Reddit, Let's Talk About It

Sorry for the very long delay. Between heading out to DC to TA/moderate the FOR585 class and work, it has been very chaotic! No excuse, but just very busy. One thing I have been working on has been reversing the Reddit app that came out about a year or so ago. What really drew me to this is that I'm not seeing a lot of support from the main forensic tools out there to parse this bad boy. So I'll be posting up shortly what the iOS version of it looks like. Hopefully I'll be able to get a parser created for everyone as well. But if not, a nice precursor is to get out your trusty plist viewer! Not much in the way of databases here…and the data that resides there is pretty darn interesting!

Stay Tuned!

So You Want to Get into DFIR? Private Sector Edition

So you’ve decided that public sector is just not for you. Nothing wrong with that! We just need to work on getting you ready for different suits. This is a different animal altogether! If you have a love for white collar issues, you’ll see there is no end to the work you can do. If you love threat hunting, this will be a joy!

What am I going to work?

This is going to be entirely dependent on your company and most likely your location as well. However, a good indication will be how involved the digital forensics function is with the Legal entity of said company. You could be working things like HR complaints. You could be working complex white collar crime cases. At the very least, you’ll most likely be working intellectual property (IP) theft. All three are very important and will vary in how much of an operations tempo you’ll have working this stuff. I personally have found a newfound enjoyment in working white collar issues for some odd reason. It must just be that I was done looking at evil images!

How do I get a job in it?

Again, I caveat. There is a lot in play here. And my experience is probably more against the grain than what many would see. However, I would tell folks to move cautiously when trying to get into these roles. For some companies, this may be really easy to get into. Others are almost impossible for anyone with entry level experience. And that is the audience I am addressing here. Those who have a 2 page resume with loads of certs and degrees and experience don’t need my help getting a job.

If you are just coming out of college with minimal IT experience (like official IT experience, not helping grandma get her computer set up), I would almost urge folks to take a role on a SOC or in Legal IT at first. While I would always take on someone junior level to work with me and mentor them, it is a hard sell to most legal operations to have someone who could be roasted in a deposition or court based on minimal experience. If you can find a junior role doing this, I would just urge you to make sure the job isn’t eDiscovery in nature (aka, just email) or button monkey (aka, just push a button and let someone else look at the output). To me, that doesn’t seem fun — and this is a job you’re going to be doing 40+ hours a week!

Now if you go the SOC route, I think you’ll gain some useful experience if you really want to put the IR in DFIR. You’ll understand what hardware/software is in place at the company and can help make sure it is working like it should be. Additionally, if the company is small enough, this is probably one of the best ways to get your foot in the door to build up a forensics position anyway! You’ll probably see these jobs posted as “Security Analyst.” It isn’t official unless analyst is in the name.

The Job Postings

Caveat as well: your experience may differ. I cannot foresee every company in the world. BUT. What I can provide is insight to hopefully make you the best candidate.

Things you’ll just need to have: a 4-year degree in some facet of IT. That can be IT Management, “Cyber Security”, Information Security, etc. The big thing here is employers are going to wanna know that you have a more advanced understanding of technology than “push this button and get email.”

Certifications are iffy in my opinion. Namely because HR doesn’t know what to ask for and hiring managers just copy and paste. But yes, things like CISSP are always going to be a “shoo-in” for any IT application since it is predominantly the only IT cert I swear HR employees know. Another issue with certs is they tend not to be very cheap. Even as a big advocate for SANS, I cannot demand someone pay out of pocket for the cost of the courses. With that being said, seeing things like GCFE, GCFA, GCIH, GNFA, etc. is going to be intriguing to me. Namely because I know how difficult those tests are. However, if this is for entry level type forensics, if I see the CCE I am more likely to get these folks into an interview. I do not agree with how up-to-date the material is, but there are forensic techniques and processes there that are still very relevant. Hopefully in due time they’ll update and I can start really championing this cert again.

The CFCE is another one that, if I see it, will probably make me jump for joy. But it also isn’t cheap to take and the process is pretty painful as well. I’m not really expecting many out of college to be taking this.

Job Experience

Optimally, having some semblance of IT Security or Legal knowledge is going to go the furthest. You want to establish to the hiring manager that you can do the job without hand holding and are not scared of lawyers. This can be anything from just blog reading to formal education.

Personally, that is it! Private Sector has some great opportunities. You’ll find the jobs are probably pretty rare, but even if you get into IT Security within a company I think you’ll be able to pivot to doing Digital Forensics if that is your jam. Many just do not know how much money can be saved by keeping this role within the company as opposed to seeking a third party.

Command Line or: How I learned to stop relying on GUI interfaces and love the syntax

So this is a little later than I thought I would post this, but life gets in the way! This is something very near and dear to me for a specific reason: my mentor was extremely anti GUI software. Not because he didn’t understand it (although he was about as G-Man as you could imagine), but because he felt that to really understand the data, you needed to get into the weeds. Most vendor software out there was not letting the examiner/analyst/investigator (whatever you wanna call ourselves!) really cull the data in a way that allowed us to understand it on its own terms. I found this out the fun way while doing my GCFA gold paper. Many tools were only reporting the timestamps from the $STANDARD_INFORMATION attribute and not even showing us the $FILE_NAME one. That second attribute carries its own set of timestamps, as Brian Carrier and many other people who are much smarter than me have documented. Those are extremely important to those of us who may deal with cases of timestomping. Why? Well, the $FILE_NAME timestamps are written by the filesystem driver itself (on create, rename and move), not by the user-mode API that timestomping tools call, so they “may” not be changed and still reflect the actual timestamps, at least for Creation. That is HUGE if a person were to roll back the time.
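To make the $STANDARD_INFORMATION versus $FILE_NAME comparison concrete, here is an added example (mine, not code from the original post or from any of the tools it mentions) that parses a raw 1024-byte MFT FILE record, applies the update sequence fixups, pulls both timestamp sets, and flags the two classic timestomping indicators: a $SI timestamp that predates its $FN counterpart, and $SI values with zero sub-second ticks (a tell of tools that only accept second granularity). The attribute layouts follow the public NTFS documentation; the two records at the bottom are constructed inline for the demo and are not real evidence.

```python
"""$SI vs $FN timestamp comparison on a raw NTFS MFT record (added example)."""
import struct
from datetime import datetime, timedelta, timezone

ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
TS_NAMES = ("created", "modified", "mft_modified", "accessed")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime, ticks: int = 0) -> int:
    """datetime -> FILETIME; `ticks` adds sub-second 100 ns units."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10 + ticks


def apply_fixups(rec: bytearray) -> bytearray:
    """Undo the update sequence array: on disk the last 2 bytes of each 512-byte
    sector hold the USN and the real bytes live in the array in the header."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_cnt):
        end = i * 512 - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def parse_record(raw: bytes) -> dict:
    """Walk the resident attributes of one FILE record and return
    {'si': {...} or None, 'fn': [(name, {...}), ...]} with raw FILETIME ints."""
    rec = apply_fixups(bytearray(raw))
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    out = {"si": None, "fn": []}
    off = struct.unpack_from("<H", rec, 0x14)[0]          # first attribute offset
    while off + 16 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if nonres == 0 and atype in (ATTR_SI, ATTR_FN):
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = bytes(rec[off + coff:off + coff + clen])
            ts_off = 0 if atype == ATTR_SI else 8        # $FN starts with parent ref
            ts = dict(zip(TS_NAMES, struct.unpack_from("<4Q", body, ts_off)))
            if atype == ATTR_SI:
                out["si"] = ts
            else:
                nlen = body[0x40]                          # name length in UTF-16 chars
                out["fn"].append((body[0x42:0x42 + 2 * nlen].decode("utf-16-le"), ts))
        off += alen
    return out


def timestomp_indicators(parsed: dict) -> list:
    """$FN is only rewritten by the kernel on create/rename/move, so $SI values
    older than $FN, or $SI values with no sub-second ticks, deserve a look."""
    si, findings = parsed["si"], []
    if si is None:
        return ["no $STANDARD_INFORMATION attribute"]
    for name, fn in parsed["fn"]:
        for key in ("created", "modified"):
            if si[key] < fn[key]:
                findings.append(f"{name}: $SI {key} predates $FN {key} "
                                f"({filetime_to_dt(si[key])} < {filetime_to_dt(fn[key])})")
    if all(v % 10_000_000 == 0 for v in si.values()):
        findings.append("$SI timestamps all have zero sub-second precision")
    return findings


# --- constructed sample records for the demo (not real evidence) ------------
def _attr(atype: int, body: bytes) -> bytes:
    total = (0x18 + len(body) + 7) & ~7                  # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHH", atype, total, 0, 0, 0x18, 0, 0)   # common header
    hdr += struct.pack("<IHBB", len(body), 0x18, 0, 0)               # resident header
    return (hdr + body).ljust(total, b"\0")


def _fn_body(name: str, ts: tuple) -> bytes:
    n = name.encode("utf-16-le")
    return struct.pack("<Q4QQQIIBB", 5, *ts, 0, 0, 0x20, 0, len(name), 3) + n


def build_record(attrs: list, usn: bytes = b"\x01\x00") -> bytes:
    rec = bytearray(1024)
    usa_off, usa_cnt, first = 0x30, 3, 0x38
    body = b"".join(attrs) + struct.pack("<I", ATTR_END)
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", usa_off, usa_cnt, 0, 1, 1,
                     first, 1, first + len(body), 1024)
    rec[first:first + len(body)] = body
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_cnt):                          # write the on-disk fixups
        end = i * 512 - 2
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


T2018 = dt_to_filetime(datetime(2018, 6, 20, 14, 3, 7, tzinfo=timezone.utc), ticks=4_412_931)
T2010 = dt_to_filetime(datetime(2010, 1, 1, 12, 0, 0, tzinfo=timezone.utc))   # whole seconds

CLEAN = build_record([_attr(ATTR_SI, struct.pack("<4Q", T2018, T2018, T2018, T2018) + b"\0" * 16),
                      _attr(ATTR_FN, _fn_body("report.docx", (T2018,) * 4))])
STOMPED = build_record([_attr(ATTR_SI, struct.pack("<4Q", T2010, T2010, T2010, T2010) + b"\0" * 16),
                        _attr(ATTR_FN, _fn_body("evil.exe", (T2018,) * 4))])

if __name__ == "__main__":
    for label, rec in (("report.docx", CLEAN), ("evil.exe", STOMPED)):
        print(label, timestomp_indicators(parse_record(rec)) or "no indicators")
```

Treat the output as an indicator, not proof: tools that deliberately preserve source timestamps on copy (robocopy with /COPY:DAT, some archive extractors) also leave $SI created older than $FN created, so corroborate with $LogFile/$UsnJrnl before calling it timestomping. On a real image, feed `parse_record` each 1024-byte slice of an extracted $MFT; non-resident and multi-record (base/extension) cases are beyond this snippet.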

Now, my caveat. This is not a bash at any software vendor out there. In fact, I have always advocated for using many of those vendors for the quick triage, or if you are going to be giving the case over for someone to review. They won’t know what they may be looking at if you just dump out CLI information to them, depending on the information.

A little about me quickly as well. When I first got into forensics, I really didn’t know too much. My first Masters didn’t really hit on a lot of things I would consider to be enlightening. We were not knee deep in any type of software. So when I first got started, command line really intimidated me. And remember, my mentor was very command line savvy.

So where am I now? I could do almost everything in command line for a DFIR case at this point. I will put the shout-outs at the end of the post, with links to those I do endorse as great folks to do business with and learn from.

Here is the reason for the change. Many of the best tools in my experience have been Open Source. Yes, AccessData and X-Ways are amazing when it comes to just pushing a button and letting the software do the work for ya. But it is a completely other realm when you can roll your sleeves up and do it all from a command line prompt and either get the same results, or maybe even more. For example, Eric Zimmerman, who is a SANS Instructor and a fellow mentor of mine, has designed some of the most comprehensive tools out there in my opinion for Windows analysis. And they are free. I’ve yet to honestly see a tool that will do what his tools do.

This is how you can save THOUSANDS of dollars in your office. And if I were to talk about one vendor that will charge ya, but is worth it: it is TZWorks. I will not post screenshots of the results of that tool because I have not checked with them in advance for permission, but I can attest to their accuracy and speed. They are great and very responsive to your requests.

And it goes without saying that the SANS SIFT is the bee’s knees. If you have not taken FOR508, you should! I don’t even care if you take the cert or not. But you’ll learn so much about what you can do in that VM environment that you could justify your training just by removing some of the software tools you’re relying on now. Not to mention that while FOR526 and FOR572 have some tweaks to that environment, it is all still pretty much the same at its core.

But here is the whole premise of this post: you don’t need to rely on some fancy GUI tool to do your job. We, as forensic folks, need to be able to understand what we are looking at. Things like ExifTool will tell you more about metadata than almost any other tool I’ve ever seen. Yet it’s free. The issue is that folks seem afraid to use the options to get the desired function. As such, I’ll most likely start with Eric’s tools and work down…but my goal is to help everyone feel much more comfortable as they walk around in command line. I assure you, it is not nearly as scary as you think it is. And my hope is, by the end of the year EVERYONE who reads this is using command line to do their investigations.

UPDATE 26/6/2018

I forgot to get the list in here of folks I owe a lot to for my command line affection! Because some of these folks are not actively blogging, I’ve elected to add their Twitter handles instead. These folks I consider integral to my ability to learn command line, either through their own tools or through explanation of methods that can be done via commands much faster or cleaner than GUI interfaces:

H. Carvey

Phil Hagen

Rob Lee

Eric Zimmerman

Dave Cowen

Jared Atkinson

Playing Nice in the Sandbox Together

Tell me how many of these you’ve heard of: Blue Team, Red Team, Purple Team, Green Team, Sprinkles Team

…okay that last one I just made up. Also, why doesn’t DFIR ever have its own “team?”

I’m not going to explain them all to you, but yes, these are in fact terms describing the many facets of IT Security in some way. In the mil days, when I first heard them, they were a way of distinguishing who would be Good and who would be “Evil.” Now they have been adopted into corporate life.

They are all integral to a company, but for some reason so much emphasis has been put on Red Teaming. Why? Ya, we all like to break things…but is it really that much better than doing DFIR work? In my opinion, it isn’t any better. But there is a big difference between those folks and us in DFIR.

So, who am I?

Many are probably wondering who I am and if this is worth their time. My hope is that it will be! To start, I won’t go into my background too much…if you want to know it you’ll probably be able to ask around to put the pieces together. Also, I’m not the kind of person who thinks degrees and certs make the person. Do I have those? Yes, I do. We will leave it at that.

My first, and probably only, claim to fame within the community has been the GCFA gold paper I wrote: https://www.sans.org/reading-room/whitepapers/forensics/filesystem-timestamps-tick-36842. It was the first time I really branched out and it was very worthwhile. I would urge everyone to do that deeper dive research to further the field. How did I come up with this? It really came about because I just didn’t understand how timestamps would be reflected if a file was bouncing around a bunch of filesystems. And lo and behold, the paper wrote itself. Seriously…I had this thing written before I even submitted the idea to GIAC for the gold paper. That was just how easy it was!

That is my urging to you on this Sunday…find something you’re passionate about and start researching it! After speaking with many of our peers over the last weekend, I am going back to that paper and revising it. Namely to make it cleaner and much more visually friendly. So be on the lookout!

Removing the Cloak

So I was basically challenged into starting up a blog as a way of giving back to the community. This was largely pushed by many of the SANS instructors within the digital forensics curriculum, as there is a large gap within the field as a whole. Coming from my previous employer, this was just something that couldn’t be done. We were always pushed to err on the side of caution while conducting any activity online so as not to be found. That has basically been my mantra for quite some time now, even after I left. Exposing myself is something that has taken a lot of internal courage for me to do.

But I am doing it!

And the reasons why I am doing it are largely because I want to give back to a field that has offered me so much. It is the right thing to do. Watching many of those I look up to have no issues using real names and email addresses out there in the wild has made this transition a lot easier. The hope is to provide content that our community finds relatable and helpful in their own careers and studies.

What you can expect to see in terms of content is going to vary considerably depending on what I feel would help move this forward. Since I work directly with SANS as a SME, I have been blessed to have taken a considerable number of the courses. This will most likely be some of the first few postings, to hopefully provide one person’s perspective on taking these classes and maybe go over some study tips for the GIAC certs that many of you either have not done or have not prepared for as well as you could have.

Expect to read….

SANS / GIAC
Digital Forensics
Incident Response
Legal Issues
Lab Management
Policy Development
Red Teaming
Engagements and Operations Planning
Travel