Thursday, November 22, 2012

#DFIR things DavNads is Thankful for on Thanksgiving

I hope everyone has a great Thanksgiving. I am going to attempt to deep fry a Turkey tonight, so I wanted to get a blog post up in case these are my last words! There’s often discussion about how to get started in #DFIR or how to get to the next level for those already in the field. Therefore, I thought it would be relevant on this day to take a few minutes to write about some things I am thankful for that have helped me be successful in my #DFIR career.

#Resources (aka weapons)

I like to use the analogy that the #DFIR battleground is like a role-playing video game. A new game provides your character with the essentials, and through the course of your journey you accumulate weapons to build your character's capabilities.

No one starts in #DFIR with all the answers, but knowing where to look for all the answers is possible (think game cheats). Having an arsenal of weapons including blogs, white papers, tools, and even contacts is what enables me on a daily basis to provide answers to questions, solve problems, and prepare for that next battle with the “SASPDT” – Sometimes Advanced, Sometimes Persistent, Definitely a Threat.

I am confident that my arsenal of weapons is what has made me a valuable character on the #DFIR battleground, similar to certain video game characters. The only difference is the "SASPDT" can’t steal the account credentials to ME, unlike those pesky video game characters. For this I am again thankful for my arsenal of forensic weapons.


DFIR is not an easy career to “just get by” in. What makes it so difficult? Well, I think there are a few factors, including the constant changes in technology, process, and interpretation. One’s ability to not only adapt to these changes but help shape the changes is what (in my opinion) separates the button pressers from the button builders. The notion of staying “cutting edge” is challenging because it requires time, passion, research, and sometimes even the ability to develop. However, the reward of solving a challenge often outweighs the effort.

Personally, I have not always been eager for challenges. Whether it was in the classroom or at the gym, I was always the one hiding so as not to be picked on. In fact, I was even in Special Ed for a few years. I felt that my lack of confidence and belief in my abilities kept me from even trying -- which I am sure many others can relate to.

One opportunity that I will always be thankful for was my first network intrusion project. Ed, my boss and my mentor, provided me with the challenge. I’ll never forget our special conversation in his office leading up to the experience. I literally tried to convince him in every way possible that I was not qualified for this, and the only thing I was prepared to do was fail. I think I may have even asked him if he was stupid, sending someone like me to do this type of project! Despite my thoughts, Ed believed in my abilities, and framed his response in a way that actually gave me confidence in myself, my abilities and, most importantly, the drive to try. 2 years later, after a very successful response, Ed gave me the opportunity to testify for the first time on the same project. Let's just say, I might have a little bit too much confidence now. I blame Ed for that.

Challenges are not easy. For most people like myself, it's important to surround yourself with people that support you, believe in you, and will push you. Don't be afraid to try something new; heck, it may open your eyes to an entirely new passion -- network intrusions -- like it did for me. Today, I am thankful for challenges because they have shaped my career.

#Role Models & Mentors

Something I did early on in my career was not only identify role models but identify what characteristic(s) made them role models to me. For instance, I have always looked up to all the SANS faculty (Rob, Paul, Hal, Chad, Alissa, etc.) as role models. Not so much for their “know how” but for their unique ability to articulate and communicate technical knowledge; that's something that, in my opinion, can be one of the most valuable skills. I rely on mentors (Jim, Brian, Steve, J, etc.) to help guide me in following the footsteps of my role models.

Thank you to all my technical and non-technical role models and mentors. I have grown personally and professionally in my career in ways I could never accomplish individually. 


I am most thankful for an awesome #DFIR community. How many other communities out there have people and organizations so inclined to help others, contribute free tools, and advance capabilities? Also, I can't even count how many new friends I have made thanks to this career path.

#Material things ; -)
  • RAM – Because the expensive tools don’t work without it.
  • SSD HDDs – So when the expensive tools crash my computer, I can reboot quickly!
  • New Log2timeline – Can you say super timeline analysis?
  • Volatility – When I thought I had enough to look at with HDDs, now there’s even more with memory analysis.
  • Python – Because it’s better than Perl.
  • VMware Fusion – Allows me to literally swap with 4 fingers between 5 different operating systems.
  • Dual 24” monitors – It's the only type of real estate I can afford!!!!
  • DFIROnline and DFM – Webcasts and good reads
  • VSC toolset – Makes VSC analysis pretty easy!
  • Logicube Dossier – 5-7GB per minute 2 disk duplicator, need I say more?
  • TZworks stuff – Lots of great stuff. 
  • GitHub - Store all my code in the cloud.
  • SharePoint 2010 - Allows me to collaborate with teams on the same documents like Google docs.
  • - My favorite tech blog.
  • SANS 508 - I felt like this class really polished my skills. 
  • WFA Toolkit 3E - Great book and reference guide. Hope to have an iPad copy soon.
  • Sprint 4G LTE hotspot - Allows me to be connected anywhere just like I am in the office :)
  • ImDisk Virtual Disk Driver - Great free image mounting tool.
  • SQLite - Quick and dirty backend to little things here and there.
  • Dcode - Great decoder.
  • GREAT series of blog posts by Patrick Olsen.

Hopefully some of you share these appreciations and others find them useful. Now go eat some turkey or stand in line for something you don’t need that’s on sale!