This past week I attended the 9th OSDFCon...not my 9th, as I haven't been able to make all of them. In fact, I haven't been able to make it for a couple of years. However, this return trip did not disappoint. I've always really enjoyed the format of the conference, the layout, and more importantly, the people. OSDFCon is well attended, with lots of great talks, and I always end up leaving there with much more than I showed up with.
Interestingly enough, one speaker could not make it at the last minute, and Brian simply shifted the room schedule a bit to better accommodate people. He clearly understood the nature of the business we're in, and the absent presenter suffered no apparent consequences as a result. This wasn't one of the lightning talks at the end of the day, this was one of the talks during the first half of the conference, where everyone was in the same room. It was very gracious of Brian to simply roll with it and move on.
The Talks
Unfortunately, I didn't get a chance to attend all of the talks that I wanted to see. At OSDFCon, by its very nature, you see people you haven't seen in a while, and want to catch up. Or, as is very often the case, you see people you only know from online. And then, of course, you meet people you know only from online because they decide to drop in, as a surprise.
However, I do like the format. Talk times are much shorter, which not only falls in line with my attention span, but also gets the speakers to focus a bit more, which is really great, from the perspective of the listener, as well as the speaker. I also like the lightning talks...short snippets of info that someone puts together quickly, very often focusing on the fact that they have only 5 mins, and therefore distilling it down, and boiling away the extra fluff.
My Talk
I feel my talk went pretty well, but then, there's always the bias of "it's my talk". I was pleasantly surprised when I turned around just before kicking the talk off to find the room pretty packed, with people standing in the back. I try to make things entertaining, and I don't want to put everything I'm going to say on the slides, mostly because it's not about me talking at the audience, as much as its about us engaging. As such, there's really no point in me providing my slide pack to those who couldn't attend the presentation, because the slides are just place holders, and the real value of the presentation comes from the engagement.
In short, the purpose of my talk was that I wanted to let people know that if they're just downloading RegRipper and running the GUI, they aren't getting the full power out of the tool. I added a command line switch to rip.exe earlier this year ("rip -uP") that will run through the plugins folder, and recreate all of the default profiles (software, sam, system, ntuser, usrclass, amcache, all) based on the "hive" field in the config headers of the plugin.
To-Do
Something that is a recurring theme of this conference is how to get folks new to the community to contribute and keep the community alive, as well as how to just get folks in the community to contribute. Well, a couple of things came out of my talk that might be of interest to someone in the community.
One way to contribute is this...someone asked if there was a way to determine for which version of Windows a plugin was written. There is a field in the %config header metadata that can be used for that purpose, but there's no overall list or table that identifies the Windows version for which a plugin was written. For example, there are two plugins that extract information about user searches from the NTUSER.DAT hive, one for XP (acmru.pl) and one for Vista+ (wordwheelquery.pl). There's really no point in running acmru.pl against an NTUSER.DAT from a Windows 7 system.
So, one project that someone might want to take on is to put together a table or spreadsheet that provides this list. Just sayin'...and I'm sure that there are other ideas as to projects or things folks can do to contribute.
For example, some talks I'd love to see is how folks (not the authors) use the various open source tools that are available in order to solve problems. Actually, this could easily start out as a blog post, and then morph into a presentation...how did someone use an open source tool (or several tools) to solve a problem that they ran into? This might make a great "thunder talk"...10 to 15 min talks at the next OSDFCon, where the speaker shares the issue, and then how they went about solving it. Something like this has multiple benefits...it could illustrate the (or, a novel) use of the tool(s), as well as give DFIR folks who haven't spoken in front of a group before a chance to dip their toe in that pool.
Conversations
Like I said, a recurring theme of the conference is getting those in the community, even those new to the community, involved in keeping the community alive, in some capacity. Jessica said something several times that struck home with me...that it's up to those of us who've been in the community for a while to lead the way, not by telling, but by doing. Now, not everyone's going to be able to, or even want to, contribute in the same way. For example, many folks may not feel that they can contribute by writing tools, which is fine. But a way you can contribute is by using the tools and then sharing how you used them. Another way to contribute is by writing reviews of books and papers; by "writing reviews", I don't mean a table of contents, but instead something more in-depth (books and papers usually already have a table of contents).
