So You Want to Get into DFIR? Social Media Edition

Posting 365 days straight is a lot harder of a challenge than you would think! Even with scheduling, time just gets away from you. With this post, I wanted to at least give my own opinion on something that can have grave consequences for you as a DFIR specialist: social media. This was inspired by a post I saw on LinkedIn from a colleague who is a Senior Forensic Examiner within the public sector. I think many of us understand not to talk about cases that are ongoing. That is beaten into everyone at a very early stage. But what about your personal views and thoughts? That can get dicey, and naturally it is completely up to you what you do and say. I’m not here to judge or police it, as no one should be. While this is geared towards hopefully all my readers, there are differences in what is actually illegal for some to even post about. Public sector readers, go read your Hatch Act. Private sector readers, continue at your leisure!


Standard caveat: I’m not a lawyer (nor do I even remotely pretend to be one) and cannot give you any kind of guidance on what you should or should not post. Additionally, as always when posting things that are opinion based, these are my own thoughts and do not reflect those of my employers, past, present or future.


So if you’re in the United States, we are living in some interesting times right now. We have access to a swath of platforms to discuss things openly on, and yet it is being squandered on cat memes and gimmicky sales techniques from our friends. Tie in some questionable activity condoned by many of these platforms in the last year or so…and it just feels like we are not using it the best way possible. But here is what I want to say about all of this: remember that someone, or something, potentially has their fate in your hands. I know this seems gimmicky and something your legal team would say to you (and probably will), but you really need to take that seriously in your life. What you post anywhere (including your text messages) can come back to haunt you harshly. As you can imagine, this is really coming to a head, in my opinion, with the recent retirement of another Supreme Court justice here in the United States. Many within this field have been voicing concern and displeasure. I’m of the opinion that is not a good idea. If you think your text messages can’t be used against you, then you haven’t dealt with good lawyers yet, who know to pull all that information for their case. Yes, this is why I strongly advocate that your employer get you your own phone as well…and do nothing with it but work.

Or how about the nuggets in this article?

“Cases in which judges were disciplined for biased social media posts
Supplement to “Social Media and Judicial Ethics: Part I”
Judicial Conduct Reporter (Spring 2017)”

Yes, judges are naturally going to be held to higher standards than normal folks. But I am also of the opinion we should hold ourselves to the same level as the courts would hold themselves. So what does that mean? I understand this will be an unpopular opinion as well, but you need to just not engage in activity that could come back to haunt you 3-4 years from now. Don’t think it’ll happen?

Josh Allen takes responsibility for tweets sent as high schooler

Yeah, a recently drafted NFL player (who is currently 22 years old) had to take responsibility for tweets sent when he was 14-15 years old. You do not understand just how much time folks have on their hands until this type of stuff happens. One of the first things we were taught before going through moot court for certification was to Google your own name, so you could see what others would see if they were trying to figure out who you are. Do a little OSINT work on your own name and you can find those social media postings on Twitter, LinkedIn, or even Facebook relatively quickly.

Remember, the goal of opposing counsel in court is to discredit you if they cannot get the evidence thrown out!

So how are they going to do that? Varying ways, and it depends on their skill set as well. If your CV isn’t up to the task, they’ll probably just hit you on that. But if your CV is intact, they’ll do whatever they can to make you slip up. Yes, I have personally seen in court someone’s social media postings be called into question as a way of showing investigative bias. And if you think this doesn’t affect you because you’re private sector and rarely see your legal team, let alone a deposition, take a gander at Craig Bloch’s Corporate Investigative Template. Once again, leaving any bias you may have to the side is crucial. And to be honest, private sector is where this is much more of a problem in my eyes. You may not think your Twitter rant about a social issue will ever come up, but it certainly can. Even if it has nothing to do with the investigation, you will lose credibility. There is no denying that, and you must be aware of it.


This doesn’t even get into the juicy fact that I would imagine a majority of companies looking to employ people within our field are going to do their own due diligence on you. That most likely means that, beyond a background check, they are going to scour for every trace of your name. Once again OSINT comes back to bite you. Not to mention many companies out there openly promote software solutions that will do all of that for them. So say you put something up on Twitter 3 years ago about how the cops were corrupt in Making a Murderer on Netflix, and you are applying at a local law enforcement office. Don’t think that may come back to get ya a little bit? Or you think that women in the workplace are hazards to productivity…don’t think that might get your application thrown in the trash at a private sector company?

Naturally, two extreme examples. But I really hope it resonates with everyone that this is a serious endeavor. We are expected to conduct and hold ourselves to the highest standards within our field. You’re not applying to be a sales rep or marketing employee; you are applying to become a person who is going to be charged with making tough decisions that could have dire outcomes on a person’s life. Take it seriously is all I offer as my sage advice. Keep yourself out of the limelight and the social media mix by not getting involved with things that could be heavily controversial unless you TRULY believe that you can defend why you said it. Whether it be a lawyer or a hiring manager, you may have to defend whatever it may be.

So You Want to Get into DFIR? Private Sector Edition

So you’ve decided that public sector is just not for you. Nothing wrong with that! We just need to work on getting you ready for different suits. This is a different animal altogether! If you have a love for white collar issues, you’ll see there is no end to the work you can do. If you love threat hunting, this will be a joy!

What am I going to work? 

This is going to be entirely dependent on your company and most likely location as well. However, a good indication will be how involved digital forensics is with the legal entity of said company. You could be working things like HR complaints. You could be working complex white collar crime cases. At the very least, you’ll most likely be working intellectual property (IP) theft. All three are very important and will vary in how much of an operations tempo you’ll have working this stuff. I personally have found a newfound enjoyment in working white collar issues, for some odd reason. It must just be that I was done looking at evil images!

How do I get a job in it? 

Again, I caveat. There is a lot in play here, and my experience is probably more against the grain than what many would see. However, I would tell folks to move cautiously when trying to get into these roles. For some companies, this may be really easy to get into. Others, almost impossible for anyone with entry level experience. And entry level is who I am addressing this to. Those who have a 2 page resume with loads of certs and degrees and experience don’t need my help getting a job.

If you are just coming out of college with minimal IT experience (official IT experience, not helping grandma get her computer set up), I would almost urge folks to take a role on a SOC or in Legal IT at first. While I would always take on someone junior level to work with me and mentor them, it is a hard sell to most legal operations to have someone who could be roasted in a deposition or court based on minimal experience. If you can find a junior role doing this, I would just urge you to make sure the job isn’t eDiscovery in nature (aka just email) or button monkey (aka just push a button and let someone else look at the output). To me, that doesn’t seem fun, and this is a job you’re going to for 40+ hours a week!

Now if you go the SOC route, I think you’ll gain some useful experience if you really want to put the IR in DFIR. You’ll understand what hardware/software is in place at the company and can help make sure it is working like it should. Additionally, if the company is small enough, this is probably one of the best ways to get your foot in the door to build up a forensics position anyway! You’ll probably see these jobs posted as “Security Analyst.” It isn’t official unless analyst is in the name.

The Job Postings

Caveat as well: your experience may differ. I cannot foresee every company in the world. BUT. What I can provide is insight to hopefully make you the best candidate.

Things you’ll just need to have: a 4-year degree in some facet of IT. That can be IT Management, “Cyber Security”, Information Security, etc. The big thing here is employers are going to want to know that you have a more advanced understanding of technology than “push this button and get email.”

Certifications are iffy in my opinion, namely because HR doesn’t know what to ask for and hiring managers just copy and paste. But yes, things like the CISSP are always going to be a “shoo-in” for any IT application, since it is predominantly the only IT cert I swear HR employees know. Another issue with certs is they tend not to be cheap. Even as a big advocate for SANS, I cannot demand someone pay out of pocket for the cost of the courses. With that being said, seeing things like GCFE, GCFA, GCIH, GNFA, etc., is going to be intriguing to me, namely because I know how difficult those tests are. However, if this is for entry level forensics, if I see the CCE I am more likely to get these folks into an interview. I do not agree with how up-to-date the material is, but there are forensic techniques and processes there that are still very relevant. Hopefully in due time they’ll update it and I can start really championing this cert again.

The CFCE is another one that, if I see it, I’ll probably jump for joy. But it also isn’t cheap to take, and the process is pretty painful as well. I’m not really expecting many out of college to be taking this.

Job Experience

Optimally, having some semblance of IT security or legal knowledge is going to go the furthest. You want to establish to the hiring manager that you can do the job without hand holding and are not scared of lawyers. This can be anything from just blog reading to formal education.

Personally, that is it! Private sector has some great opportunities. You’ll find the jobs are probably pretty rare, but even if you get into IT security within a company, I think you’ll be able to pivot to doing digital forensics if that is your jam. Many just do not know how much money can be saved by keeping this role within the company as opposed to seeking a 3rd party.

So You Want to Get into DFIR? Public Sector Edition

So you’ve decided to go into the public sector for your digital forensics job? That is, you’ve passed the rigorous background checks and the long-awaited clearance background if you’re going to a Federal entity. Awesome! What you’ll probably see is that there is already some sort of training program in place to get you going. On top of that, you’ll be working closely with folks who have “seen it all, done it all.” How cool is that! But my word, they don’t let you touch anything!

Yes, depending on what agency you elect to go to, you are most likely in law enforcement as the reporting entity. And things like legal jurisdiction and the 4th Amendment are going to come up so much in your first couple of years that you’ll be able to recite the exact language to comply with them.

The Darker Side of Life

I’m not going to mince words here: this is the real reason why I said you need to have a good head on your shoulders and a strong moral conviction. You’re going to be seeing a lot of nasty stuff in your day-to-day activities.

John Irvine wrote about it in his blog, which can be found here.
And Lee Whitfield spoke about it at the DFIR Summit in 2015 here.

This is not a pretty world to be in. I feel that my time in the military, coordinating our wounded and deceased brothers and sisters in arms, prepared me very well for how to compartmentalize and leave this stuff at the office when I walked out the door. There will never be a time when you are not disgusted by it. And this isn’t just the dirty pictures. It is the videos of someone being beheaded. It is watching animal abuse. It is watching someone be literally buried alive. In fact, as one ICAC member told me, “if you ever reach a point in your career where it doesn’t disgust you what you’re seeing, it is time to find a new job.” You’ll never get used to seeing it. All I can offer from my experience is: keep a clear head, talk to someone if it starts to do anything to you mentally/physically/spiritually, and don’t beat yourself up too badly about it. Do not hesitate to seek help if you feel it is getting to be too much.

The Brighter Side of Life

Many of the cases you’re going to work will have a direct impact on someone’s life for the better. Many of these cases are crimes against someone or something. Finding the evil thing that was committed against them and watching the resolution and the closure they receive can be some of the most uplifting moments you’ll feel. They literally have to say nothing to you, but you will just know you did something amazing for them and changed their life. This is something that I just don’t truly see in the private sector world, because you are not going to interact with the kinds of cases you will if you’re working for a law enforcement agency.

Prepare for Court

Something both sides will deal with, but you’ll probably see this a whole lot more on the public sector side. Everything you do is going to be scrutinized. Heavily. After all, you are basically holding the fate of another person in your hands when you are working these cases. Court can be really stressful when you first start going. Try not to let it get to your head, as that stress can do some nasty stuff to you that you don’t need. Make sure you are prepping with your legal team and get feedback from your peers as well. And then do what I have always been told to do: “Just tell the truth.” It’ll be over before you know it!


To me, this will always be the way for someone who is starting out to go. You gain some much needed experience within the role, and your knowledge of how the legal system and investigations work will only make you that much stronger within this field. I don’t slight anyone who doesn’t take this approach; it isn’t for everyone, after all. I am just of the opinion that giving back to your city/state/country, even if it is only for a few years, is a noble service, and what you’ll get out of it will make you that much stronger of a candidate when/if you do head to private sector.

So you want to get into DFIR?

For this week, I felt the need to touch on things for those who are looking for their pathway into InfoSec, particularly Digital Forensics & Incident Response. So this will be a multi-part posting through the week, with each day covering a different aspect. My hope is that those who are looking to get into it will get something out of it, and that those within it may consider some things they had not yet…especially if you happen to be in a leadership role over these folks.

So as we go into this together, let me first give a shout out to Devon Ackerman, who graciously hosts my blog and also maintains a repository of darn near anything related to the field. Please see it for more information relating to classes, certs or CTFs.

The Basics

We need to shore up some stuff quickly first. I draw a distinct line between forensic examiners/analysts, incident responders and investigators. I do this as a matter of my own legal brain, as a method of separation of duties along with specific job roles for each of them. While many of us can do multiple roles, that comes with time and experience in my personal opinion. I’m also one of those folks who is a strong advocate of gaining some experience in other realms before jumping into InfoSec in general. This is a hard one for many and something a lot will disagree with me on. But my reasoning is that just because InfoSec has the sexy job titles right now (and the pay is usually higher) doesn’t mean that jumping right into it is advised. A lot can go wrong very quickly.


For me, the best pathway into digital forensics is through a solid education in Information Technology followed by forensics training. I am not a strong advocate of vendor certifications like AccessData’s ACE or even the EnCase EnCE as initial certifications. That is largely because those certs typically revolve around the tool and not the actual knowledge of digital forensics. They are great to show mastery of the tool in court, or to a future employer if that is their preferred tool, but have something else that really gets you into the weeds of forensics. If you were to ask me what the best course to take outside of academia is, I will be biased and say SANS FOR500. Simply put, there are a ton of people who contribute to the material of that course on an almost monthly basis to keep it updated and relevant. That is something I’ve not seen in other certifications out there that are widely praised. If you are doing practical analysis on a FAT12 floppy or a Windows XP machine, you’re doing it wrong.

Formal Education

As you’ll see from Devon’s website, there is starting to be much more focused training out there for digital forensics specifically. In my opinion, this is good and bad. It is good because the field is getting more recognition as being a legit IT field. It is bad because most of what you learned your first year will be irrelevant by the time you graduate. This is also my issue with US-based degrees. Many of them are not really teaching anything that you can’t just Google and learn from a YouTube video. Because software can be so expensive, they rely much more heavily on open source tools…many of which are completely outdated because the course material is not updated nearly as often as it needs to be. Herein lies the biggest issue, and something I’ve noticed is different in how other countries teach. Here, even learning the basics of interpreting hex is something that really does not get taught. One thing to look for when choosing a school is whether the program is certified by someone to be teaching it. If you’re in the United States, look for programs certified or sponsored by the NSA, DHS, Cyber Crime, Department of Defense, etc. These programs are at least audited by an outside entity for relevancy in the courseware. That beats just going some place and wasting money on courses that really don’t teach anything in the field.

Getting Experience – Public v. Private

This is where you’re really going to have two paths in front of you. Do you go private or public sector? I cannot make this decision for you. But what I can tell you is that some of the most memorable work I have ever done was during my public sector tenure. You’ll learn very quickly things that private sector, or even your courses, simply cannot teach. But you better have a good head on your shoulders and solid moral footing. More to come on this later in the week.

Private sector will offer its own challenges and experiences that you may never see in public sector as well. But they are much more in line with corporate strategy and hurdles. Instead of worrying about a person not providing you their PIN, you have to worry about GDPR regulations for an employee who lives in the States but is a citizen of Germany. This is why I normally suggest folks work either in Legal IT or as a SOC analyst before trying to get into digital forensics/incident response/investigations within a company. It gives you a much better understanding of the legalities out there, and protects you from your employer, or a lawyer, ripping you apart because you didn’t know what you were doing. But more to come on this as well during the week!

Stay tuned tomorrow for diving into Public Sector!

Preparing for a GIAC Test….This is not the CISSP

I’m late for the day! Largely because my city’s “summer festival” was last night and I was out with friends, so blame them…not me 🙂

This is a topic that has been touched on by others, such as my good friend Lesley in her article on making a good index for a GIAC exam. Lesley’s template is still something I use, only over the course of my cert attempts I’ve tweaked it ever so slightly to fit my own study habits. So don’t get it wrong! I find her advice to be very fitting; I’m just giving you Tony’s template. Also, I get that certs like CEH or CISSP are still highly sought after within the field and by employers. But I am also an advocate that brain dumping for a test typically doesn’t help a person later in their career after they’ve gotten the cert. Knowing how to keep doing something is much more meaningful to me. Hence why I am a strong advocate for GIAC certs over some of the others. People think these tests are easy…but I can promise you (especially if you’re a manager or employer reading this and doubt them) they are not easy tests given the constraints they put on them!

At the time of writing this, I have 7 GIAC certs (GCFA, GCIH, GPEN, GLEG, GMOB, GASF, GAWN), with hopefully another 3 or 4 coming this year. The GI Bill is something that is amazing! I’ve TA’ed for the mobile courses (SEC575, and FOR585 here shortly) and the Legal course. I’ve sat through multiple instances of many of the courses offered as well.

Disclaimer: Don’t ask me for my Indexes or what material is covered in the exams. I should not have to explain why.

So what about the tests? If you have not taken a GIAC test yet, I’ll give you a quick rundown. They are open book, open note, open textbook. You cannot bring electronics into the testing facility and you cannot bring copies of the test or any renditions of the test. This means if you violated GIAC’s notice while taking a practice test and took screenshots or anything of the test materials, you ain’t bringing that stuff with ya! The tests are going to range in length and time. I think GSEC is still the longest at 5 hours, and the shortest are 2 hours for an assortment of specialty ones. I think the standard for the most popular certs though is usually in the 3 hour, 115 question range. You can always go to the GIAC website and see exactly how long, how much time and, most importantly, what percentage you need to pass the test. It changes based on how many are passing/failing, so keep an eye on it if you’re waiting to take the cert! It may change for better or for worse.

First, the books themselves: 

So you took a SANS course, whether live or distance learning, and you’re sitting here staring at your probably 5-6 books…now what?

This feels like a daunting task after you’ve just listened to an instructor talk for probably 46 hours about this material! And you’re still trying to remember that info too!! Take a deep breath, it is going to be okay. Yes, within your books you probably have 1000+ slides of material. The worst part is, while you were listening to the instructor you probably didn’t really notice or read the notes portion of the material within the books.

But let’s even talk about that for a minute. If you are attending in person, I would almost urge you to only use the books if you fully intend to take notes while the instructor is talking. Otherwise, honestly, you are probably not going to spend a lot of time staring into these things while they are talking. You will be more engrossed in what they have on the slide on the projector, or their own stories of how running Metasploit on a customer resulted in crashing the whole web server. But again, that is just me. To me the most important book while taking the class is the workbook with the exercises in it. Don’t forget that one!

Now the course is over and you’re at home. You need to get three things before you start looking at the material:


These three things are going to be your best friend for about the next 2 weeks or so. Now, you are going to read the notes section of every single one of those slides. You are going to highlight any area within the slide that defines things like what a tool does, what an exploit does, what a concept or artifact is, etc. You are going to use the post-it flags to annotate things like tools, exploits, artifacts, etc. Yes, this is tedious. Yes, it will make your eyes hurt. But this is probably the most important thing that you can do. Even more than the index we will talk about shortly. Remember that the test is timed. In most cases you’ll average 90 seconds per question. If you are looking this stuff up feverishly, you will not have enough time. Period. Being able to use your memory is going to help out more than you know.

A “one read and mark pass” through 5 books will probably take you about 14 days if you make sure you are fully absorbing the information and annotating properly. Take. Your. Time. It will be super important shortly…

Do I need to know the Labs??

YES! You better know the ins and outs of the labs you are presented in the class. And no, I’m not just talking about looking at the answer portion of the labs and running through it quickly. Know what the tools are and what you are looking at. Know what it means. For example, if I were to give you a tcpdump output, could you determine what was going on just by looking at it? If not…you better go back to that portion of your class or do external research until you understand it. This will also come into play when we start talking about the index.

So what about this Index you keep talking about? I thought SANS provided one now? 

Yes, in almost every class you’ll get an index that SANS created. However, the reason the instructors and others push so hard for you to make your own is threefold.

Reason 1: It gets you into the material so YOU know where it is
Reason 2: Do you really want to trust something someone else made, given how often the materials for these courses change?
Reason 3: SANS does not make the GIAC tests

So yes, make sure you take theirs with you to the cert attempt, but do not rely on it to be your “end all, be all” index. It won’t be in your words, and there is a good chance it isn’t 100% accurate for page numbers.

The Index:

Time to make the index. Here is the thing before you start: you need to have a plan for this, because it is going to be more than just what book and page something is on. For the best way to do that, I would strongly urge you to use Lesley’s method of Excel, then import it into MS Word along with the rest of my suggestions for your index. Her way is just the best way to do it, so I’m not going to try and reinvent the wheel! You are going to break this thing down into sections, just like a research paper. Remember what I said at the beginning of this post: the tests are open note. You have free rein with what you wish to put into this thing, so long as it doesn’t violate the testing center’s or GIAC’s rules and code of conduct.

That is an example of my table of contents from one of the courses. And no, that was not all the pages for that one either. It actually went to 60. Now there is a method to the madness here. For starters, I barely even need to use an index when using this methodology, because I’ve been so deep into the material I just KNOW where the subject is within the books. At this point, you should have already 1) taken the course, 2) read through it once, 3) done the labs 2 or 3 more times and 4) gone through the books again to start making this index.

Again, remember these are your words and this is open note! So with my tcpdump example, if you are having a hard time remembering what the flags in the tool’s output mean, take a screenshot of an example, mark it up and put it in your index! You’ll always be able to refer to it this way. In fact, for classes that are command line heavy, I would say take a screenshot of the output of all those tools and have them in your index. You’ll find it MUCH quicker in this index than you will in the books. Remember, most of these SANS books are between 150-250 pages. Your index is going to be between 30-60 pages. Which one is quicker to go through when you’re on the clock?
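To make that tcpdump remark concrete (both the lab question earlier, “could you determine what was going on just by looking at it?”, and the flags-in-your-index suggestion here), below is an added example of mine, not course material and not part of Lesley’s template. It decodes the flag letters tcpdump prints in its TCP summary lines and follows each client-to-server connection through the handshake. The lines it parses are constructed to look like tcpdump output; they are not a real capture, and the regex only reads the timestamp, endpoints and flags, ignoring seq/ack/window fields.

```python
import re

# Constructed tcpdump-style TCP lines (made up for this example, not a real capture).
SAMPLE = """\
12:00:01.000123 IP 10.0.0.5.51234 > 192.168.1.10.80: Flags [S], seq 100, win 64240, length 0
12:00:01.000456 IP 192.168.1.10.80 > 10.0.0.5.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
12:00:01.000789 IP 10.0.0.5.51234 > 192.168.1.10.80: Flags [.], ack 201, win 502, length 0
12:00:01.001000 IP 10.0.0.5.51234 > 192.168.1.10.80: Flags [P.], seq 101:180, ack 201, win 502, length 79
12:00:02.000000 IP 10.0.0.5.51234 > 192.168.1.10.80: Flags [F.], seq 180, ack 500, win 502, length 0
12:00:03.000000 IP 10.0.0.5.51235 > 192.168.1.10.443: Flags [S], seq 300, win 64240, length 0
12:00:03.000100 IP 192.168.1.10.443 > 10.0.0.5.51235: Flags [R.], seq 0, ack 301, win 0, length 0
12:00:04.000000 IP 10.0.0.5.51236 > 192.168.1.10.22: Flags [S], seq 400, win 64240, length 0
"""

# tcpdump's single-letter flag notation: '.' is ACK, so "[S.]" is SYN+ACK.
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "F": "FIN",
              "R": "RST", "U": "URG", "E": "ECE", "W": "CWR"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def decode_flags(flag_field):
    """Expand 'S.' -> ['SYN', 'ACK']; unknown letters are kept, prefixed with '?'."""
    return [FLAG_NAMES.get(ch, "?" + ch) for ch in flag_field]


def parse_line(line):
    """Return a dict for a TCP summary line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = decode_flags(rec["flags"])
    return rec


def summarize(text):
    """Walk the lines in order and classify each client->server connection.

    States: syn_sent (only a SYN seen), syn_received (SYN/ACK came back),
    established (final ACK), closing (FIN after establishment),
    refused (RST answered the SYN), reset (RST later on).
    """
    state = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flags = set(rec["flags"])
        if "SYN" in flags and "ACK" not in flags:
            # A bare SYN opens a connection; the sender is the client.
            state.setdefault((rec["src"], rec["sport"], rec["dst"], rec["dport"]), "syn_sent")
            continue
        fwd = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        rev = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
        key = fwd if fwd in state else (rev if rev in state else None)
        if key is None:
            continue  # mid-stream traffic whose SYN is not in this sample
        from_server = key == rev
        cur = state[key]
        if "RST" in flags:
            state[key] = "refused" if (cur == "syn_sent" and from_server) else "reset"
        elif "SYN" in flags and from_server and cur == "syn_sent":
            state[key] = "syn_received"
        elif "ACK" in flags and not from_server and cur == "syn_received":
            state[key] = "established"
        elif "FIN" in flags and cur == "established":
            state[key] = "closing"
    return state


if __name__ == "__main__":
    for (client, cport, server, sport), status in summarize(SAMPLE).items():
        print(f"{client}:{cport} -> {server}:{sport}  {status}")
```

Reading it the way the lab wants you to: [S] answered by [S.] and then [.] is a completed three-way handshake, [S] answered by [R.] is a refused port, and a lone [S] with nothing back within the capture is filtered, unreachable, or simply cut off by the capture window. The flag letters are the same ones you would screenshot into the index; the decoder just makes you spell them out.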

Another thing to consider is to put definitions and specific artifact locations in one area of the index so they can be quickly referenced. Also, those cheat sheets they give ya (don’t forget those!) are typically online via the SANS portal, and you can just import them into MS Word and include them in your index! Easy peasy, and you don’t have to worry about forgetting them by accident. Additionally, if you’re having trouble remembering what a tool does, go find the man page online and add it to the index! I needed this for things like nmap, where there are about 100 different options to get results. And yes, it came in handy!

Okay, so you have the beta version of your index completed, now what?

Now is when you take the first practice test that GIAC provides to you. And here is where my ideology differs from many…don’t use your books at all. The point of this first practice test is to see what you actually know from the course and the material. You may fail it. But it is a practice test. Don’t stress out about this. Make sure you click to see the answer regardless of whether you answered right or wrong. If you end up guessing on a question, make sure you understand why you got it “lucky right” too. For whatever you get wrong, write a note about things to study. If you are seeing that your SQLi questions are always wrong, make a note that you may need to dig a little deeper into the material to understand it better. This will also help you get used to being under the timed test parameters.

Once you’ve completed the test, screenshot the results that show the stars indicating how well you did for each section of the syllabus, and close out your browser. Now it’s time to compare the syllabus from the GIAC site against your results on the areas you struggled with. Go back into the materials and make sure you hit those sections even harder in your index. Index every dang word that looks to be important or that you can recall from the practice test. Put new sections in your index on that material if you were getting something wrong because you couldn’t recall what you were looking at.

Practice Test 2: 

At this point your index should be pretty much shored up. Your books are annotated and highlighted. Now it is time to see how prepared you really are. Take this practice test with all your books and your index. Keep it set to show you the answer regardless of whether it is right or wrong, to help you understand why you got it wrong or why you got lucky right. Make notes on what you were deficient on. What you do after the test depends on your score. If you’re scoring around 80 percent on the test, you are probably okay to relax a bit and just brush up on some areas. If you’re below that, you’ll probably want to go back through the material and labs on those sections in much more depth to really shore yourself up. If you want to buy another practice test, you can for about $150 in your SANS portal. But I caution against leaning on that, as these are typically retired questions, so the odds you’ll see them on your test are going to be pretty darn rare. Don’t memorize answers to this, because it’ll only hurt you when you take the real thing.

So you’ve taken both tests and the index is ready! Now what?

Do yourself a favor and don’t just print this thing out at home and bring it loose-leaf to the testing center. If you’re in the States, go to UPS/FedEx/Kinkos or somewhere and have them actually bind it. I use UPS and it usually is about $20 to do a color copy of the index. The reasoning for this is that it’ll make it easier to carry and you won’t worry about losing something...and most importantly...you will always have a “quick reference” book at your workplace that doesn’t require you to dig through your 6 SANS books every time you are looking for an answer to a real-world situation.

And that is it folks! None of this is absolutely revolutionary, but it is something that I feel prepares you much better for these tests than just building an index and going in with that. You’ll understand the material so much better in my experience and it will make you so much stronger in your day jobs because of it. I wish you all the best of luck!

Command Line or: How I learned to stop relying on GUI interfaces and love the syntax

So this is a little later than I thought I would post this, but life gets in the way! This is something very near and dear to me for a specific reason: my mentor was extremely anti-GUI software. Not because he didn’t understand it (although he was about as G-Man as you could imagine), but because he felt that to really understand the data, you needed to get into the weeds. Most vendor software out there did not let the examiner/analyst/investigator (whatever you wanna call ourselves!) really cull the data in a way that allowed us to understand it on its own terms. I found this out the fun way while doing my GCFA gold paper. Many tools were only reporting the $STANDARD_INFO attribute and not even showing us the $FILE_NAME one. That last attribute holds temporal timestamps, according to Brian Carrier and many other people who are much smarter than me. Those are extremely important to those of us who may deal with cases of timestomping. Why? Well, that timestamp “may” not be changed and may still reflect the actual timestamps, at least for Creation. That is HUGE if a person were to roll back the time.
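To make the $STANDARD_INFORMATION versus $FILE_NAME point concrete, here is an added example; it is not code from this post, from Eric Zimmerman’s tools or from any vendor. It constructs a minimal MFT FILE record in memory, parses the timestamps out of both attributes, and flags the two classic inconsistencies that backdating $STANDARD_INFORMATION leaves behind: a $SI creation time earlier than the $FN creation time, and $SI timestamps with zeroed sub-second precision. The record layout, the file name notes.txt and the dates are constructed for the demo; update-sequence (fixup) handling is deliberately left out, so a real record read from disk needs its fixups applied before parsing.

```python
"""Compare $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps in an NTFS MFT record.

Added example for illustration, not code from the post or from any vendor tool.
The FILE record is constructed in memory; update-sequence (fixup) handling is
omitted, so a real record read from disk must have fixups applied first.
"""
import struct
from datetime import datetime, timedelta, timezone

ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIMESTAMP_NAMES = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # integer division of timedeltas keeps full precision (float would not)
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def iter_resident_attributes(record: bytes):
    """Yield (attribute type, content bytes) for each resident attribute."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    offset = struct.unpack_from("<H", record, 0x14)[0]   # first attribute offset
    while offset + 16 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, offset)
        if attr_type == ATTR_END or attr_len == 0:
            break
        if record[offset + 8] == 0:                       # resident flag
            content_len, content_off = struct.unpack_from("<IH", record, offset + 0x10)
            yield attr_type, record[offset + content_off: offset + content_off + content_len]
        offset += attr_len


def parse_timestamps(record: bytes) -> dict:
    """Return {"SI": {...}, "FN": {...}} with FILETIME integers; the first $FN wins."""
    result = {}
    for attr_type, content in iter_resident_attributes(record):
        if attr_type == ATTR_STANDARD_INFORMATION:
            result["SI"] = dict(zip(TIMESTAMP_NAMES, struct.unpack_from("<4Q", content, 0)))
        elif attr_type == ATTR_FILE_NAME and "FN" not in result:
            # $FN timestamps sit after the 8-byte parent directory reference
            result["FN"] = dict(zip(TIMESTAMP_NAMES, struct.unpack_from("<4Q", content, 8)))
    return result


def timestomp_indicators(ts: dict) -> list:
    """Heuristics that justify a closer look; none of them is proof on its own."""
    si, fn = ts.get("SI"), ts.get("FN")
    if si is None or fn is None:
        return ["missing $STANDARD_INFORMATION or $FILE_NAME"]
    findings = []
    if si["created"] < fn["created"]:
        findings.append("$SI created precedes $FN created")
    if any(v % 10_000_000 == 0 for v in si.values()):
        findings.append("$SI timestamp with zeroed sub-second precision")
    return findings


def build_record(si_times, fn_times, name="notes.txt") -> bytes:
    """Construct a minimal 1024-byte FILE record with one $SI and one $FN (no fixups)."""
    def attribute(attr_type, attr_id, content):
        total = 0x18 + len(content)
        total += (-total) % 8                                # attribute length is 8-byte aligned
        header = struct.pack("<IIBBHHHIHBB", attr_type, total, 0, 0, 0x18, 0,
                             attr_id, len(content), 0x18, 0, 0)
        return header + content + b"\x00" * (total - 0x18 - len(content))

    si = struct.pack("<4Q", *si_times) + struct.pack("<IIII", 0x20, 0, 0, 0)
    encoded = name.encode("utf-16-le")
    fn = (struct.pack("<Q", 5)                                # parent: root directory (MFT #5)
          + struct.pack("<4Q", *fn_times)
          + struct.pack("<QQII", 0, 0, 0x20, 0)              # sizes, flags, reparse tag
          + bytes([len(name), 3]) + encoded)                  # name length, Win32+DOS namespace
    body = (attribute(ATTR_STANDARD_INFORMATION, 0, si)
            + attribute(ATTR_FILE_NAME, 1, fn)
            + struct.pack("<I", ATTR_END))
    header = b"FILE" + struct.pack("<HHQHHHHIIQH", 0x30, 0, 0, 1, 1, 0x38, 1,
                                   0x38 + len(body), 1024, 0, 2)
    header += b"\x00" * (0x38 - len(header))
    return (header + body).ljust(1024, b"\x00")


def demo() -> dict:
    """Constructed scenario: file created 2018-03-10; in one copy $SI is backdated to 2015-01-01."""
    real = datetime_to_filetime(datetime(2018, 3, 10, 14, 22, 31, 123456, tzinfo=timezone.utc))
    fake = datetime_to_filetime(datetime(2015, 1, 1, tzinfo=timezone.utc))
    stomped = build_record((fake,) * 4, (real,) * 4)
    clean = build_record((real,) * 4, (real,) * 4)
    return {
        "stomped": timestomp_indicators(parse_timestamps(stomped)),
        "clean": timestomp_indicators(parse_timestamps(clean)),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "no indicators")
```

Running it reports both indicators for the backdated record and none for the clean one. Both checks are heuristics: whole-second timestamps also appear legitimately on files that came from FAT volumes or some archive formats, so they are a reason to pull the $FN values into your timeline, not a verdict.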

Now, my caveat. This is not a bash at any software vendor out there. In fact, I have always advocated for using many of those vendors for the quick triage, or if you are going to be giving the case over for someone to review. They won’t know what they may be looking at if you just dump out CLI information to them, depending on the information.

A little about me quickly as well. When I first got into forensics, I really didn’t know too much. My first Master’s didn’t really hit on a lot of things I would consider to be enlightening. We were not knee-deep into any type of software. So when I first got started, the command line really intimidated me. And remember, my mentor was very command-line savvy.

So where am I now? I could do almost everything on the command line for a DFIR case at this point. I will send the shout-outs at the end of the blog with links to those I do endorse as great folks to do business with and learn from.

Here is the reason for the change. Many of the best tools in my experience have been open source. Yes, AccessData and X-Ways are amazing when it comes to just pushing a button and letting the software do the work for ya. But it is a completely different realm when you can roll your sleeves up and do it all from a command line prompt and either get the same results, or maybe even more. For example, Eric Zimmerman, who is a SANS Instructor and a fellow mentor of mine, has designed some of the most comprehensive tools out there in my opinion for Windows analysis. And they are free. I’ve yet to honestly see a tool that will do what his tools do.

This is how you can save THOUSANDS of dollars in your office. And if I were to talk about one vendor that will charge ya, but is worth it: it is TZWorks. I will not post photos of the results of that tool because I have not checked with them in advance for permission, but I can attest to their accuracy and speed. They are great and very responsive to your requests.

And it goes without saying that the SANS SIFT is the bee’s knees. If you have not taken FOR508, you should! I don’t even care if you take the cert or not. But you’ll learn so much about what you can do in that VM environment that you could justify your training just by removing some of the software tools you’re relying on now. Not to mention that while FOR526 and FOR572 have some tweaks to that environment, it is all still pretty much the same at its core.

But here is the whole premise of this post: you don’t need to rely on some fancy GUI tool to do your job. We, as forensic folks, need to be able to understand what we are looking at. Things like ExifTool will tell you more about metadata than almost any other tool I’ve ever seen. Yet it’s free. The issue is that it feels like folks are afraid to use options to get the desired function. As such, I’ll most likely start with Eric’s tools and work down...but my goal is to help everyone feel much more comfortable as they walk around in the command line. I assure you, it is not nearly as scary as you think it is. And my hope is, by the end of the year EVERYONE who reads this is using the command line to do their investigations.

UPDATE 26/6/2018

I forgot to get the list in here of folks I owe a lot to for my command line affection! Because some of these folks are not actively blogging, I’ve elected to add their Twitter handles instead. These folks I consider integral to my ability to learn the command line, either through their own tools or their explanations of methods that can be done via commands much faster or cleaner than in GUI interfaces:

H. Carvey

Phil Hagen

Rob Lee

Eric Zimmerman

Dave Cowen

Jared Atkinson

Playing Nice in the Sandbox Together

Tell me how many of these you’ve heard of: Blue Team, Red Team, Purple Team, Green Team, Sprinkles Team

…okay that last one I just made up. Also, why doesn’t DFIR ever have its own “team?”

I’m not going to explain them all to you, but yes, these are in fact terms that describe the many facets of IT security in some way. In the mil days, they were a way of distinguishing who would be Good and who would be “Evil” when I was first hearing them. Now they have been indoctrinated into corporate life.

They are all integral to a company, but for some reason so much emphasis has been put on Red Teaming. Why? Ya, we all like to break things...but is it really that much better than doing DFIR work? In my opinion, it isn’t any better. But there is a big difference between those folks and us in DFIR.

Travel: It Is Not Just For Airline Status Pt. 2

In my last post, we were merely discussing things in the very early pre-planning stages. While much of that was most likely already known by the masses, it is still very important information for anyone who has never traveled abroad for business before. It is a different animal than when you do it for personal leisure.

For the continuation of this, we are going to look at what is in my carry-on bag when I am traveling to these places. While technology has changed, some things will always remain the same. Remember that you are most likely going to a location where you will be working anywhere from 8-16 hours a day while there. After all, they didn’t send you to another country to sightsee!

Back in the public sector days, I was always told to “over prepare” because what you will need may not be available when you need it the most. I still have this mantra but to be perfectly honest — things like write blockers and power strips are going in my checked bag. My carry-on is designed to be as lightweight as possible so it doesn’t feel like I’m carrying an 80 lb child on my back while walking from concourse A to concourse F in ATL (which by the way is about 1.5 miles).


Get a laptop that is going to be lightweight and be able to handle everything you’ll need it for while away from your lab computers. Does that mean you need a Dell Precision Laptop with 17″ screen and 64GB of RAM? Probably not. If you’re doing anything remotely that intensive, then you’ve got other nightmares to handle. I’ve never needed that much RAM or that big of a screen while working. Remember, lightweight. You are most likely bringing evidence back with you anyways.

So for me, it is a MacBook Pro that was built in early 2016. 1TB internal hard drive and 16GB of RAM. Just a plain old MacBook Pro. And it works. It does everything I need it to do. Namely because of the software that is installed on it, which is mostly within the VMs.


Oh yes, we wouldn’t be in digital forensics if we didn’t have to carry dongles around. Sigh. There are only 3 dongles I ever have with me: X-Ways, Cellebrite Physical Analyzer and BlackBag. Why just those three? X-Ways is super robust and if I am going to need a GUI to dig into a laptop or image, it is going to do it for me without needing a ton of resources. Physical Analyzer is still the de facto standard for cellphone acquisitions. When going to countries outside the United States, you just don’t know what you’re going to run into. Having this software is basically a foregone conclusion. Additionally, if you are still using Cellebrite Touch, ditch it and get 4PC already. For starters, it comes with Physical Analyzer within the dongle so you’ll be able to run both products from the same dongle. And most importantly it is one less bulky thing to have with you while traveling. We won’t even get into the discussion that Touch is running on an Intel Atom processor and is slow as all get out. Using 4PC/PA on your own laptop will allow you to collect and/or process MUCH faster. And BlackBag is my “in case of emergency” software since it runs on both Windows and macOS.

I’ve started to use Axiom a little bit more because the program allows me to send a license key to the VM so I do not need to authenticate with my license server. However, I’m still skittish for using it as a replacement for the above tools. Although the tool did work amazingly while I was in Argentina and Cellebrite wouldn’t dump an Android phone for some reason. Magnet’s Acquire software got me at least a dump of the phone, just missed the key file needed to decrypt a specific database sadly.


If you don’t have one of these cables in your bag, go buy 3 of them right now. If you’re private sector, you are already going to know what type of phones you will most likely be collecting, but this one cable alone almost wipes out the need to bring any of the Cellebrite cables, except possibly Cable 133.


Battery Packs

I typically travel with 2 of these things, depending on my travel time. The obvious reason for these is nothing new. They are great if you need to charge multiple phones at the same time, and are super slick if you’re in a place where you only have one international adapter and charging would require either no laptop power or no phone power. The one pictured here is the same one I own. It will last me all week keeping two iPhones charged the entire time. So this is perfect if you’re sitting in the back of a cab and your phone is eating away at your battery as you play Candy Crush to waste time till you arrive at your destination.

International Adapter

This is seriously something you just need to have in your bag and not your checked bag, in the event your luggage is lost (which, knock on wood, has never happened). This is basically going to be your lifeline for power. Make sure you have one that converts properly, as many countries have a little bit more power going to their outlets than the US does. That could mean you destroy your electronics if you’re not careful. Also, make sure you bring an adapter specific to your laptop maker. So if you have a MacBook, go get one from Apple. If you have a Dell, go get one from Dell. While your universal adapter will work just fine with your laptop — you and I both know that laptop is probably going to be the primary asset you’ll be using. It will make life easier to not have to get that adapter out every single time you want to use your laptop while traveling or sitting at the airport or hotel.


Thanks to Phil Hagen, I went and bought one of these and have been very impressed by it. The company is Rocketbook and here is their website. I’m not going super in-depth on it because there are videos for it, but you can reuse the paper within the notebook and it also has the capability to scan the pages and send them to a desired location (Cloud, OneNote, etc). This thing is absolutely perfect if you are drawing schematics or taking notes and sending them to your case notes for safekeeping. The fact you can get it in a pocket size is even more of a perk since it doesn’t take up a lot of space.

WiFi Adapter

This is more for my own fun than anything, but you never know when you may need it in a pinch. Typically I’ve only used it for scanning for hotspots when doing wireless assessments. It is lightweight enough that you won’t really notice you have it anyway. The one I have can be bought on Newegg.

Hard Drives

Normally I have just two of these things with me. I elected for hardware encryption over software since it is quicker to decrypt and doesn’t require me to install anything on a computer to use it. BitLocker is fine until you have to use FOSS to decrypt it on a Mac or Linux system. Save yourself a lot of stress and make sure you get USB 3.0 ones. Don’t just use regular hard drives with no encryption. I cannot stress this enough. You never know when your bag may be stolen, or worse, you are detained.


The last bit of stuff I typically bring is something that may not have crossed your mind. Things like Band-Aids, cough drops, aspirin, Tums, Pepto and sore throat drops. You will never know when you could come down with something, and the odds are low that you’ll be able to pick this stuff up right away if you’re in a place that doesn’t have stores nearby. I’ve been in some austere conditions and came down with traveler’s sickness (those who travel know what that means!) and thankfully I had something to help alleviate it.

As I’ve said, this isn’t meant to be the all-encompassing list of everything you would need for an engagement. But this is pretty much everything I need, whether it is foreign or domestic travel. My bag is light enough that I can wear it comfortably everywhere, and small enough that I can put it under the seat on the plane if need be.

Travel: It Is Not Just For Airline Status Pt. 1

I elected to make this my first “real” posting to not only elaborate on the amazing work of my friend Lesley’s post back in November, but to also provide my insight as someone who does it quite a bit. First, I’m not going into the “do’s and don’ts” of a particular region or how to have proper OPSEC. Your security folks should be properly preparing you if you’re going to austere conditions…not a blog. I will try to keep it as generic as I can, but let’s face it…I’m American and my experiences are going to be as such.

To get the caveats out of the way, I have lived in Europe for a number of years and I’ve been on 5 continents (6th coming this fall!). Many of the countries I have been to are not what I would consider to be “friendly” nations towards United States citizens. On top of that, many of these I visited in an official capacity, and I can only guess how many were watching me closely while we were walking through the park to the local coffee shop! Not fun, regardless of whether you want to believe you are in a Jason Bourne movie.

So you got your sweet new DFIR gig and the boss has just told you to get on a plane and head to Rio! You are excited but nervous at the same time. This is what you’ve always wanted to do after all, but you’ve never traveled outside the country...except that one time you went to Cancun, but your parents don’t know about that time.

Here is where I see a distinct difference between public and private sectors in the United States. When I was public sector, we had people whose job it was to prepare us for travel abroad. They got everything in line for us, including the most important thing: VISAS. I cannot stress this enough, regardless of where you reside as you read this: if you are going to be traveling outside of the country, the #2 thing you need to do is make sure you check on the type of visa you’ll need to gain entry to the country. And many do not just have a blanket one you sign up for and you’re golden. No, no, no! They’ll have one for tourism, business, or even conferences. Each one will have a different length of time, and speaking with Brazilian officials the last time I was down that way...you don’t ever want to get caught using the wrong one! Yes, I have 2 different visas for Brazil for that specific reason. Which one I present depends on my type of travel. Do not listen to coworkers who tell you to just use the conference visa (if it applies) to get into a country for 72 hours. Speaking with officials in India, if they even think you’re there for official business on that visa they will arrest you. The process to get one of these is not nearly as bad as you’d think it would be. The longest part is just waiting for your passport to be shipped back to you with the visa put inside of it. Additionally, make sure you check the expiration date of said visa when you receive it back. Some countries will only give you a 3 year pass, others 10. This will become important as you get older because you’ll need to present your old passport to customs officials if that visa is still valid. Hence why you’ll see folks carrying two passports with them. For those in the United States, please refer to the State Department’s site for more information relating to threats and visa requirements. It is a great resource and is updated daily by the US Government.

So that was the 2nd most important thing; what is the first? Well, the obvious...your passport.

When you are traveling abroad, this is your lifeline. Another country is not going to recognize your US driver’s license. They are not going to care about your Global Entry card. They are not going to care about your fishing license either. So don’t bring them with you. In fact, go on Amazon and get yourself a passport holder with RFID blocking and room for currency and credit cards and call it a day. It’ll cost you around $10-$20 and you can completely forget about bringing your wallet with you. Leave your Lowe’s rewards card at home and just bring the required cards you’ll need for your travel. For me that is my personal Amex, Visa and my company’s credit card. That is it. I don’t even bring my debit card with me while I travel. Depending on your length of stay, just take out a nominal amount of cash (hopefully your bank can support currency exchange; if not, get it before you get to your destination) and only use it when you absolutely have to.

So you have your Passport and Visa, now what? 

Speaking of Global Entry...GET IT.

You’ve probably seen these little things when you’ve traveled abroad. They are the wonderful machines that, if you’re Global Entry approved, you use to bypass the passport control line when you arrive in the United States. This is naturally just for US citizens, but I would encourage everyone to get on board and get this. It is $100 for 5 years and will also get you a Global Entry card (which you do not need to travel with), which can be used as a second form of ID. It also will get you TSA PreCheck (which is already $85 by itself). Many cards like Chase Sapphire Reserve also reimburse for this, so it is free. The last time I used it in Atlanta, a flight from South Africa had landed just before us. The line was about 300 people long. Because of those little machines, I was able to check back into the country, had my bags, and was through the ATL TSA checkpoint before that line even moved 40 people. Speaking with customs officials, it basically can save you anywhere from 1-3 hours at major hubs (e.g. JFK, ATL, LAX, etc).

So How Can I Make the Flight Better?

Assuming you are like me, you aren’t getting business class no matter how much you complain to your boss. Here is what you will find can be the absolute worst: the length of time in a plane. Not mincing words, you don’t want to be the person who has to sit in the middle seat for an 8 1/2 hour flight from Chicago to Frankfurt. So what can you do to make life a little easier? Honestly, this will go against many folks’ own convictions, but I would tell you to find an airline (which may or may not be the dominant airline at your airport) and stick with them and their partners. For me that is Delta and as such my Amex card is their credit card. Here is the large reason for this — if you are going to be traveling even 10% of the time, accruing miles for a specific airline will get you closer to status upgrades for better seats (and things like their lounges for free), but those miles can also be used to just flat out upgrade your seats. The last 3 times I’ve used miles to upgrade (Sao Paulo to Atlanta, Buenos Aires to Atlanta, Amsterdam to Minneapolis) the total was 40k miles each time for a leg that was anywhere from 8-11 hours long. Don’t think that matters?

This was business class from AMS to MSP back in 2015. It was the first time I was able to upgrade to these seats and it was well worth it. The fact that it lays out into a bed allowed me to actually sleep on the plane and arrive well rested and able to go about my business that day.

So, who am I?

Many are probably wondering who I am and if this is worth their own time. My hope is that it will be! To start, I won’t go into my background too much...if you want to know it you’ll probably be able to ask around to put the pieces together. Also, I’m not the kind of person who thinks degrees and certs make the person. Do I have those? Yes, I do. We will leave it at that.

My first, and probably only, claim to fame within the community has been the GCFA gold paper I wrote. It was the first time I really branched out and it was very worthwhile. I would encourage everyone to do that deeper dive research to further the field. How did I come up with this? It really came to be that I just didn’t understand how timestamps would reflect a file bouncing around a bunch of filesystems. And lo and behold, the paper wrote itself. Seriously...I had this thing written before I even submitted the idea to GIAC for the gold paper. That was just how easy it was!

That is my urging to you on this Sunday...find something you’re passionate about and start researching it! After speaking with many of our peers over the last weekend, I am going back to that paper and revising it. Namely to make it cleaner and much more visually friendly. So be on the lookout!