Posts tagged ‘DFIR’

SANS DFIR Summit 2014 Slides

June 12, 2014

Here is a pdf of the deck I presented at the SANS DFIR Summit 2014 in Austin last week.

Check out all the great presentations from the Summit here.

The Road to Lethality

February 25, 2013

My job is a busy one; much like everyone else I know. I work for a good company, have a very supportive boss and my team is amazing. But I would like more.

I work as an operational security analyst. That means that while my job includes Incident Response and a little bit of Digital Forensics, a great portion of it doesn’t. So how do I get better at DFIR? How do I learn new tools, get better at the ones I already use and become the competent DFIR practitioner I want to be? These are a few ideas that I have and am using to get there.

Social Media

This was new to me until early 2012. I have generally shunned social media for several years now and I am fairly certain I’m one of the only people in the world without a Facebook profile. I created a Twitter account last year and started “listening” to the feeds of some big names I had heard of in the DFIR field. Then I attended a conference and began following folks I met there. This led me to follow more people recommended or re-tweeted by them, and, like the shampoo commercial, so on and so on.

So aside from the social aspect, since you will be shocked to discover social media is not always used for pure research pursuits, Twitter has afforded me the opportunity to pick up on new tools being released or older ones being updated, ask questions of the Twitterverse if I run into a “learning opportunity” I can’t resolve myself, or find links to blogs, articles or news items that enhance my knowledge. Which leads me to…

Industry/Peer Blogs

I started with some of the “biggies” (Bruce Schneier, Richard Bejtlich, Brian Krebs). These should be considered a must on a DFIR analyst’s daily or weekly reading list. Good big picture overviews (and frequently A LOT more) of what is happening in our field by voices with the street-cred to back up their opinions. Next, I found some amazing blogs by DFIR community members who are either building new tools as they find a need for them (check out the amazing peeps behind Volatility, Plaso and Cuckoo) or writing posts about how they use existing tools in the course of their work. I’ve been helped out more than once by reading a step-by-step guide someone wrote that I was able to apply to work I was doing (System Forensics – Patrick Olsen or JIIR – Corey Harrell). I have lofty ambitions that one day my own blogging will be considered requisite reading for newbies to the field, but I have miles to go before then, and several thousand tools to try out.

Virtualization and Open Source Tools

I might have said this before, but it bears repeating: I have a great and incredibly supportive boss.

I am currently building out a small but very functional security lab at my office (this may become a future blog) to help my team in our day to day work, but also to allow us to “play” with tools and technologies to become better than we are now.

I will be using virtual environments to make the most of the hardware we have, and taking advantage of the multitude of Open Source tools out there as our budget doesn’t stretch to commercial DFIR software (and besides, I like some of the Open Source stuff better).

But what about if you don’t have a great boss like me, you say? Well, the Open Source stuff is still the same price at home as it is when you use it in the lab at work. (Although we should try and support the creators of these tools if and when we can!) Secondhand hardware and a little ingenuity can a great little forensic workstation make. I turned my old Dell box at home into a virtual server which I run several virtual clients on. I also regularly acquire old hard drives from friends that may or may not have malware and run tools on them just for the learning of it (but please don’t tell my wife that the box labelled “car parts” in the garage is actually full of hard drives).

So you’re forensicating in your basement, and reading and blogging about your experiences but how else can you gain more exposure to the goodness that is DFIR?

Conferences and Volunteering

Training budgets are limited in any organization. We are lucky to receive any money at all some years, and most years we are limited to one training event or conference. So how do I get my boss to say yes? By taking advantage of the many volunteer or speaker opportunities that are available every year. Last year, I attended a 6-day course and the 2-day summit at the SANS DFIR Summit in Austin, TX, as I was lucky enough to be selected as a facilitator for both events. It was a tremendous experience and, with all the great speakers I heard, I was inspired this year to look for opportunities to actually present at a conference. As we speak, I am flying down to attend the RSA Conference 2013 in San Francisco. This is a pretty big conference, and I wasn’t sure I actually had something presentation-worthy to talk about as yet. However, I did have some questions I was curious about, so I wrote a proposal for a Peer2Peer (P2P) session that was subsequently accepted and now I’m on my way to SFO with a full delegate pass in my hot little hands! I figure this is a great way to experience a (very) large conference at a price my boss couldn’t say no to, get my “presenting” feet wet by facilitating a P2P and take my next steps on the road to DFIR lethality.

