SANS SEC401 – Comprehensive Review

To get started in InfoSec, one must drink from the fire hose eventually

First, I want to apologize for the very late posts over the last month or so. My life has been a little chaotic bouncing between a few different things, and I went on holiday for a few weeks and was told no laptop :). But alas. For this post, I wanted to jump into something that has been very near and dear to me: SANS courses. I’ve done a lot of them…20 to be exact. This is something I am humbled by; various employers and military benefits put me through many of these classes. With that in mind, I want to pass on those courses I’ve taken recently in order to provide some semblance of reassurance (or not?) about whether the class is actually worth it to you and potentially your employer. Let’s face it, these are not cheap courses to attend. But there are reasons for that, which I will not get into now. Just realize there is a lot that goes on behind the scenes to keep SANS as the most up-to-date InfoSec training going full steam ahead.

With that said, the first course I wanted to touch on is the most foundational one SANS puts on. Yes, there is a 300-level course but I have not taken that…nor will I probably ever. But you may be asking then, “Tony, why did you take the 401 level course then?!” And I can tell you why: the SEC401 course is one of the 3-5 courses you must take in order to sit for the GIAC-GSE (Global Security Expert) certification. As such, because that cert renews all of your other certs from GIAC — it is something near and dear to me to obtain in order to save a serious amount of money.

So What is SEC401?

SEC401, or Security Essentials Bootcamp, is essentially a middle ground between CompTIA’s Security+ and ISC2’s SSCP certifications. Don’t be misled by the 400-series numbering convention though. This is a class you are going to learn from by fire hose. What you already know within Information Technology will dictate how well you are going to grasp some of this information as it is getting thrown at you. If you want to see a full listing of what you’ll learn, please click this link to redirect over to SANS and you can read what each day entails. Also note that SANS now tells you what the labs are for the class too! Extremely helpful if you want to see if a class is more lecture heavy or exercise heavy. Just note, this course/cert is just like the peer certifications I’ve mentioned above: you will learn a mile’s worth of information but you’ll only scratch the surface of what it really is. Meaning you will get a very concise overview of the specific topics and maybe a little in-depth depending on the instructor. Don’t expect to walk out and start dissecting TCP headers and writing Python scripts to parse the MFT.

A big thing to remember with this class: It is what SANS calls a Bootcamp. What does that mean? These are 10-11 hour days, not 8 like you get with something like FOR508 or even SEC560. That also means if you are attending in person, you will get a normal break around 1500 local time and that is it. When everyone else is packing up at 1700, you are going to be sitting in class still for another 2-3 hours. Tie in NetWars or Night Talks and you can seriously be in for a rough week. Plan your dinner accordingly and don’t be afraid to bring a few snacks (and caffeine) in with you in the afternoon. Oh and if that isn’t enough…this is SIX (yes 6!!) full days of course lecture. There is no Day 6 challenge. That means you are in class for close to 60 hours…be ready for that! 

Book 1 

Book 1 is going to get your feet wet in the deep end of the pool quicker than green IT/Management folks are going to probably want. In my opinion, the material is sound but the fact you are going over it in such a rapid succession can be overwhelming on the first day. I’m not going to regurgitate what SANS has already provided on their own website, but be prepared to go over things like Network Architecture/Topologies, Cloud Services, TCP/UDP and Wireless. This is the day you are going to find out if you are prepared for the material or not. Because it is only going to get harder as the week progresses on ya. I liken this day to ISC2’s SSCP in that multiple domains are covered from an IT Security standpoint. Meaning Sys Admins and others outside of say a SOC/CSIRT would gain immense benefits from this day. 

Book 2

Book 2 is what we would call a “Blue Team” book. It is all about Defense and Hardening. Things you’ll be going over consist of the Critical Controls that SANS is well-known for. Along with that you can expect to finally see the CIA triad (Confidentiality/Integrity/Availability) explained in-depth. This will scratch the surface for things like Active Directory/Domain Controllers + passwords. You’ll spend so much time on passwords and rules during this book that you’ll feel like a SME when you get back to your office. Lastly, the scary “APT” will be defined in-depth and specific examples will be covered. This is the book that most closely resembles what you would see in CompTIA’s Security+.

Book 3

By this point in the class, your head is going to be absolute jelly. Largely because you’ve just sat through 20 hours of lecture and you’re only going into the third day. But this is probably my favorite day out of the week as it is Threat Management. This is your Red Team introduction day. You’ll see tools like nmap and other vuln scanning type tools that can help an analyst understand what is going on within the network. The day is laden with Pen Testing examples and methodologies. 

The other half of the day is focused on Endpoint and Perimeter defenses, so Firewalls and HIDS/NIDS. Snort is looked at and given to the student to play with in a lab. This is largely because it is free and many of the other classes will focus on that software (SEC503 being the big one). 

Book 4

So if that isn’t enough, day 4 is the infamous cryptography day. What makes it infamous? Largely that you’ve now gone through 30 hours of course lecture and you STILL have 2 more days of this class. 

So half of this day is set aside for your Incident Response portion of the course. The other half is for all things crypto. For the IR side, it is looking at hashing/password cracking + stego. The crypto side goes in depth with things that will look familiar to anyone who has taken an IT college course or certification: Symmetric/Asymmetric, Public/Private Key, Full Disk Encryption, Certificate Authorities, etc. What you may not have seen from other courses is VPNs and GPG encryption. Largely, from what I’ve seen, other certifying bodies like CompTIA or Cisco do not focus heavily on those technologies.

Book 5

This is the largest book for the entire course. I just looked at mine and it was close to 400 pages. That is a lot of material. More so than most other 5 day courses combined! If you are a Sys Admin, or have played in a Sys Admin role before, this is going to be a very quick and easy day for you. If you have not been one, this is a day that will have you feverishly wanting to write notes. This is literally everything to do with Windows Security. Things like NTFS Permissions, Domain/Group Policies, Password Enforcement, Windows Firewall setup, AppLocker, etc. Seriously go look at the SANS syllabus and see what is all listed — extensive isn’t the word I would use for it! At the end of the day there is a claim to be going through Forensics. As someone who does forensics, this isn’t forensics so much as making sure proper logging is activated for Event Logs and other aspects of the machine in order to recreate an incident if you are compromised. This is a very essential day if you interact with Windows machines at all in your environment.


Book 6

Finally, the last book is on Linux Security. Shockingly, this is probably the one day that I think students get the MOST out of in the entire week. On the other 5 days, most folks probably know 1 or 2 of the modules through experience and/or research. This is an area where most folks just don’t have the “hands on” knowledge of how Linux works and its intricacies. This makes the day really beneficial in my opinion. It also is going to lay a great foundation of knowledge for anyone who plans on taking future SANS courses, regardless of Blue Team/Red Team/DFIR. Why? Well dang near every class comes with a Linux VM where you are doing things within it. This class is going to make sure YOU know what commands to use and where to go for certain types of files, which will make you successful in those classes and in the real world. It also will save you from the 2-3 hour bootcamp they give on Day 1 at any SANS Event where they crash course you through Linux to get you up to speed.

My Thoughts?

Overall, this is a great class for those who are just breaking into either IT Support or InfoSec. There is now a manager course that crash courses through most of this material, so if you are going to be a manager of an IT group — take that class instead. That is mentioned in the syllabus provided on the SANS website that I linked earlier. If you are someone who has 4+ years of experience or a Bachelor’s in this field already — much of this class is going to be trivial to you is my guess. That doesn’t mean you won’t learn something from it though! Heck, even I learned some good stuff in this course I didn’t know before taking it. But if you are planning on taking this more as an elective through your employer, I would tell you to probably find something different. If this class is required for you (DoD I’m looking at you…), then be ready to suck it up and get your thinking cap on.

Lastly, I feel I need to bring up the three different options that SANS provides for prospective students. Sometimes travel isn’t possible to a location where training is being put on, or duty calls and you’re not able to leave work because of something that is going to keep you in the office. 

LIVE: This is the type of training that almost everyone and their brother is going to tell you to take. Reasons always include: “you get to network,” “you get to do NetWars,” “you get to listen to Night Talks” and of course my favorite, “you get to go somewhere on the company’s dime!”

Overall, the live training is certainly worth it. However, networking is at your leisure, not SANS’s. If you are an introvert, it is going to be hard for you to really make new friends in this environment. While in class, you most likely are not talking to other students on break anyway. These are literally 8+ hour days of hard-nosed lecture from the foremost experts in the craft. Everyone is there for a crazy amount of money, so they are not going to interrupt or miss classes just to network and hopefully find a new job. The night talks are good, but most get published online as some form of webcast anyway. Just remember, you are on a schedule when you attend in person. You don’t get access to material online in the ways that the other methods provide.

Simulcast: Probably my favorite. You get the newest material being taught, can still watch the lecture as if you’re in class, ask questions in real-time and you can do it from pretty much anywhere. They use GoToMeeting as the method of transmission and it’s pretty decent if you’re in the region (North America, EMEA, APAC) that the course is being taught in. What makes this my favorite though is if you need to go do something else (or take a call) you can simply turn the speakers off and do whatever it is you need to do. Say you know a module pretty well; if you elect to, you can simply go do something else or work ahead. You’ll have the books after all. And you get those books, by the way, about a week earlier than the live students do. That means you can pretty much have gone through all the labs once or twice before the class has even started. And if you have issues with the labs at all, SANS has people available during the class (and after) to help you out with that.

OnDemand: Another favorite of mine, and my typical “go to” method of delivery. But why wouldn’t this be my favorite then? Well, Simulcasts are only available every so often and are specific to the classes. So say I want to take FOR508 but the next simulcast is in March 2019; I would have to wait until then to get into the simulcast. Whereas with OnDemand, you are going to get access to the material literally the day you purchase the course. You’ll get the books shipped to you just as you would with Simulcast and you’ll then get a new link on your SANS portal that gives you access to the OnDemand content. In there you’ll find your class. It is literally a breakdown of a real lecture that was taped at some point in that current year, broken down by module. This is fantastic if you already know the Snort material and want to skip that piece of the lecture, because now you can literally skip it. What makes this great for me is you can pick it up and leave it when things come up. You have 120 days of access to the material online and you can move at your own pace. I typically finish them in about 60 days. What makes it great too is you can always go back and relisten to material that you didn’t get. SANS also has SMEs available to help out dang near 24/7 if you have questions or get stuck on labs as well. This is quite possibly the best option out there if you want to save money on travel and do the class at your own pace so the fire hose learning isn’t nearly as daunting as it would be normally.

For this class, I would strongly advocate either Simulcast or OnDemand for it. Day 6 is the only day that is 8 hours. The rest are right around 10-11ish if the instructor is behind. That means you’re basically pushing 60 hours of class in a week. That is too much in my opinion. With the other 2, this gives you some more latitude to get up and move around or go and get food whenever you’re hungry/thirsty. With simulcast, you even get access to the recordings after the day is done as well. So if you need to step away for even a long duration, you can always go back and watch it later. 

Hope this helped anyone who may or may not have thought about taking this class!


Dissecting Official Reddit App, What Your Tools Don’t Tell You

Sometimes, Some Light Reversing is in Order!

Reddit in general

So this is probably not new to many of the readers of this blog: Reddit is kind of a big deal at this moment in its lifespan. For those who do not know though, Reddit is a social media platform that touts itself as the “Frontpage of the Internet”.

What makes this social media platform so much different than say Facebook or Twitter — is the platform is designed around mini sub-forums where like-minded folks can get together to discuss current event topics or other random thoughts. And just how many are there? And why is this little internet space considered a hot topic for your investigations?

As of 10 Jan 2018, there were 1.2 million subreddits. That was also 7 months ago…

How many members are currently on the site is quite unclear from what I could find. But the consensus appears to be that there are roughly 250 Million active users on the site at any given time.

Okay, so how does it work? 

For the longest time, Reddit did not require you to register with an email address. The thought and theory behind this was most likely 2-fold, even if they only thought of it subliminally. The first is that if they ever were breached there was minimal exposure of the user-base to directed attacks based on posts/topics being attributed to a specific person. This came to light 4 days ago when Reddit finally announced they had been breached and data from a 2007 dump was lost to the attacker(s).

Link To Reddit Article

The second was to keep the site anonymous if the user chose to, without fear of being exposed. The goal has always seemed to be for Reddit to maintain that Privacy Advocacy, as seen with recent movements with EFF, ACLU and directed lobbying attempts at issues such as Net Neutrality.

But now when you try to sign up….

You are greeted with this. So, now your user-base is required to use an email address to gain access to the site. What this means for investigative significance is tracking down all those emails that someone may be using. But what if the user never uses a computer? We, as a global society, are moving much more towards mobile convenience than being controlled by our desktop computer overlords. Additionally, there is nothing stopping any person from making multiple accounts and using them on different machines as well. And Hence…we have an App for that! 

Investigative Significance

It probably goes without saying. If you are talking about a forum where like minded individuals can get together to discuss current topics within a realm of comfort, you are going to get a better understanding of their psyche potentially during a specific moment in time. This may be something that is extremely relevant when profiling an individual on the Who, What, Why and How moments in the latter parts of your investigation. While Reddit has done a terrific job of trying to tame the beast that is over 1M subreddits with a user base that would put it in the Top 5 countries in the world…some things are going to fall through the cracks. 

Applications – iOS 

For the longest time, Reddit did not have its own dedicated app for download through either iTunes or through itself. This left a massive window of opportunity for would-be developers to build something that could be used to traverse Reddit and build up its own user-base. With the departure of one particular dev from the Alien Blue project, things started to go into motion that Reddit was finally building its own official app. And while there are still dozens of other 3rd party apps out there, Reddit having its own to endorse and push updates to makes it a game changer for those users who either: 

1. Only use 1st Party Apps
2. Don’t know about the 3rd Party Apps being available
3. Trust Reddit to secure their data over 3rd party 

So with this being said, I decided I wanted to look at the official Reddit app and see just how it is storing data. This project came to be via curiosity more so than anything. It was also incredibly alarming that one of the largest social media platforms out there right now has effectively ZERO support from 3 of the top mobile device forensic vendors out there. Let me say that again…ZERO. Meaning the only way you’re going to find this data while using these tools is with a Search Function that is scouring these files. Most likely the reasoning behind this, became hilarious to me as I was looking at the files. When we think of files for apps that will maintain data for an app, the first thing we think of are SQLite databases. But you’d be wrong if you thought that with these ones!  

That is right! We are looking at plist files! 

So Lets Break this down 

We definitely need to break this thing down! You’re going to see two different sets of files within the app: plist and sqlite. The SQLite databases, to my knowledge, do not appear to really bear anything fruitful within them. My take is they are not being actively used by the app to do anything, but are perhaps kept for use later on. My reasoning behind that hypothesis is that much of the other information that is user-related (e.g. subreddits subscribed to) is maintained within the plist files.

When you do an advanced logical acquisition of the phone and then dump out the “com.reddit.Reddit” folder, you’ll be greeted with two subfolders: Documents and Library. The Library folder maintains the Crash Analytics of the application, along with Twitter/IO folders that appear to have merely the database’s columns and rows, but really nothing of relevance within them. 

An interesting folder within the Library is /Library/ folder. This subfolder held a video file that I had saved through the app in the “offline” mode. The video was saved as a ftypisom file with header 20 66 74 79 70. First time I had seen one like that! 

Inside /Library/Cookies/Cookies.binarycookies is a plaintext view of websites that appear to have been visited by the user through clicking on hyperlinks within a specific thread of discussion. 

Outside of these two subfolders within Library, I do not see much more than artifacts relating specifically to the Reddit app and not to the user.

Onto the Meat and Potatoes 

This is where it will get a little more juicy. The /Documents folder is where the user data resides for all user accounts that have been logged into within the application. So I’m going to work backwards here, purely because of how much data there is in here. 


This is the location of a plist file that will show what videos have been saved into the cache of the app. So it ties directly back to the UserManagedAsset folder we saw in the /Library folder. Within there, you’ll uncover the filenames of the files that have been saved. There is one little nugget I wanted to share a screenshot of:

That time is what you would guess! Mach Absolute Time. Which, yes that roughly is around when I recalled playing that video for someone while at SANSFIRE in Washington DC. 


These appear to be events related to Reddit that a user would have clicked on to view. Within it, at about Line 578, you will hit the Reddit Username that was logged into the event. Curiously enough, my epoch time for one specific event was 1349812312000, which decodes to 9 October 2012. This is when Malala Yousafzai was shot 3 times in Pakistan, and was certainly an event I was monitoring. Strangely this would have been long before the official Reddit App was released. My own conclusion is this is information that is tied to your account and when you move to different devices is used to correlate to those events if you so choose to review them again. 


The moment we’ve all been waiting for. The accounts location. Within this folder you’ll see all accounts that have been used on the device, including an anonymous account. This anonymous account appears to be created so a user can traverse Reddit without being logged into an account. The other will appear as a hex number, so I’m not including it as I’m not sure if this will be the same for everyone. However, this is where all the user preference settings are stored, including when the account was created. It also lists if an email address has been supplied or if the person is even an employee of Reddit.

Line 75 is when we will start getting into the user information. This will provide the user ID.

Line 78 contains a mach absolute time of when the account was created

Other intriguing information pertains to things like NSFW banner popups and other restrictive content being blocked. While these may or may not be relevant to your matter, they are still of interest if you are investigating an individual who is suspected of creating a hostile work environment. 


This is probably the most interesting area within the userid folder. This is the location of all the subreddits that a user has gone to through the application. The most intriguing aspect in my opinion is it provides a cached view of what was in the sidebar area of the subreddit. Key areas of interest may be Line 42/43 where the NSFW boolean is located. Line 153 is where the string is located for what the subreddit is called along with its description.


This is the location of what appears to be actual threads opened by the user. Within the plist file is the subreddit information and title of the thread. There also appears to be a string underneath within this that is a reference point for what is termed cross-posts. Other intriguing information in here are file locations for what a user may be viewing from within the actual thread itself. There are also NSFW boolean locations within this as well, for if the thread has been deemed potentially offensive.


As far as the Reddit app itself goes, it is what you think it is going to be. Much of this information is within plaintext and plist files as opposed to SQLite. The only benefit for culling through a plist rather than sqlite is we are not needing to create SQL queries in order to compile the data together. You get what you get in these files. My amateur developing guess is, they found this to be the best way to create and maintain a stable application when they first designed it. If it ain’t broke, why fix it? The good news is, I cannot find the password at all in here so happy to report (as of now) that you cannot get the user password through the app at least. 

While this is not an overly encompassing look at the app itself, it is merely to point out there can be some very relevant information within this that your tools may not be catching. Things like UserIDs, creation of the account, varying posts/thread traversals are all there to help an investigator understand the person they may be looking into. This is also there to reaffirm the need to always validate your tools against what you are looking for within the data. All 3 of the major tools out there that I use do an immensely powerful job at culling through data and putting it in a friendly format that you can read and interpret. But there are so many apps out there that you cannot expect them to hit it all. Doing searches through the data may come up with information, but if you do not know what you’re looking for — can you really count on it to lead you down the right path as well? Only YOU are in control of what and how you investigate.

Reddit, Lets Talk About It

Sorry for the very long delay. Between heading out to DC to TA/Moderate the FOR585 class and work, it has been very chaotic! No excuse, but just very busy. One thing though that I have been working on has been reversing the Reddit App that came out about a year or so ago. Now, what really drew me to this is I’m not seeing a lot of support from the main forensic tools out there to parse this bad boy. So I’ll be posting up shortly what the iOS version of it looks like. Hopefully I’ll be able to get a parser created for everyone as well. But if not, a nice precursor is to get out your trusty plist viewer! Not much for databases here…and the data that resides there is pretty darn interesting!

Stay Tuned!

So You Want to Get into DFIR? Social Media Edition

Posting 365 days straight is definitely a lot harder of a challenge than you would think! Even with scheduling, time just gets away from you. With this blog, I wanted to at least give my own opinion on something that could have some grave consequences for you as a DFIR specialist: Social Media. This was inspired by a post I saw on LinkedIn from a colleague who is a Senior Forensic Examiner within the public sector. I think many of us understand not to talk about cases that are ongoing. That is beaten into everyone at a very early time. But what about your personal views and thoughts? That can get dicey and naturally it is completely up to you what you do and say. I’m not here to judge or police it, as no one should be. While this is geared towards hopefully all my readers, there are differences in what is actually illegal for some to even post about. Public Sector readers, go read your Hatch Act. Private Sector readers, continue at your leisure!


Standard Caveat, I’m not a lawyer (nor do I even remotely pretend to be one) and cannot give you any type of depiction of what you should or should not post. Additionally, as always mentioned when posting things that are of opinion based, these are my own thoughts and do not reflect those of my employers either now or in past and future.


So if you’re in the United States, we are living in some interesting times right now. We have access to a swath of platforms to discuss openly on, and yet it is being squandered on cat memes and gimmicky sales techniques from our friends. Tie in some questionable activity condoned by many of these platforms in the last year or so…and it just feels like we are not using it the best way possible. But here is what I want to say about all of this: remember that someone, or something, potentially has their fate in your hands. I know this seems gimmicky and something that your legal team would say to you (and probably will?), but you really need to take that seriously in your life. What you post anywhere (including your text messages) can come back to haunt you harshly. As you can imagine, this is really coming to a head in my opinion based on the recent retirement of another Supreme Court judge here in the United States. Many within this field have been voicing concern and displeasure. I’m of the opinion that is not a good idea. If you think your text messages can’t be used against you, then you haven’t dealt with good lawyers yet who know to pull all that information for their case. Yes, this is why I strongly advocate your employer get you your own phone as well…and do nothing with it but work.

Or how about the nuggets in this article?

“Cases in which judges were disciplined for biased social media posts
Supplement to “Social Media and Judicial Ethics: Part I”
Judicial Conduct Reporter (Spring 2017)”

Yes, judges are going to naturally be held to higher standards than what normal folks are going to get. But I am also of the opinion we should hold ourselves to the same level as the courts would themselves. So what does that mean? I understand this will be an unpopular opinion as well, but you need to just not engage in activity that could come back to haunt you 3-4 years from now. Don’t think it’ll happen?

Josh Allen takes responsibility for tweets sent as high schooler

Yeah, a recently drafted NFL player (who is 22 years old currently) had to take responsibility for tweets sent when he was 14-15 years old. You do not understand just how much time folks have on their hands until this type of stuff happens. One of the first things that was taught to us before going through moot court for certification was to Google your name, that way you could see what others would see if they were trying to figure out who you are. Do a little bit of OSINT work on your name and you can find those social media postings on Twitter, LinkedIn, or even Facebook relatively quickly.

Remember, the goal of an opposing counsel in court is to try and discredit you if they cannot get the evidence thrown out!!!!!

So how are they going to do that? Varying ways, and it depends on their skill set as well. If your CV isn’t up to task, they’ll probably just hit you on that. But if your CV is intact they’ll do whatever they can to make you slip up. Yes, I have personally seen in court someone’s social media postings be called into question as a method of displaying investigative bias. And if you think this doesn’t affect you because you’re private sector and rarely see your legal team, let alone a deposition, take a gander at Craig Bloch’s Corporate Investigative Template. Once again, leaving any bias you may have to the side is crucial. And to be honest, private sector is where this is much more of a problem in my eyes. You may not think your Twitter rant about a social issue will ever come up, but it certainly can. Even if it has nothing to do with the investigation, you will lose credibility. There is no denying that and you must be aware of this.


This also doesn’t even get into the juicy fact that I would imagine a majority of companies who are looking to employ those within our field are going to do their own due diligence on you. That most likely means that outside of just a background check, they are probably going to scour for every trace of your name. Once again OSINT comes back to bite you. Not to mention many companies out there openly promote software solutions that will do it all for them to find everything. So say you put something up on Twitter 3 years ago about how the cops were corrupt in the Making a Murderer program on Netflix and you are applying at a local law enforcement office. Don’t think that may come back to get ya a little bit? Or you think that women in the workplace are hazards to productivity…don’t think that might get your application thrown in the trash at a private sector company?

Naturally, 2 extreme examples. But I really hope it resonates with everyone that this is a serious endeavor. We are expected to conduct and uphold ourselves to the highest standards within our field. You’re not applying to be a Sales Rep or Marketing employee, you are applying to become a person who is going to be charged with making tough decisions that could have dire outcomes on a person’s life. Take it seriously is all I offer as my sage advice. Keep yourself out of the limelight and the social media mix by not getting involved with things that could be heavily controversial unless you TRULY believe that you can defend why you said it. Whether it be a lawyer or a hiring manager, you may have to defend whatever it may be.

So You Want to Get into DFIR? Private Sector Edition

So you’ve decided that public sector is just not for you. Nothing wrong with that! We just need to work on getting you ready for different suits. This is a different animal altogether! If you have a love for white collar issues, you’ll see there is no end to the work you can do. If you love threat hunting, this will be a joy!

What am I going to work? 

This is going to be entirely dependent on your company and most likely location as well. However, a good indication will be how involved digital forensics is within the Legal entity of said company. You could be working things like HR complaints. You could be working complex white collar crime cases. At the very least, you’ll most likely be working intellectual property (IP) theft. All three are very important and will range in how much of an operations tempo you’ll have by working this stuff. I personally have found a newfound enjoyment with working white collar issues for some odd reason. It must just be that I was done looking at evil images!

How do I get a job in it? 

Again, I caveat. There is a lot in play here. And my experience is probably more against the grain than what many would see. However, I would tell folks to move cautiously with trying to get into these roles. For some companies, this may be really easy to get into. For others, almost impossible for anyone with entry level experience. And that is the audience I am addressing here. Those who have a 2 page resume with loads of certs and degrees and experience don’t need my help getting a job.

If you are just coming out of college with minimal IT experience (like official IT experience, not helping grandma get her computer set up), I would almost urge folks to take a role on a SOC or in Legal IT at first. While I would always take on someone junior level to work with me and mentor them, it is a hard sell to most legal operations to have someone who could be roasted in a deposition or court based on minimal experience. If you can find a junior role doing this, I would just urge you to make sure the job isn’t eDiscovery in nature (aka, just email) or button monkey (aka, just push a button and let someone else look at the output). To me, that doesn’t seem fun — and this is a job you’re going to be doing for 40+ hours a week!

Now if you go the SOC route, I think you’ll gain some useful experience if you really want to put the IR in DFIR. You’ll understand what hardware/software are in place at the company and can help make sure it is working like it should be. Additionally, if the company is small enough, this is probably one of the best ways to get your foot in the door to build up a forensics position anyway! You’ll probably see these jobs posted as “Security Analyst.” It isn’t official unless analyst is in the name.

The Job Postings

Caveat as well: your experience may differ. I cannot foresee every company in the world. BUT. What I can provide is insight to hopefully make you the best candidate.

Things you’ll just need to have: a 4-year degree in some facet of IT. That can be IT Management, “Cyber Security”, Information Security, etc. The big thing here is employers are going to wanna know that you have a more advanced understanding of technology outside of “push this button and get email.”

Certifications are iffy in my opinion. Namely because HR doesn’t know what to ask for and hiring managers just copy and paste. But yes, things like CISSP are always going to be a “shoo-in” for any IT application since it is predominantly the only IT cert I swear HR employees know. Another issue with certs is they tend to not be very cheap. Even as a big advocate for SANS, I cannot demand someone pay out of pocket for the cost of the courses. With that being said, seeing things like GCFE, GCFA, GCIH, GNFA, etc, are going to be intriguing to me. Namely because I know how difficult those tests are. However, if this is for entry level type forensics, if I see the CCE I am more likely to get these folks into an interview. I do not agree with how up-to-date the material is, but there are forensic techniques and processes there that are still very relevant. Hopefully in due time, they’ll update and I can start really championing this cert again.

The CFCE is another one if I see I’ll probably jump for joy. But it also isn’t cheap to take and the process is pretty painful as well. I’m not really expecting many out of college to be taking this.

Job Experience

Optimally, having some semblance of IT Security or Legal knowledge is going to go the furthest. You want to establish to the hiring manager that you can do the job without hand holding and are not scared of lawyers. This can be anything from just blog reading to formal education.

Personally, that is it! Private Sector has some great opportunities to it. You’ll find the jobs probably pretty rare, but even if you get into IT Security within a company I think you’ll be able to pivot to doing Digital Forensics if that is your jam. Many just do not know how much money can be saved by keeping this role within the company as opposed to seeking a 3rd party.

So You Want to Get into DFIR? Public Sector Edition

So you’ve decided to go into the Public Sector for your Digital Forensics job? That is, you’ve passed the rigorous background checks and the long awaited clearance background if you’re going to a Federal entity. Awesome! What you’ll probably see is that you’ll already have some sort of training program put into place to get you going. On top of that you’ll be working closely with folks who have “seen it all, done it all” as well. How cool is that! But my word, they don’t let you touch anything!

Yes, depending on what agency you would elect to go to — you are most likely in law enforcement as the reporting entity. And things like legal jurisdiction and 4th Amendment are going to come up so much in your first couple years, you’ll be able to recite the exact language to comply with it.

The Darker Side of Life

I’m not going to mince words here: this is the real reason why I said you need to have a good head on your shoulders and a strong moral conviction. You’re going to be seeing a lot of nasty stuff in your day-to-day activities.

John Irvine wrote about it in his blog which can be found here.
And Lee Whitfield spoke about it at the DFIR Summit in 2015 here.

This is not a pretty world to be in. I feel that my time in the military and dealing with coordinating our wounded and deceased brothers and sisters in arms prepared me very well for how to compartmentalize and leave this stuff at the office when I walked out the door. There will never be a time when you are not disgusted by it. And this isn’t just the dirty pictures. It is the videos of someone being beheaded. It is watching animal abuse. It is watching someone be literally buried alive. In fact, as one ICAC member told me, “if you ever reach a point in your career where it doesn’t disgust you what you’re seeing, it is time to find a new job.” You’ll never get used to seeing it. All I can offer from my experience is keep a clear head, talk to someone if it starts to do anything to you mentally/physically/spiritually and don’t beat yourself up too badly about it. Do not hesitate to seek help if you feel it is getting to be too much.

The Brighter Side of Life

Many of the cases you’re going to work will have a direct impact on someone’s life for the better. Many of these cases are crimes against someone or something. Finding the evil thing that was committed against them and watching the resolution and the closure they receive can be some of the most uplifting moments you’ll feel. They literally have to say nothing to you, but you will just know you did something amazing for them and changed their life. This is something that I just don’t truly see in the private sector world because you are not going to interact with the kinds of cases you will if you’re working for law enforcement agency.

Prepare for Court

Something both sides will deal with, but you’ll probably see this a whole lot more on the public sector side. Everything you do is going to be scrutinized. Heavily. After all, you are basically holding the fate of another person in your hands when you are working these cases. Court can be really stressful when you first start going. Try to not let it get to your head, as that stress can do some nasty stuff to you that you don’t need. Make sure you are prepping with your legal team and get feedback from your peers as well. And then do what I have always been told to do: “Just tell the truth.” It’ll be over before you know it!

To me, this will always be the way for someone who is starting out to go. You gain some much needed experience within the role, and your knowledge of how the legal system and investigations work will only make you that much stronger of a person within this field. I don’t slight anyone who doesn’t take this approach; it isn’t for everyone after all. I am just of the opinion that giving back to your city/state/country, even if it is only for a few years, is a noble service, and what you’ll get out of it will just make you that much stronger of a candidate when/if you do head to private sector.

So you want to get into DFIR?

For this week, I felt the need to touch on things for those who are looking for their pathway towards InfoSec, particularly with Digital Forensics & Incident Response.  So this will be a multi-part posting through the week with each day a different aspect. My hope is those who are looking to get into it will get something out of it, and for those within it may consider some things they had not yet…especially if you happen to be in a leadership role over these folks.

So as we go into this together, let me first give a shout out to Devon Ackerman, who graciously hosts my blog and also maintains a repository of darn near anything related to the field. Please see his repository for more information relating to Classes, Certs or CTFs.

The Basics

We need to shore up some stuff quickly first. I delineate a distinct difference between Forensic Examiners/Analysts, Incident Responders and Investigations. I do this as a matter of my own legal brain, as a methodology of separation of duties along with specific job roles for each one of them. While many of us can do multiple roles, that comes with time and experience in my personal opinion. I’m also one of those folks who is a strong advocate of gaining some experience in other realms before jumping into InfoSec in general. This is a hard one for many and something a lot will disagree with me on. But my reasoning is that just because InfoSec has the sexy job titles right now (and the pay is usually higher) doesn’t mean that jumping right into it is advised. A lot can go wrong very quickly.

For me, the best pathway to getting into Digital Forensics is through a solid education in Information Technology and going through forensics training. I am not a strong advocate of vendor certifications like AccessData’s ACE or even EnCase’s EnCE as initial certifications. That is largely due to those certs typically revolving around the tool and not the actual knowledge of Digital Forensics. They are great to show mastery of the tool in court, or to a future employer if that is their preferred tool, but have something else that really gets you into the weeds of forensics. If you were to ask me what the best course to take outside of academia is, I will be biased and say SANS FOR500. Simply put, there are a ton of people who contribute to the material of that course on an almost monthly basis to keep it updated and relevant. Something I’ve not seen in other certifications out there that are widely praised. If you are doing practical analysis on a FAT12 floppy or a Windows XP machine, you’re doing it wrong.

Formal Education

As you’ll see from Devon’s website, there is starting to be much more focused training out there for digital forensics specifically. In my opinion, this is good and bad. It is good because the field is getting more recognition out there as being a legit IT field. It is bad because most of what you learned your first year will be irrelevant by the time you’ve graduated. This is also my issue with the US-based degrees. Many of them are not really teaching anything that you can’t just Google and learn from a YouTube video. Because software can be so expensive, they rely much more heavily on using open source tools…many of which are completely outdated because the course material is not updated nearly as often as it needs to be. Herein lies the biggest issue and something that I’ve noticed as the difference between how other countries teach it. Here, even learning the basics of interpreting hex is something that really does not get taught. One thing to look for when determining a school is whether they are certified by someone to be teaching it. Look for things like the program being certified or sponsored by the NSA, DHS, Cyber Crime, Department of Defense, etc, if you’re in the United States. These programs are at least audited by an outside entity for relevancy in the courseware. Beats just going some place and wasting money on courses that really don’t teach anything in the field.

Getting Experience – Public v. Private

This is where you’re going to really have two paths in front of you. Do you go Private or Public sector? I cannot make this decision for you. But what I can tell you is that some of the most memorable work I have ever done was under my public sector tenure. You’ll learn very quickly things that private sector, or even your courses, cannot simply teach. But you better have a good head on your shoulders and solid moral footing. More to come on this later in the week.

Private sector will offer its own challenges and experiences that you may never see in public sector as well. But they are much more in line with corporate strategy and hurdles. Instead of worrying about a person not providing you their PIN, you have to worry about GDPR regulations for an employee who lives in the states but is a citizen of Germany. This is why I normally suggest folks work either with Legal IT or as a SOC analyst before trying to get into digital forensics/incident response/investigations within a company. It gives you a much better understanding of the legalities out there and protects you from your employer, or a lawyer, ripping you apart for not knowing what you’re doing. But more to come on this as well during the week!

Stay tuned tomorrow for diving into Public Sector!

Preparing for a GIAC Test….This is not the CISSP

I’m late for the day! Largely because my city’s “summer festival” was last night and I was out with friends, so blame them…not me 🙂

This is a topic that has been touched on by others such as my good friend Lesley in her article with respect to making a good index for a GIAC exam. Lesley’s template is still something I use, only over the course of my cert attempts I’ve tweaked it ever so slightly to fit into my own study habits. So don’t get it wrong! I find her advice to be very fitting, I’m just giving you Tony’s template. Also, I get that certs like CEH or CISSP are still highly sought after within the field and by employers. But I am also an advocate that brain dumping for a test typically doesn’t help a person later in their career after they’ve gotten a cert. Knowing how to continue doing something is much more meaningful to me. Hence why I am a strong advocate for GIAC certs over some of the others. People think these tests are easy…but I can promise you (especially if you’re a manager or employer reading this and doubt them) they are not easy tests when you put the confines they have on it!

At the time of writing this, I have 7 GIAC certs (GCFA, GCIH, GPEN, GLEG, GMOB, GASF, GAWN) with hopefully another 3 or 4 coming this year. GI Bill is something that is amazing! I’ve TA’ed for the mobile courses (SEC575 and FOR585 here shortly) and the Legal course. I’ve sat for multiple instances for many of the courses offered as well.

Disclaimer: Don’t ask me for my Indexes or what material is covered in the exams. I should not have to explain why.

So what about the tests? If you have not taken the GIAC tests yet, I’ll give you a quick rundown. They are open book, open note, open text book. You cannot bring electronics into the testing facility and you cannot bring copies of the test or any renditions of the test. This means if you violated GIAC’s notice while taking a practice test and took screenshots or anything of the test materials — you ain’t bringing that stuff with ya! The tests are going to range in length and time. I think GSEC is still the longest at 5 hours and the shortest being 2 hours for an assortment of specialty ones. I think the standard for the most popular certs though is usually in the 3 hour, 115 question range. You can always go to the GIAC website though and see exactly how long, how much time and most importantly, what you need percentage wise to pass the test. It changes based on how many are passing/failing, so keep an eye on it if you’re waiting to take the cert! It may change for better or for worse.

First, the books themselves: 

So you took a SANS course, whether live or distance learning, and you’re sitting here staring at your probably 5-6 books…now what?

This feels like a daunting task after you’ve just listened to an instructor talk for probably 46 hours about this material! And you’re still trying to remember that info too!! Take a deep breath, it is going to be okay! Yes, within your books you probably have about 1000+ slides with material on it. The worst part is, while you were listening to the instructor you probably didn’t really notice or read the notes portion to the material within the books.

But let’s even talk about that for a minute. If you are attending in person, I would almost urge you to only use the books if you fully intend to take notes while the instructor is talking. Otherwise, honestly — you are probably not going to spend a lot of time staring into these things while they are talking. You will be more engrossed in what they have on the slide on a projector or their own stories of how running Metasploit on a customer resulted in crashing the whole web server. But again, that is just me. To me the most important book while taking the class is the Workbook that has the exercises in it. Don’t forget that one!

Now the course is over and you’re at home. You need to get three things before you start looking at the material:

These three things are going to be your best friend for about the next 2 weeks or so. Now, you are going to read all the notes sections to every single one of those slides. You are going to highlight any area within the slide that is defining out things like what a tool does, what an exploit does, what a concept or artifact is, etc. You are going to use the post-it flags to annotate things like Tools, Exploits, Artifacts, etc. Yes, this is tedious. Yes it will make your eyes hurt. But this is probably the most important thing that you can do. Even more than the index we will talk about here shortly. Remember, that the test is timed. In most cases you’ll average 90 seconds per question. If you are looking this stuff up feverishly, you will not have enough time. Period. Being able to use your memory is going to help out more than you know.

Average time to go through 5 books in a “one read and mark pass” will probably take you about 14 days to make sure you are fully absorbing the information and annotating properly. Take. Your. Time. It will be super important here shortly…

Do I need to know the Labs??

YES! You better know the in’s and out’s of the labs you are presented in the class. And no, I’m not just talking about looking at the answer portion of the labs and running through it quick. Know what the tools are and what you are looking at. Know what it means. For example, if I were to give you a tcpdump output, could you determine what was going on just by looking at it? If not…you better go back to that portion of your class or do external research to have it understood. This will also come into play when we start talking about the index.

So what about this Index you keep talking about? I thought SANS provided one now? 

Yes, in almost every class you’ll get an index that SANS created. However, the reason the instructors and others push so hard for you to make your own is a 3-fold reason.

Reason 1: It gets you into the material so YOU know where it is
Reason 2: Do you really want to trust something that someone else made with how often the materials change for these courses?
Reason 3: SANS does not make the GIAC tests

So yes, make sure you do take theirs with you to the cert attempt, but do not rely on it to be your “end all, be all” index for this. It won’t be in your words and there is probably a good chance it isn’t 100% accurate for page numbers.

The Index:

Time to make the index. Here is going to be the thing before you start. You need to have a plan for this. Because it is going to be more than just what book and page something is going to be on. For the best way to do that, I would strongly urge you to use Lesley’s method of excel and then importing it into MS Word with the rest of my suggestions to your index. Her way is just the best way to do it so I’m not going to try and reinvent the wheel! You are going to break this thing down in sections. Just like a research paper. Remember what I said at the beginning of this post, the tests are open note. You have free reign with what you wish to put into this thing so long as it doesn’t violate the testing center or GIAC’s rules and code of conduct. 

That is an example of my Table of Contents from one of the courses. And no, that was not all the pages for that one either. It actually went to 60. Now there is a method to the madness for this thing. For starters, I barely even need to use an index when using this methodology because I’ve been so deep into the material I just KNOW where the subject is within the books. At this point, you should have already 1) taken the course, 2) read through it once, 3) done the labs 2 or 3 more times and 4) gone through the books again to start making this index.

Again, remember this is in your words and this is open note! So with my example of tcpdump, if you are having a hard time remembering what the flags are within the output from the tool, take a screenshot for an example, mark it up and put it in your index! You’ll always be able to refer to it this way. In fact, for classes that are command line heavy…I would say take a screenshot of the output of all those tools and have them in your index. You’ll find it MUCH quicker in this index than you will in the books. Remember most of these SANS books are between 150-250 pages. Your index is going to be between 30-60 pages. Which one is quicker to go through when you’re on the clock?

Also consider putting things like definitions and any specific artifact locations in an area within the index so they can be quickly referenced. Also, those cheat sheets they give ya (ya don’t forget those!) are typically online via the SANS portal and you can just import them into MS Word and have them included in your index! Easy Peasy! And you don’t have to worry about forgetting them by accident. Additionally, if you’re having issues remembering what a tool does, go find the man page online and just add it to the index! I needed this for things like nmap where there are about 100 different options that can be used to get results. And yes, it came in handy!
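Lesley’s spreadsheet-then-Word approach is still the way to go, but the merge-and-sort step in the middle is easy to script if you collect your hits as one CSV row per place a term turns up. The snippet below is my own added example (not Lesley’s template and not anything SANS hands out): it reads rows of term, book, page and note (the sample rows are constructed for the example, not lifted from any course book or exam), merges hits on the same term regardless of capitalization, sorts alphabetically with each term’s references ordered by book then page, and renders a plain-text index you can paste into Word.

```python
import csv
import io
from collections import defaultdict

# Constructed sample hits (my own, not taken from any SANS book or exam).
# One row per place a term turns up: term, book number, page number, your note.
SAMPLE_ENTRIES = """\
term,book,page,note
tcpdump,2,41,"-n no name resolution; -X hex+ASCII; -s 0 full snaplen"
Nmap,3,12,"-sS SYN scan; -sV service version; -O OS detection"
TCPDUMP,5,88,output line: timestamp src > dst: Flags [S]
nmap,3,15,timing templates -T0 (paranoid) through -T5 (insane)
$FILE_NAME,4,77,timestamps not updated by SetFileTime
"""


def build_index(csv_text: str) -> list:
    """Merge hits by term (case-insensitive), sort alphabetically and order each
    term's references by book then page. Returns a list of dicts so the caller
    can render to text, Markdown or a Word table."""
    hits = defaultdict(list)
    display = {}  # first spelling seen is the one that gets printed
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row["term"].strip().lower()
        display.setdefault(key, row["term"].strip())
        hits[key].append((int(row["book"]), int(row["page"]), row["note"].strip()))
    index = []
    for key in sorted(hits):
        refs = sorted(hits[key])
        index.append({
            "term": display[key],
            "refs": [f"{book}:{page}" for book, page, _ in refs],
            "notes": [note for _, _, note in refs if note],
        })
    return index


def render(index: list, width: int = 14) -> str:
    """Plain-text rendering: term, Book:Page list, then one indented line per note."""
    lines = []
    for entry in index:
        lines.append(f"{entry['term']:<{width}} {', '.join(entry['refs'])}")
        lines.extend(f"{'':<{width}}   {note}" for note in entry["notes"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_index(SAMPLE_ENTRIES)))
```

The references come out as Book:Page so a single line tells you which of the 5-6 books to open; keeping the notes in the index is the part that saves you from opening the book at all.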

Okay so you have Index Beta version completed, now what?

Now is when you take the first practice test that GIAC provides to you. And here is where my ideology differs from many….don’t use your books at all. The point of this first practice test is to see what you actually know from the course and the material. You may fail it. But it is a practice test. Don’t stress out about this. Make sure you click to see the answers regardless of whether you answered right or wrong. If you end up guessing on a question, make sure you understand why you got it “lucky right” too. For whatever you get wrong, make sure you write a note about things to study. If you are seeing that your SQLi questions are always wrong, make a note that you may need to dig a little deeper into the material to understand it better. This will also help you get used to being under the timed test parameters too.

Once you’ve completed the test, screenshot the results that show you the stars indicating how well you did for each section of the syllabus and close out your browser. Now its time to compare the syllabus from the GIAC site and your results on areas you struggled  on. Go back into the materials and make sure you hit it even harder in your index for those sections. Index every dang word that looks to be important or that you can recall from the practice test. Put in new sections in your index on that material if you were getting something wrong because you couldn’t recall what you were looking at.

Practice Test 2: 

At this point your index should be pretty much shored up. Your books are annotated and highlighted. Now it is time to see how prepared you really are going to be. Take this practice test with all your books and Index. Keep it turned on to give you the answer regardless of whether it is right or wrong, to help you understand why you got it wrong or why you got lucky right. Make notes on what you were deficient on. What you need to do when the test is over will depend on your score. If you’re scoring in the 80 percent range on the test, you are probably okay to relax a bit and just brush up on some areas. If you’re below that, you’ll probably want to go back through the material and labs on those sections much more in depth to really shore yourself up. If you want to buy another practice test, you can for like $150 in your SANS portal. But I caution against that practice as these are typically retired questions, so the odds you’ll see them on your test are going to be pretty darn rare. Don’t memorize answers to this because it’ll only hurt you when you take it.

So you’ve taken both Tests and the Index is ready! Now what?

Do yourself a favor and don’t just print this thing out at home and bring it loose leaf to the testing center. If you’re in the states, go to UPS/FedEx/Kinkos or somewhere and have them actually bind it. I use UPS and it usually is about $20 to do a colored copy of the index. The reasoning for this is because it’ll make it easier to carry and not worry about losing something….and most importantly….you will always have a “quick reference” book at your work place that doesn’t require you to dig through your 6 SANS books every time you are looking for an answer for a real world situation.

And that is it folks! None of this is absolutely revolutionary, but it is something that I feel prepares you much better for these tests than just building an index and going in with that. You’ll understand the material so much better in my experience and it will make you so much stronger in your day jobs because of it. I wish you all the best of luck!

Command Line or: How I learned to stop relying on GUI interfaces and love the syntax

So this is a little later than I thought I would post this, but life gets in the way! This is something very near and dear to me for a specific reason: my mentor was extremely anti GUI software. Not because he didn’t understand it (although he was about as G-Man as you could imagine), but because he felt that to really understand the data, you needed to get into the weeds. Most vendor software out there was not letting the examiner/analyst/investigator (whatever you wanna call ourselves!) really cull the data in a way that allowed us to understand it on its own terms. I found this out the fun way while doing my GCFA gold paper. Many tools were only reporting the $STANDARD_INFO attribute and not even showing us the $FILE_NAME one. The timestamps in that last attribute are temporal timestamps according to Brian Carrier and many other people who are much smarter than me. Those are extremely important to those of us who may deal with cases of timestomping. Why? Well, that timestamp “may” not be changed and still reflect the actual timestamps for at least Creation. That is HUGE if a person were to roll back the time.
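To show why having both attributes in front of you matters, here is an added example of my own (not part of the original post and not any vendor’s or Eric Zimmerman’s code). It takes per-file rows that carry both the $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) timestamps, the kind of output you get from an MFT parser such as MFTECmd, although the column names and the sample rows below are constructed by me rather than MFTECmd’s actual format, and flags the two classic timestomping tells: a $STANDARD_INFORMATION time that sits earlier than the matching $FILE_NAME time, and $STANDARD_INFORMATION timestamps whose sub-second part is all zeros, which is what the usual SetFileTime-based stomping utilities leave behind because they accept a date string at second granularity while NTFS records 100 ns ticks.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample rows (not real case data). Column names are my own; the layout
# mirrors the per-file output of MFT parsers such as MFTECmd: one row per file with
# the $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) timestamps side by side.
SAMPLE_CSV = """\
path,si_created,si_modified,fn_created,fn_modified
C:\\Users\\tony\\report.docx,2018-06-01T10:15:22.1234567Z,2018-06-05T08:00:00.7654321Z,2018-06-01T10:15:22.1234567Z,2018-06-01T10:15:22.1234567Z
C:\\Windows\\Temp\\svchost.exe,2009-07-14T01:14:28.0000000Z,2009-07-14T01:14:28.0000000Z,2018-06-20T15:42:09.8812345Z,2018-06-20T15:42:09.8812345Z
C:\\Tools\\unzipped\\readme.txt,2017-01-02T03:04:05.1112223Z,2017-01-02T03:04:05.1112223Z,2018-06-21T09:00:00.0001234Z,2018-06-21T09:00:00.0001234Z
"""

TICKS_PER_SECOND = 10_000_000  # FILETIME resolution is 100 ns

_TS = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})\.(\d{1,7})Z$")


def to_ticks(ts: str) -> int:
    """Parse an ISO-8601 UTC timestamp with up to 7 fractional digits into
    100-nanosecond ticks since the Unix epoch, so the sub-second part is kept
    exactly instead of being rounded away by a float."""
    m = _TS.match(ts)
    if not m:
        raise ValueError(f"unparseable timestamp: {ts}")
    y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
    frac = int(m.group(7).ljust(7, "0"))
    whole = int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())
    return whole * TICKS_PER_SECOND + frac


def analyze(csv_text: str) -> dict:
    """Return {path: [indicator, ...]} for every row in the CSV.

    SI_BEFORE_FN  : a $SI time precedes the matching $FN time. $FN is copied from
                    $SI when the name is set and is not reachable through
                    SetFileTime, so a stomped $SI usually drops below it.
    SI_USEC_ZEROS : a $SI timestamp has a zero sub-second component. Stomping
                    tools that take a date string write second-granularity times,
                    while NTFS itself records 100 ns ticks.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        si_c, si_m = to_ticks(row["si_created"]), to_ticks(row["si_modified"])
        fn_c, fn_m = to_ticks(row["fn_created"]), to_ticks(row["fn_modified"])
        flags = []
        if si_c < fn_c or si_m < fn_m:
            flags.append("SI_BEFORE_FN")
        if si_c % TICKS_PER_SECOND == 0 or si_m % TICKS_PER_SECOND == 0:
            flags.append("SI_USEC_ZEROS")
        findings[row["path"]] = flags
    return findings


if __name__ == "__main__":
    for path, flags in analyze(SAMPLE_CSV).items():
        print(f"{path:<35} {', '.join(flags) or 'no indicator'}")
```

Neither flag is proof on its own: archive extractors and installers that restore the original file times also leave $STANDARD_INFORMATION behind $FILE_NAME (the third sample row is that case), and files copied in from FAT media can carry zero sub-second values, so treat the output as a triage list to run down, not a verdict. A tool that only shows you $STANDARD_INFORMATION cannot even raise the question.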

Now, my caveat. This is not a bash at any software vendor out there. In fact, I have always advocated for using many of those vendors for the quick triage, or if you are going to be giving the case over for someone to review. They won’t know what they may be looking at if you just dump out CLI information to them, depending on the information.

A little about me quickly as well. When I first got into forensics, I really didn’t know too much. My first Master’s didn’t really hit on a lot of things I would consider to be enlightening. We were not knee deep into any type of software. So when I first got started, command line really intimidated me. And remember, my mentor was very command line savvy.

So where am I now? I could almost do everything in command line for a DFIR case at this point. I will send the shout outs at the end of the blog w/ links to those I do endorse as great folks to do business with along with learn from.

Here is the reason for the change. Many of the best tools in my experience have been Open Source. Yes, AccessData and X-Ways are amazing when it comes to just pushing a button and letting the software do the work for ya. But it is a completely different realm when you can roll your sleeves up and do it all from a command line prompt and either get the same results, or maybe even more. For example, Eric Zimmerman, who is a SANS Instructor and a fellow mentor of mine, has designed some of the most comprehensive tools out there in my opinion for Windows analysis. And they are free. I’ve yet to honestly see a tool that will do what his tools do.

This is how you can save THOUSANDS of dollars in your office. And if I were to talk about one vendor that will charge ya, but is worth it: it is TZworks.  I will not post photos up of the results of that tool because I have not checked with them in advance for permission, but I can attest to their accuracy and speed. They are great and very responsive to your requests.

And it goes without saying that the SANS SIFT is the bee’s knees. If you have not taken FOR508, you should! I don’t even care if you take the cert or not. But you’ll learn so much about what you can do in that VM environment that you could justify your training just by removing some of the software tools you’re relying on now. Not to mention that while FOR526 and FOR572 have some tweaks to that environment, it is all still pretty much the same at its core.

But here is the whole premise of this post: you don’t need to rely on some fancy GUI tool to do your job. We, as forensic folks, need to be able to understand what we are looking at. Things like ExifTool will tell you more about metadata than almost any other tool I’ve ever seen. Yet it’s free. The issue is that it feels like folks are afraid to use options to get the desired function. As such, I’ll most likely start with Eric’s tools and work down…but my goal is to help everyone feel much more comfortable as they walk around in command line. I assure you, it is not nearly as scary as you think it is. And my hope is, by the end of the year EVERYONE who reads this is using command line to do their investigations.

UPDATE 26/6/2018

I forgot to get the list in here of folks I owe a lot to for my command line affection! Because some of these folks are not actively blogging, I’ve elected to add their twitter handles instead. These are folks I consider integral to my ability to learn command line, either through their own tools or their explanation of methods that can be done via commands much faster or cleaner than GUI interfaces:

H. Carvey

Phil Hagen

Rob Lee

Eric Zimmerman

Dave Cowen

Jared Atkinson

Playing Nice in the Sandbox Together

Tell me how many of these you’ve heard of: Blue Team, Red Team, Purple Team, Green Team, Sprinkles Team

…okay that last one I just made up. Also, why doesn’t DFIR ever have its own “team?”

I’m not going to explain them all to you, but yes, these are in fact terms describing the many facets of IT Security in some way. In the mil days, when I first heard them, they were a way of distinguishing who would be Good and who would be “Evil.” Now they have been indoctrinated into corporate life.

They are all integral to a company, but for some reason so much emphasis has been put on Red Teaming. Why? Ya, we all like to break things…but is it really that much better than doing DFIR work? In my opinion, it isn’t any better. But there is a big difference between those folks and us in DFIR.