forensics examiner provides a report to the prosecution team. In commercial applications, the examiner provides reports to legal or human resources teams. In both of these applications, the final consumer of the report should provide feedback to the examiner to either prune out unnecessary information in the report or go back and search for additional information that the end user thinks they may need.
Readiness: The “Readiness Stage” includes tool selection, training and policy implementation to maximize effectivity of any digital forensics examination. The best time to implement a policy to make sure auditing data exists is prior to an incident occurring. In commercial examinations, this includes making sure your corporate systems are logging and maintaining backups of data that may some day be pertinent if something requires a forensic examination.
This can be a policy that’s implemented on potential investigation targets, or a policy that sets network-level policies, like keeping logs of who performs LDAP lookups and from what IP address (or some other unique identifier per each lookup). In Law Enforcement forensic examinations, this would mean that tools to perform the analysis have already been selected and that personnel who would perform the investigations would be trained in the use of these tools, as well as the general principles of such an examination.
Evaluation: The Evaluation Stage is where environmental factors would be considered prior to the collection of evidence. If potential evidence is to be “live acquired,” or acquired “in the field,” the safety of a collection site should be considered ahead of time. In addition, the specifics of what should be collected should be determined, either on a case-by-case basis or as a matter of defining general and specific policy.
Collection: The Collection Stage is where data is “acquired.” Ideally, this is done in a controlled environment, but not all situations are ideal. Say a suspect is taken into custody in their own home and his or her computer or phone is found in an “unlocked state.” Let’s also say that person might be expected to be uncooperative in regard to providing his or her passcode or password. It may be expedient then to do a “live acquisition” of the drive while it’s still in an unlocked state. Barring the use of drive-level or user-level disk encryption, this can likely still be done after such a device is brought back into a controlled environment, but some pieces may not be fully retrievable.
Analysis: The analysis phase varies widely depending on the specifics of the case, but these days the first part of the analysis would be the feeding of drive images into the analysis software as evidence, followed by more refined searches for pertinent data by the forensic examiner.
Presentation: The final product of a digital forensic examination is a report. This is the case in Military/Intelligence operations, Law Enforcement operations and commercial operations. A solid final report will contain actionable or court-usable information, presented in a formal document, with all pertinent data and metadata preserved and ready for the end user.
Review: In Law Enforcement and commercial examinations, it’s important that the end user scrutinize the presentation, looking for any holes that may exist in the information, or weeding out any excess information that may not be necessary. With adjustments made, the Presentation stage happens again, followed by another review, until the final user of the report is satisfied with the contents of that report.
My first experience with digital forensics was in the mid 1990’s, wherein the organization I was employed by suspected that a particular employee had violated the acceptable use policies of the organization, by downloading and viewing pornography on his organization-owned workstation.
The basic process for performing the analysis was to clone the hard drive of the device to a read-only volume, after which I had to manually dig through the log files and subdirectories, searching for suspicious images and traffic. The process was painstaking and time-consuming, relying heavily on my own human speed of analysis. The longer I took investigating each nugget of potential evidence slowed down the overall process and in the end, I spent about three solid weeks combing through this user’s device, documenting a lot of information about any individual violation I was able to find.
These days, analysis software makes that process a lot less labor intensive. The basic process is the same; one first “acquires” a device by creating a block-by-block copy of the media, then makes sure that the copy is read-only, so that running analysis tools on the copy won’t tamper with the evidence contained on that copy. The acquisition tools now are significantly faster and more user-friendly, but what has seen the most improvement is the mass analysis of an acquired device.
Tools like Guidance Software’s Encase Forensic and BlackBag Technologies’ Blacklight allow the forensics examiner to add a device copy as evidence, after which the tools themselves run automated analysis processes in order to document every single file on the device. This includes not only the file data itself, but also the metadata, which contains all sorts of useful information, such as the date the file was created, the last time the file was modified, the original location from which the file was obtained (if it was copied from the Internet), the type of file, the author of the data, GPS location data, image resolution data and even a calculated value for the percentage of an image algorithmically determined to be “flesh”.
In Blacklight, each piece of data is cataloged with a unique hash value to describe that file, which allows the examiner to exclude duplicates of the same file, or search for multiple instances of the file. For Law Enforcement use, there’s even a database component which will compare file hashes to known pieces of evidence in other cases (particularly child pornography cases), thus reducing the amount of evidence of that nature that the examiner would have to personally inspect.
Both Encase Forensic and Blacklight thoroughly analyze the files found (and in OS X analysis, the sqlite databases that often contain information about files that no longer exist). It then categorizes them into different groupings, like “communications” (text messages, instant messaging application logs, email and the like), web browsing histories and caches, images and video files and “productivity” type data (for instance, word processing or spreadsheet data).
