Forensic Blogs

An aggregator for digital forensics blogs

January 3, 2017 by Corey Harrell

Changing Perspectives

In the Fall I was staring out my back window seeing my yard covered in orange leaves. This sight is one I see each year and have always viewed as my yearly chore. The chore of cleaning up the leaves that have fallen from the trees. At times I would see some joy the leaves would bring as my kids would play in them but mostly I viewed the leaves with disdain. Knowing I would be spending hours upon hours cleaning them up. I came to accept this yearly chore as something that doesn’t change since it came with the territory of owning a property with trees. This was until I became more knowledgeable about a subject and this knowledge changed my perspective on how I see these leaves.

For over a year I took some time to get refocused in life. During this time I was reflecting on different things; one of those things was that I have never grown my own food. My food typically came from stores, farmers' markets, or local farmers. Thinking about it I realized my food has always come from someone else’s labor. I had no clue how to grow food nor what was involved with growing food. I decided I wanted to change this and I jumped head first into becoming more knowledgeable about organic gardening.

I won’t go into detail about my approach; basically I read books, researched on websites, spoke to friends who garden, and I spoke to local farmers who I buy food from. I tried to cover all of my bases to know as much as I could about the entire plant life cycle. My goal is to be fully self-reliant so to avoid having to constantly buy compost I started to learn about composting. As I went deeper into the art of composting by reading and seeing what others have done before me, the more knowledgeable I started to become. The more knowledgeable I started to become the more my perspective started to change. Staring out of my back window each Fall I only saw a chore. However, this year as I was staring out of the window I saw something else. I saw enough brown material that I could use to make compost the next spring. To create the rich compost loaded with nutrients to feed my vegetable plants. I saw the potential for cover material I could put on my raised beds to protect the soil during the winter months. I saw what a blessing each Fall is since it is when nature provides you with a wealth of material you can use to improve your soil to grow better vegetable plants.

As I stared out the window I also reflected on the similarities between my journey into composting and a security analyst’s journey into DFIR. When I’m building up a security analyst to do DFIR work the approach is the same. The first few months I allow them to be paid to learn; their job is to gain knowledge so their perspective looking at data changes. I want to give them knowledge about what they are looking for, different files and folders on the system, different log sources, and the analysis process. I try to give them enough knowledge to change how they see data and what that data means. To change them from seeing just a bunch of files and folder names to seeing select artifacts and log files. To change them from seeing just a bunch of activity to seeing the malicious activity. To change them from seeing alerts and alarms to seeing what the exact attack vector is.

Knowledge is the key to changing one’s perspective; applying the knowledge is what makes the change reality.

"Knowledge without application is like a book that is never read"

~ Christopher Crawford

Read the original at: Journey Into Incident Response

Filed Under: Digital Forensics. Tagged With: advice

May 24, 2016 by Corey Harrell

Thanks a Million

Last week a new member on my $DayJob’s team reached the point in his in-house training where he started to read articles on jIIr. After I cracked a joke about the blog’s author he mentioned how my blog had over one million page views. To be honest, I haven’t looked at jIIr’s statistics for months and I didn’t even know about the page views. The milestone really made me reflect on my journey and how it wouldn’t have been possible without others so I wanted to take the time to say thank you.

Thanks to everyone who has stopped by jIIr to read my content. Thanks to all the other bloggers who have linked back to my site or posted links directing their readers to my site. Thanks to everyone who posted links to my content on websites, social media, forums, and DFIR email lists to direct people to my posts. I especially wanted to thank those who took the time to leave a comment or contact me by email about something I wrote, whether it is positive or criticism. I wanted to give a shout out to Harlan for the advice he provided to me. I was just a random person who reached out to him looking for advice on starting a blog. Not only did he provide me with great advice (which showed me I was really overthinking things) but he also mentioned jIIr on his own blog, which helped my content gain more exposure. Lastly, I wanted to thank the Christian men’s group I was in all those years ago who walked with me on how we could use the passions God blessed us with to serve others.

In addition to saying thanks I also wanted to apologize. I wanted to apologize to those who left comments on my blog over the past few months to whom I never responded. To those who contacted me by email and I either took an extremely long time to respond or never responded at all. To those who may have visited my blog only to be disappointed due to the lack of new content being posted on jIIr since last September. This was not the way I would have preferred to hit this milestone compared to hitting the milestone due to a great article that pushed me over a million page views. Sitting where I am today I wouldn’t have done it any other way. I needed some time to focus on my walk with Christ and spend more time in God’s word. In essence, I realigned priorities in my life and how I was spending my time. Outside of my commitments (family, $DayJob, $AcademiaJob, and church) I pretty much disconnected from everything else to focus on my faith. The DFIR community and jIIr were part of this everything else category that I temporarily put on hold while I spent time refocusing. Stay tuned as I start working my way through my blog idea hopper that has built up over the months.