Shout Outz
Brian Carrier, Mari DeGrazia, Jessica Hyde, Jared Greenhill, Brooke Gottlieb, Mark McKinnon/Mark McKinnon, Cory Altheide, Cem Gurkok, Thomas Millar, the entire Volatility crew, Ali Hadi, Yogesh Khatri, the PolySwarm folks...I tried to get everyone, and I apologize for anyone I may have missed!
Also, I have to give a huge THANK YOU to the Basis Tech folks who came out, the vendors who were there, and to the hotel staff for helping make this conference go off without a hitch.
Final Words
As always, OSDFCon is well-populated and well-attended. There was a slack channel established for the conference (albeit not by Brian or his team, but it was available), and the Twitter hashtag for the conference seems to have been pretty well-used.
To follow up on some of the above-mentioned conversations, many of us who've been around for a while (or more than just "a while") are also willing to do more than lead by doing. Many of us are also willing to answer questions...so ask. Some of us are also willing to mentor and help folks in a more direct and meaningful manner. Never presented before, but feel like you might want to? Some of us are willing to help in a way that goes beyond just sending an email or tweet of encouragement. Just ask.
Updates
IWS
Folks have started receiving the copies of IWS they ordered, and folks like Joey and Mary Ellen have already posted reviews! Mary Ellen has also gone so far as to post her review the Amazon page for the book!
Some have also pointed out that the XP image from Lance's practical is no longer available. Sorry about that but I was using the image, and don't have access to, nor control over the site itself. However, the focus of the book is the process, and choosing to use available images, I thought, would provide more value, as readers could follow along.
Addendum, 7 Oct: Thanks to the wonderful folks from the TwitterVerse who pointed out archive.org as a resource, the XP image can be found here!
Speaking of images, I got an interesting tweet the other day, asking why Windows 10 wasn't mentioned in ch. 2 of the book. The short answer is two-fold; one, because it wasn't used/addressed. For the second part of the answer, I'd refer back to a blog post I'd written two years ago when I started writing IWS, specifically the section of the post entitled "The "Ask"". Okay, I know that there's a lot going on in the TwitterVerse, and that two year is multiple lifetimes in Internet time. And I know that not everyone sees nor ingests everything, and for those who do see things or tweets, if they have no relevance at the time, then "meh". I get it. I'm subject to it myself.
Okay, so, just to be clear...I'm not addressing that tweet in order to call someone out for not paying attention, or missing something. Not at all. I felt that this was a very good opportunity to provide clarity around and set expectations regarding the book, now that it's out. The longer response to the tweet question, the one that doesn't fit neatly into a tweet, is also two-fold; one, I could not find a Windows 10 image online that would have fit that into that chapter. The idea at the core of writing the book was to provide a view into the analysis process, so that analysts could have something with which they could follow along.
The second part of the answer is that it's about the process; the analysis process should hold regardless of the version of Windows examined. Yes, the technical and tactical mechanics may change, but the process itself holds, or should hold. So, rather than focusing on, "wow, there's a whole section that addresses Windows XP...WTF??", I'd ask that the focus should be on documenting an analysis plan, documenting case notes, and documenting what was learned from the analysis, and then rolling that right back into the analysis process. After all, the goal of the book is NOT to state that this is THE way to analyze a Windows system for malware, but to show the value of having a living, breathing, growing, documented, repeatable analysis process.
Also, I was engaged in analyzing systems impacted by NotPetya during the early summer of 2017. Another analyst on our team received several images from an impacted client, all of which were XP and 2003. So, yes, those systems are still out there and still actively being used by clients.
Books
One of the challenges of writing books is keeping people informed as to what's coming, and giving them the opportunity to have input. For example, after IWS was published, someone who follows me on social media said that they had no idea that there was a new book coming out. I wanted to take the opportunity (again) to let others know what was coming, what I'm working on, in an effort to not just set expectations, but to see if anyone has any thoughts or comments that might drive the content itself.
