I work for an international organization. I am employed as a Digital Forensic Examiner for said organization and, I am told, perform quite well at what I do for the type of work I am exposed to. I am also looked upon as the IR fella; however, I have had little to no exposure or experience in that specific arena, that being, responding to major incidents at the enterprise level. This is both a blessing and a curse: a blessing because of no major incidents, a curse because it hinders my experience and ultimately my growth. All my training and experience is based on analyzing disks in the Windows desktop/laptop world, addressing matters for Legal, Human Resources, Corporate Security, Lines of Business, Policy Violations and some commodity Malware investigations, etc. These are all important; however, I am starting to feel the work is repetitive and hindering my growth into more advanced areas.
I have been doing what I do for a few years now and have gained much knowledge and experience in the area of disk forensics. I have built out a forensic infrastructure with a presence in major regions of the globe. I have put together our operating procedures for conducting investigations using either commercial tools or open source. Lastly, I have standardized our reporting templates for investigations.
I enjoy performing RAM dump analysis with Redline and Volatility, but wish I could do more. I get excited at the thought of performing my next timeline with log2timeline, and I really love digging into UsnJrnl files to witness the birth of hostile binaries and follow their life cycle. This stuff excites me. However, I have an issue, as I suspect a lot of folks in the general workforce do. I love what I do, but not necessarily with whom and the circumstances under which I am doing it. That is where the frustration persists. It becomes frustrating when you learn new skills but don’t get to use them on a continual basis.
On a day not so long ago, I had an “Ah Ha!” moment that I knew would arrive eventually. It was just a matter of time. The thought that I processed went like this: “If I am to truly grow in this field, I need to work around people with similar desires and wants”. I feel I currently do not have that where I am.
So what have I done to alleviate some of this frustration? While I attempt to figure out my options, I am doing multiple things to keep pushing forward in this field. For example, I created this blog to gain exposure and create an awareness of myself, my work, knowledge, thought process and interests. There are many other things a person in this line of work must do daily in an attempt to stay current with tools, procedures, artifacts and trends. My approach is listed below.
Education & Training
Education and continued training in any field is non-stop, especially one so technical as DF. My approach to continual education is shown below. It’s easy to go off in many directions in a field so broad as this; I find the key for me is to stay focused on core skills and needs, what you’re good at, and then expand into some areas of specialization as needs and/or desires require. For example, I am not a malware RE, which is a separate discipline altogether. I will spend some time dedicated to static analysis, I think that is good; however, that’s as far as it goes. There is so much more going on with the core of what I do that I need to stay focused on it. It’s very easy to get distracted into something else in a field so broad. I don’t want to be a jack-of-all-trades; this field is so broad you can’t know everything, but at least have some kind of a specialty if you can. Say OSX, for example.
Training
Official classroom training is a must. My opinion is 80 hrs a year should be the minimum. I’m an advocate for sitting in a classroom with industry peers and an instructor. Virtual training is OK, just not for me. I like real-time discussions and an instructor you can pull to the side.
Budgets are tight though when it comes to training. I’m lucky to get training just to satisfy my certificate maintenance. So what to do about it? Read on.
Books
Continue to read books, as many as time will permit. Below is an example of some of the books I have read.
· Windows Forensic Analysis series, Harlan Carvey
· Windows Internals 6, Part 1, Mark Russinovich
· Practical Malware Analysis, Michael Sikorski, Andrew Honig
This is just a sample; this list goes on, but you get the idea.
Blogs
There are many blogs out there for this line of work. It’s easy to get lost in the amount of blogs available. The key is to pick a few core blogs, follow them and then have a couple of specialty ones. Below are examples of core blogs I follow.
Webinars
What can I say except Mandiant, Mandiant and more Mandiant. These folks have amazing webinars. You must subscribe to their Fresh Prints of Malware webinars; they are incredibly useful. They have some great tools also. Because I am an EnCase user I also sit through Guidance Software’s webinars too. Again, very useful information on using their tools.
White Papers
Take the time to read white papers that get released by various vendors and institutions. The authors of these papers spend a lot of time and research producing them.
Tools
There are two camps here, Commercial and Open Source. I use a combination of both. The amount of tools available today to parse evidence or log files is vast. Try them out; however, you must settle on what works for you and have a core set. Commercial tools cannot do everything; therefore I have a set of open source tools for processing certain pieces of data. For example, I use EnCase Enterprise for my acquisitions, case processing, bookmarking evidence, etc. However, I use RegRipper for processing registry hives because it is so good and efficient. It’s easy to get overwhelmed with the amount of tools, especially the open source tools. Don’t end up with a Downloads folder full of tools that you can’t recall the purpose of. Download and test, verify against your test data, but if you can’t use the tool for whatever reason, put it to the side and move on.
Testing
I have test data that is my known good data. I know the image well. Perform as much testing against the data as you can, continuously. When time permits I ask myself, “What piece of data or tool do I want to test?” I may have read a blog entry somewhere and want to test something mentioned in the blog. I keep a separate bookmark folder in my browser called “To Read”. These are webpages that are my “must read list” or something I want to test.
Procedures
I create the procedures for my group. I identify a piece of data that I am interested in and create the official procedure for my group to follow for parsing the data. This requires research into the data point, identifying the right tool, testing with my test data, reviewing the results and confirming them, and finally creating a procedure for folks to follow.
Knowledge Sharing
I share what I know. This builds relationships and fosters a positive work environment. We are all in this together; the work is challenging and often frustrating when you don’t know a certain thing. It’s only through sharing that we can expect any of us to become better analysts.
That’s it for today.
P.S. My next book to read is on pre-order: The Art of Memory Forensics.
Even though I don’t get to do much in the way of memory analysis right now, my standard operating procedures state to perform a RAM acquisition regardless of the investigation. Never a bad thing, and you might just need it during what starts out as a run of the mill policy violation case.