Always wear cargo pants…

This is practical advice for a lot of situations, but particularly when I found myself at the SANS DFIR Summit and Forensics 508 this past June in a facilitator role. Never having volunteered for SANS before, I carefully packed my best tan and black dress pants and headed off to Austin. Once there, I realized quickly the need to be carrying around my own personal junk (wallet, cellphone, room key, SHINY NEW LETHAL FORENSICATOR COIN!!!) as well as all the stuff required for my day with SANS – pen, sharpie, yellow cards, etc) but for the most part had no pockets to carry it in. There were also a few times when I wished I had something like a small pocket knife for opening boxes but had to run and search for some scissors instead.

Now, to get all existential on you, I learned about a number of great forensic tools, some of which have similar functions (Mandiant Redline and Volatility) and some of which are unique (log2timeline).  As well, I learned to appreciate some of the basic skills that should be acquired prior to using these tools. I have only just begun my journey as a forensicator but it occurs to me that we should be prepared to handle an incident at a moment’s notice. That means we should be ready and wearing our metaphorical cargo pants packed with as many useful tools and skills as we can carry. Each incident is unique but having pre-packed “pockets” can help us react more nimbly and effectively.  For example, while having two tools that basically do the same thing may seem redundant, the skill part of the equation lies in knowing the tools well enough to understand that each tool may give you slightly different, but complimentary results to assist you in finding your answers. Some tools might seem intuitive to include but just like a pocket knife, may come in handy in ways you don’t expect. What if the MBR is corrupt on the drive you are working on and your usual go-to tools can’t see any partitions? Do you know enough about the basics of file partitions and where to start looking for them on a drive image using a common hex editor?  I do now, thanks to Rob Lee and SANS FOR508.

The point I’m trying to make (and I assure you I do have one) is that just like being a Scout, being prepared is the lesson I took home from SANS DFIR Summit 2012.  I am planning to practice new skills, find new tools and learn from and contribute to my new-found DFIR family until next year…when I will definitely be wearing cargo pants.


One Comment

  1. Google Chrome 20.0.1132.57 Google Chrome 20.0.1132.57 Windows 7 x64 Edition Windows 7 x64 Edition
    Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11

    Congrats on the RMO! Your point is perfect, and one that needs to be heard. There are some great tools out there, but none of them can do everything. I need to take FOR508 now so I can get the goods on the hex editor partition recovery!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.