This new book is titled Practical Windows Investigations, and the current chapters are:
1. Core Concepts
2. How to analyze Windows Event Logs
3. How to get the most out of RegRipper
4. Malware Detection
5. How to determine data exfiltration
6. File (LNK, DOCX/DOC, PDF) Analysis
7. How to investigate lateral movement
8. How to investigate program execution
9. How to investigate user activity
10. How to correlate/associate a device with a user (USB, Bluetooth)
11. How to detect/analyze the use of anti-forensics
12. Making use of VSCs
PWI differs from the current IWS in that it's about halfway between my previous books and IWS. What I mean by that is my previous books listed artifacts, how to parse them, their potential value during an investigation, but left it to the analyst to stitch the analysis together. IWS was more of a cradle-to-grave approach to an investigation, relying on publicly available images so that a reader could follow along, if they chose to do so. As such, IWS was somewhat restricted to what was available; PWI is intended to address some of those things that weren't available through the images used in IWS.
I'm going to leave that right there...
RegRipper Plugins
I recently released a couple of new plugins. One is "appkeys.pl", which offers an interesting persistence mechanism, based on Adam's blog post. Oh, and there's the fact that it's been seen in the wild, too...so, yeah.
The other is "slack.pl", which extracts slack space from Registry cells, and parses the retrieved data for keys and values. In my own testing, I've got it parsing keys and values, but just the data from those cell types. As of yet, I haven't seen a value cell, for example, that included the value data, just the name. It's there if you need it, and I hope folks find value in it.
LNK Parsing
While doing some research into LNK 'hotkeys' recently, I ran across Adam's blog post regarding the use of the AppKey subkeys in the Registry. I found this pretty fascinating, even though I do not have media keys on my keyboard, and as such, I wrote a plugin (aptly named "appkeys.pl") to pull this information from the Registry. I also created "appkeys_tln.pl" to extract those subkeys with "ShellExecute" values, and send the info to STDOUT in TLN format.
Adam also pointed out in his post that this isn't something that was entirely theoretical; it's been seen in the wild. As such, something like this takes on even greater significance.
Adam also provided a link to MS's keyboard mappings. By default, the subkey numbered "17" points to a CLSID, which translates to "My Computer".
Fun with Flags
There was a really interesting Twitter thread recently regarding a BSides Perth talk on APT LNK files. During the thread, Nick Carr pointed out MS had recently updated their LNK format specification documentation. During the discussion, Silas mentioned the LinkFlags field, and I thought, oh, here's a great opportunity to write another blog post, and work in a "The Big Bang Theory" reference. More to the point, however, I thought that by parsing the LinkFlags field, there might be an opportunity to identify toolmarks from whatever tool or process was used to create the LNK file. As such, I set about updating my parser to not only look for those documented flags that are set, but to also check the unused flags. I should also note that Silas recently updated his Python-based LNK parser, as well.
During a follow-on exchange on Twitter on the topic, @Malwageddon pointed me to this sample, and I downloaded a copy, naming it simply "iris" on my analysis system. I had to disable Windows Defender on my system, as downloading it or accessing it in any way, even via one of my tools, causes the file to be quarantined.
Doing a Google search for "dikona", I found this ISC handler post, authored by Didier Stevens. Didier's explanation is very thorough.
In order to do some additional testing, I used the VBS code available from Adam's blog post to create a LNK file that includes a "hotkey" field. In Adam's example, he uses a hotkey that isn't covered in the MS documentation, and illustrates that other hotkeys can be used, particularly for malicious purposes. For example, I modified Adam's example LNK file to launch the Calculator when the "Caps Lock" key was hit; it worked like a champ, even when I hit the "Caps Lock" key a second time to turn off the functionality on my keyboard. Now, image making that LNK file hidden from view on the Desktop...it does make a very interesting malware persistence method.
Additional Stuff:
Values associated with the ShowWindow function - the LNK file documentation describes a 4 byte ShowCommand value, and only includes 3 values with their descriptions in the specification; however, there are other values, as demonstrated in Adam's post.
