My job is a busy one; much like everyone else I know. I work for a good company, have a very supportive boss and my team is amazing. But I would like more.
I work as an operational security analyst. That means that while my job includes Incident Response and a little bit of Digital Forensics, a great portion of it doesn’t. So how to I get better at DFIR? How do I learn new tools, get better at ones I already use and become the competent DFIR practitioner I want to be? These are a few ideas that I have and am using to get there.
This was new to me until early 2012. I have generally shunned social media for several years now and I am fairly certain I’m one of the only people in the world without a Facebook profile. I created a Twitter account last year and started “listening” to the feeds of some big names I had heard of in the DFIR field. Then I attended a conference and began following folks I met there. This led me to follow more people recommended or re-tweeted by them, and, like the shampoo commercial, so on and so on.
So aside from the social aspect, since you will be shocked to discover social media is not always used for pure research pursuits, Twitter has afforded me the opportunity to pick up on new tools being released or older ones being updated, ask questions of the Twitterverse if I run into a “learning opportunity” I can’t resolve myself, or find links to blogs, articles or news items that enhance my knowledge. Which leads me to…
I started with some of the “biggies” (Bruce Schneier, Richard Bejtlich, Brian Krebs). These should be considered a must on a DFIR analyst’s daily or weekly reading list. Good big picture overviews (and frequently ALOT more) of what is happening in our field by voices with the street-cred to back up their opinions. Next, I found some amazing blogs by DFIR community members who are either building new tools as they find a need for them (check out the amazing peeps behind Volatility, Plaso and Cuckoo) or writing posts about how they use existing tools in the course of their work. I’ve been helped out more than once by reading a step-by-step guide someone wrote that I was able to apply to work I was doing (System Forensics – Patrick Olsen or JIIR – Corey Harrell). I have lofty ambitions that one day my own blogging will be considered requisite reading for newbies to the field but I have miles to go before then, and several thousand tools to try out.
Virtualization and Open Source Tools
I might have said this before, but it bears repeating: I have a great and incredibly supportive boss.
I am currently building out a small but very functional security lab at my office (this may become a future blog) to help my team in our day to day work, but also to allow us to “play” with tools and technologies to become better than we are now.
I will be using virtual environments to make the most of the hardware we have, and taking advantage of the multitude of Open Source tools out there as our budget doesn’t stretch to commercial DFIR software (and besides, I like some of the Open Source stuff better).
But what about if you don’t have a great boss like me, you say? Well, the Open Source stuff is still the same price at home as it is when you use it in the lab at work. (Although we should try and support the creators of these tools if and when we can!) Secondhand hardware and a little ingenuity can a great little forensic workstation make. I turned my old Dell box at home into a virtual server which I run several virtual clients on. I also regularly acquire old hard drives from friends that may or may not have malware and run tools on them just for the learning of it (but please don’t tell my wife that the box labelled “car parts” in the garage is actually full of hard drives).
So you’re forensicating in your basement, and reading and blogging about your experiences but how else can you gain more exposure to the goodness that is DFIR?
Conferences and Volunteering
Training budgets are limited in any organization. We are lucky to receive any money at all some years, and most years we are limited to one training event or conference. So how do I get my boss to say yes? By taking advantage of the many volunteer or speaker opportunities that are available every year. Last year, I attended a 6-day course and the 2-day summit at the SANS DFIR Summit in Austin, TX. as I was lucky enough to be selected as a facilitator for both events. It was a tremendous experience and with all the great speakers I heard, I was inspired this year to look for opportunities to actually present at a conference. As we speak, I am flying down to attend the RSA Conference 2013 in San Francisco. This is a pretty big conference, and I wasn’t sure I actually had something presentation worthy to talk about as yet. However, I did have some questions I was curious about so I wrote a proposal for a Peer2Peer (P2P) session that was subsequently accepted and now I’m on my way to SFO with a full delegate pass in my hot little hands! I figure this is a great way to experience a (very) large conference at a price my boss couldn’t say no to, get my “presenting” feet wet by facilitating a P2P and take my next steps on the road to DFIR lethality.
To sum this up, there are quite a few articles written by folks smarter than me about how to break into the field and this post is just my take on my journey so far. If you liked it, let me know. If you have some ideas for me to take my journey farther, I’m all ears. If you want to meet my boss… BACK OFF AND GET YOUR OWN COOL BOSS!