It’s been a long journey to reach this milestone. I went from a digital forensic analyst/vulnerability assessor looking to get into the incident response field to becoming a security analyst who built and manages a Computer Security Incident Response Team (CSIRT) performing security monitoring and incident response. jIIr has been a place where I have shared my thoughts during this journey in hopes that someone somewhere would find the content useful and helpful. God willing, I’ll continue publishing content and my research for another six years to help those on their own journeys.


But He answered and said, “It is written, ‘MAN SHALL NOT LIVE ON BREAD ALONE, BUT ON EVERY WORD THAT PROCEEDS OUT OF THE MOUTH OF GOD.’”

~ Matthew 4:4

Read the original at: Journey Into Incident Response

Filed Under: Digital Forensics

May 19, 2016 by Corey Harrell

Breaking Out of Routines

I was digging a hole to plant my blackberry plants when I kept hearing a noise of something moving around the corner of my house. I stopped digging and walked around the house to see what was making the noise. I didn’t see anything anywhere so I shrugged it off and went back to digging the hole. Shortly thereafter I heard the noise again so I went back to look around the corner. Again, I didn’t see anything so I went back to work thinking maybe it was the wind. After a few minutes I heard the noise for a third time and this time I was determined to figure out what was making the noise. I went around the corner of my house but I still didn’t see anything. Then I looked down to my right to my basement window well that sits below ground and saw what was making the noise. Sitting next to my window inside the window well was a squirrel, which wasn’t moving since it saw me standing right above it.

I walked a few feet away so the squirrel couldn’t see me but I could still see it. I stood on top of my air conditioning unit to see what the squirrel was doing. After a minute, the squirrel started to move around. Not just in any manner but it started to walk the boundary of the window well making a circle. As I stood there watching the squirrel I realized what had occurred. I built up the soil on that side of my house to prepare for our garden but this caused the soil to be close to the top of my window well. The squirrel must have been walking and fell into the window well before I was able to buy window well covers. The trapped squirrel searching for a way out turned it into a routine. The routine of walking in circles trying to find a way to escape but not finding one. The squirrel keeps walking searching for a way out. In the end, the squirrel is just walking in a small circle. As I was watching the squirrel I could see it had been trapped for some time; maybe for hours or maybe the entire day.

I thought about how I could help the squirrel escape without it biting me. My first attempt was to put a branch into the window well. This way the squirrel could climb up the branch to escape. I dropped the branch down into the window well and went back to my spot to watch what happens. The squirrel started to walk the circle and approached the branch. Then the squirrel walked over the branch and continued looking for a way out. My first thought was maybe the branch was too small so I replaced it with a piece of lumber. The same thing occurred with the squirrel walking right over the lumber and not seeing that the wood was its way out from being trapped. I stood there watching the squirrel and thought to myself the squirrel is trapped in its own routine. For hours the branch and lumber were not there so the squirrel was walking right past it since it was not expecting it. My neighbor came over to help me get the squirrel out. It took a few minutes but he was able to manage to lift the now freaked out squirrel out of the window well with the shovel. The squirrel panicked and jumped right back down into the window well. However, this time the squirrel was no longer trapped in its routine since the experience with the shovel was a jolt to its senses. My neighbor now struggled to get the squirrel on the shovel so he decided to set a brick on the bottom of the window well. The squirrel immediately saw the brick and used it to jump out of the window well to free itself.

At times we can find ourselves trapped in our routines and this is especially true when performing analysis for security monitoring, digital forensics, or incident response. Routines make our job easier because we can perform certain actions without having to think really hard about how to do it. The downside of routines is they tend to put us on auto-pilot, which blinds us to seeing something new that is right in front of us. Similar to the squirrel’s routine blinding it to seeing the way to escape. Every now and then when you are performing routine analysis tasks take the time to stop and think about what you are doing, what you are trying to accomplish, and what you are seeing. If you don’t then you may never see what you are missing because we don’t have the luxury of someone giving us a jolt to break us out of our routines.

Read the original at: Journey Into Incident Response

Filed Under: Digital Forensics. Tagged With: advice