Support in the Industry
On 4 July, Alexis tweeted regarding the core reasons that should be behind our motivation for giving back to the community. Yes, I get that this tweet was directed at content producers, as well as those who might be thinking about producing content. His statement about the community not owing us engagement or feedback is absolutely correct, however disheartening I might have found that statement, and the realization, to be. But like I said, he's right. So, if you're going to share something, first look at why you're sharing. If you're doing it to get feedback (like I very often do...), then you have to accept that you're likely not going to get it. If you're okay with that, cool...fire away. This is something I've had to come to grips with, and doing so has changed the way (and what) I share. I think that it also predicates how others share, as well. What I mean is, why put in the effort of a thorough write-up in a blog post or an article, publishing it somewhere, when it's so much easier to just put it into a tweet (or two, or twelve...). In fact, by tweeting it, you'll likely get much more feedback (in likes and RTs) than you would otherwise, even though stuff tweeted has a lifespan comparable to a fruit fly.
More recently, Alexis shared this blog post. I thought that this was a very interesting perspective to take, given that when I've engaged with others specifically about just offering a "thank you", I've gotten back some pretty extreme, absolutist comments in return. For example, when I suggested that if someone shares a program or script that you find useful, one should say, "thank you", one tweeter responded that he's not going to say "thank you" every time he uses the script. That's a little extreme, not what I intended, and not what I was suggesting at all. But I do support Alexis' statement; if you find value in something that someone else put out there, express your gratitude in some manner. Say "thank you", write a review of the tool, comment on the blog post, whatever. While the imposter syndrome appears to be something that an individual needs to deal with, I think as a community, we can all help others overcome their own imposter syndrome by providing some sort of feedback.
As a side note, the imposter syndrome is not something isolated to the DFIR community...not at all. I've talked to a number of folks in other communities (threat intel, etc.) who have expressed realization of their own imposter syndrome.
Alexis also shared some additional means by which the community can support efforts in the field, and one that comes to mind is the request made by the good folks at Arsenal Recon. Their image mounter, called "AIM", provides a great capability, one that they're willing to improve with support from the community.
Folks have started receiving the copies of IWS they ordered, and folks like Joey and Mary Ellen have already posted reviews! Mary Ellen has also gone so far as to post her review the Amazon page for the book!
Some have also pointed out that the XP image from Lance's practical is no longer available. Sorry about that but I was using the image, and don't have access to, nor control over the site itself. However, the focus of the book is the process, and choosing to use available images, I thought, would provide more value, as readers could follow along.
Addendum, 7 Oct: Thanks to the wonderful folks from the TwitterVerse who pointed out archive.org as a resource, the XP image can be found here!
Speaking of images, I got an interesting tweet the other day, asking why Windows 10 wasn't mentioned in ch. 2 of the book. The short answer is two-fold; one, because it wasn't used/addressed. For the second part of the answer, I'd refer back to a blog post I'd written two years ago when I started writing IWS, specifically the section of the post entitled "The "Ask"". Okay, I know that there's a lot going on in the TwitterVerse, and that two year is multiple lifetimes in Internet time. And I know that not everyone sees nor ingests everything, and for those who do see things or tweets, if they have no relevance at the time, then "meh". I get it. I'm subject to it myself.
Okay, so, just to be clear...I'm not addressing that tweet in order to call someone out for not paying attention, or missing something. Not at all. I felt that this was a very good opportunity to provide clarity around and set expectations regarding the book, now that it's out. The longer response to the tweet question, the one that doesn't fit neatly into a tweet, is also two-fold; one, I could not find a Windows 10 image online that would have fit that into that chapter. The idea at the core of writing the book was to provide a view into the analysis process, so that analysts could have something with which they could follow along.
The second part of the answer is that it's about the process; the analysis process should hold regardless of the version of Windows examined. Yes, the technical and tactical mechanics may change, but the process itself holds, or should hold. So, rather than focusing on, "wow, there's a whole section that addresses Windows XP...WTF??", I'd ask that the focus should be on documenting an analysis plan, documenting case notes, and documenting what was learned from the analysis, and then rolling that right back into the analysis process. After all, the goal of the book is NOT to state that this is THE way to analyze a Windows system for malware, but to show the value of having a living, breathing, growing, documented, repeatable analysis process.