This allows the examiner to browse entire communication histories displayed in their preferred format (hex data, strings, or “Chat view,” in the case of text messages), as well as providing quantitative data on overall communications. For instance, in Blacklight you can see who the person communicated with the most, by what method and you can look at all text messages at once, or drill down to all text messages between the user and a specific contact they were in communication with.
In addition to analyzing the entire contents of an acquired device, Blacklight is able to analyze the data still in RAM of Windows devices. Both Blacklight and Forensic are able to perform analysis on iOS or Android devices, as well. Both also have the capability to “carve” files from sections of the drive that may still contain data the user may have deleted; provided the user didn’t overwrite the drive space with random other data.
On top of “carved files,” when analyzing pre-Windows 10 devices, Blacklight will catalog the “Volume Shadow Copies” of files. Even though a user may have deleted a live copy of a file they wanted to obscure, there are often additional copies of those files created by Windows and stored on the device.
Another interesting forensics vector is the analysis of iOS or Android backup files. Say a criminal has an iPad in addition to a Mac and they’ve synced their iPad to their Mac one or more times. Provided they didn’t encrypt the backup, Blacklight would be able to do a deep dive into the backup image created by iTunes and acquire all the data and associated metadata within that backup.
Both software tools can look at when external drives or devices were connected to the device acquired, with extensive details on those devices. If a user copied files that may be evidence onto a USB drive, evidence of that copy being made may be logged, as well as the manufacturer and serial number of the specific drive. Even if they renamed the drive, the specific identity of the drive is still able to be determined through the serial number. This can be hugely advantageous, as it enables crime scene processors to be directed to look for additional devices (USB drives, etc) that should be collected as evidence and analyzed in addition to the main device image itself.
Additionally, device analysis can determine connections or attempted connections to specific wireless networks. This includes not only wireless networks that the user may have intended to connect to, but also any other networks that may have attempted to establish connections with the imaged device.
Unless you’re interested in entering the field of digital forensics, your eyes may have already glazed over at this point in the article. So long as you obey the law and don’t commit crimes, you have nothing to worry about, right?
Wrong. The flaw in this theory is the supposition that only Law Enforcement, Military/Intelligence, or corporate information security people have access to the tools and knowledge described. In truth, a number of people have this knowledge and while they may not have the financial resources to legally purchase the analysis software described here, there are a fair number of free Open Source tools that can perform a number of similar functions.
What you should consider is just how much information about you is stored on your computer and how that information might not be something you want to share with everyone in the world. Every single electronic communication you engage in, every single web page you browse, every single file you create, even if you don’t save it; all of this is likely present on your personal computer. The passwords you store for your electronic banking, any photographs you took of your passport or your credit cards or your drivers license; all of it is on that drive.
Even the things you thought better of keeping and dragged to your trash can; all of that’s probably still there. Every WiFi network you happened to come within radio range of is documented. Every single USB drive you plopped into that USB port, complete with serial numbers and file histories, is there. Every photograph you took on your phone and for that matter, everything else you had on your phone, which you synced with your computer, is sitting there; ripe for the taking, in a .sparsebundle on your drive.
The digital evidence of your life is on that device and is most likely enough to establish your behavioral travel patterns and reconstruct a shockingly robust picture of what your day to day life consists of. All of that is just sitting there on your laptop.
Not only should you make sure you destroy any and all drives in any computers you decide to get rid of, you should also consider just how secure your device is when you leave it behind. Whether you’re just running into the convenience store and it’s sitting in a laptop bag on your passenger seat of your car, or you leave yourself logged in when you leave home for work, figuring that no one is going to break into your house while you’re gone.
There are things you can do to make that data harder to acquire and I’m not providing these suggestions with the hopes of enabling criminal use, but rather to help protect the law-abiding citizen from those with criminal intent. Encrypt your disk. Password protect your firmware. Use two-factor authentication whenever you can. Keep your system up-to-date. Don’t leave your user account password on a note stuck to the bottom of your computer. I’ve said these things before and they’re extremely important steps to take to protect yourself.
Are most criminals going to know how to assemble an entire life profile from the data on the laptop they yanked from your car with little more than some broken shards of spark plug? Probably not. However, it only takes one to significantly impact your day.
Editor-in-Chief’s Note: Matthew Sharp is a Plank Owner and Life Member at ITS and goes by the username “viator.” He lives in The People’s Republic of Northern California and enjoys long range shooting, carrying heavy objects great distances and fuzzy little puppies.
Whether it’s a nuclear winter or zombie apocalypse, Hollywood has many people believing they should be stockpiling things into a bomb shelter. This week on Gear Tasting Radio, Bryan and Rob discuss taking a realist’s perspective on long term prepping.
In addition to some of the gear they consider, the guys also discussed why your mindset and skills may be the most valuable tools you have when disaster strikes.
Shop the ITS Store for exclusive merchandise, equipment and hard to find tactical gear.