To sum this up, there are quite a few articles written by folks smarter than me about how to break into the field and this post is just my take on my journey so far. If you liked it, let me know. If you have some ideas for me to take my journey farther, I’m all ears. If you want to meet my boss… BACK OFF AND GET YOUR OWN COOL BOSS!


August 9, 2012

I recently embarked on my first solo analysis. To say I was nervous was an understatement, but I was determined to get it right. The case involved determining whether files on a rewritable DVD had been tampered with (edited or cut after first recorded); the files in question were MPEG and text files. Tools used were EnCase v6.18 and CD/DVD Inspector. I spent a number of rookie hours (like lethal forensicator hours but longer: 10 Rookie hours = 2 Lethal Forensicator hours) dissecting the DVD in both tools, bookmarking pertinent data, determining file creation, modified and last accessed dates, figuring out where the files in question started and ended on the disc and whether there was any indication they had been edited. I also spent a great deal of time researching the file system format (UDF) to make sure I had a good understanding of how and when the disc could be written to. This went on for a couple of days, at which time my boss asked for an update to give to the client. I rattled off my surely impressive analysis and research and, after some consideration, my boss’s only question was:

“Did you watch the video?”


“Uh…no… I was saving that for last…”

“Ok, sounds good so far. So watch the video and let me know, and then I’ll update the client.”

Wait?!?! Did he say I was doing good? YES!

[Insert fist pump moment]

And then I watched the video…

[Insert plane crash noise]

And discovered the content was not what I was expecting at all. The client had sent us the wrong DVD.

What did I learn?

1) Validate your evidence to ensure you have what you think you have… especially when you weren’t responsible for the collection.
2) Plan your analysis before you start. Figure out what steps have the greatest value and how they will lead into other steps.
3) Keep it simple, Stupid! In my case, nervousness over wanting to do well made me overlook the obvious.


This week I received another DVD from the client and the first thing I did was verify the files on the disc by watching the videos. Despite my slight embarrassment from my first run at this case, it was actually a great way to get all my anxiety out of the way. This time I was able to focus more on the case and the tools, and less on wondering if I was doing a good job. In the end, I was able to gather enough evidence to give the client an answer my boss and I were both confident with.

Always wear cargo pants…

July 17, 2012

This is practical advice for a lot of situations, but particularly when I found myself at the SANS DFIR Summit and Forensics 508 this past June in a facilitator role. Never having volunteered for SANS before, I carefully packed my best tan and black dress pants and headed off to Austin. Once there, I quickly realized the need to be carrying around my own personal junk (wallet, cellphone, room key, SHINY NEW LETHAL FORENSICATOR COIN!!!) as well as all the stuff required for my day with SANS (pen, sharpie, yellow cards, etc.), but for the most part had no pockets to carry it in. There were also a few times when I wished I had something like a small pocket knife for opening boxes but had to run and search for some scissors instead.

Now, to get all existential on you, I learned about a number of great forensic tools, some of which have similar functions (Mandiant Redline and Volatility) and some of which are unique (log2timeline). As well, I learned to appreciate some of the basic skills that should be acquired prior to using these tools. I have only just begun my journey as a forensicator, but it occurs to me that we should be prepared to handle an incident at a moment’s notice. That means we should be ready and wearing our metaphorical cargo pants packed with as many useful tools and skills as we can carry. Each incident is unique, but having pre-packed “pockets” can help us react more nimbly and effectively. For example, while having two tools that basically do the same thing may seem redundant, the skill part of the equation lies in knowing the tools well enough to understand that each tool may give you slightly different, but complementary, results to assist you in finding your answers. Some tools might not seem intuitive to include but, just like a pocket knife, may come in handy in ways you don’t expect. What if the MBR is corrupt on the drive you are working on and your usual go-to tools can’t see any partitions? Do you know enough about the basics of disk partitions and where to start looking for them on a drive image using a common hex editor? I do now, thanks to Rob Lee and SANS FOR508.

The point I’m trying to make (and I assure you I do have one) is that, just like being a Scout, being prepared is the lesson I took home from SANS DFIR Summit 2012. I am planning to practice new skills, find new tools and learn from and contribute to my new-found DFIR family until next year…when I will definitely be wearing cargo pants.