Also, I was engaged in analyzing systems impacted by NotPetya during the early summer of 2017. Another analyst on our team received several images from an impacted client, all of which were XP and 2003. So, yes, those systems are still out there and still actively being used by clients.
Books
One of the challenges of writing books is keeping people informed as to what's coming, and giving them the opportunity to have input. For example, after IWS was published, someone who follows me on social media said that they had no idea that there was a new book coming out. I wanted to take the opportunity (again) to let others know what was coming, what I'm working on, in an effort to not just set expectations, but to see if anyone has any thoughts or comments that might drive the content itself.
This new book is titled Practical Windows Investigations, and the current chapters are:
1. Core Concepts
2. How to analyze Windows Event Logs
3. How to get the most out of RegRipper
4. Malware Detection
5. How to determine data exfiltration
6. File (LNK, DOCX/DOC, PDF) Analysis
7. How to investigate lateral movement
8. How to investigate program execution
9. How to investigate user activity
10. How to correlate/associate a device with a user (USB, Bluetooth)
11. How to detect/analyze the use of anti-forensics
12. Making use of VSCs
PWI differs from the current IWS in that it's about halfway between my previous books and IWS. What I mean by that is my previous books listed artifacts, how to parse them, their potential value during an investigation, but left it to the analyst to stitch the analysis together. IWS was more of a cradle-to-grave approach to an investigation, relying on publicly available images so that a reader could follow along, if they chose to do so. As such, IWS was somewhat restricted to what was available; PWI is intended to address some of those things that weren't available through the images used in IWS.
I'm going to leave that right there...
RegRipper Plugins
I recently released a couple of new plugins. One is "appkeys.pl", which offers an interesting persistence mechanism, based on Adam's blog post. Oh, and there's the fact that it's been seen in the wild, too...so, yeah.
The other is "slack.pl", which extracts slack space from Registry cells, and parses the retrieved data for keys and values. In my own testing, I've got it parsing keys and values, but just the data from those cell types. As of yet, I haven't seen a value cell, for example, that included the value data, just the name. It's there if you need it, and I hope folks find value in it.
LNK Parsing
While doing some research into LNK 'hotkeys' recently, I ran across Adam's blog post regarding the use of the AppKey subkeys in the Registry. I found this pretty fascinating, even though I do not have media keys on my keyboard, and as such, I wrote a plugin (aptly named "appkeys.pl") to pull this information from the Registry. I also created "appkeys_tln.pl" to extract those subkeys with "ShellExecute" values, and send the info to STDOUT in TLN format.
Adam also pointed out in his post that this isn't something that was entirely theoretical; it's been seen in the wild. As such, something like this takes on even greater significance.
Adam also provided a link to MS's keyboard mappings. By default, the subkey numbered "17" points to a CLSID, which translates to "My Computer".
Fun with Flags
There was a really interesting Twitter thread recently regarding a BSides Perth talk on APT LNK files. During the thread, Nick Carr pointed out MS had recently updated their LNK format specification documentation. During the discussion, Silas mentioned the LinkFlags field, and I thought, oh, here's a great opportunity to write another blog post, and work in a "The Big Bang Theory" reference. More to the point, however, I thought that by parsing the LinkFlags field, there might be an opportunity to identify toolmarks from whatever tool or process was used to create the LNK file. As such, I set about updating my parser to not only look for those documented flags that are set, but to also check the unused flags. I should also note that Silas recently updated his Python-based LNK parser, as well.
During a follow-on exchange on Twitter on the topic, @Malwageddon pointed me to this sample, and I downloaded a copy, naming it simply "iris" on my analysis system. I had to disable Windows Defender on my system, as downloading it or accessing it in any way, even via one of my tools, causes the file to be quarantined.
Doing a Google search for "dikona", I found this ISC handler post, authored by Didier Stevens. Didier's explanation is very thorough.
In order to do some additional testing, I used the VBS code available from Adam's blog post to create a LNK file that includes a "hotkey" field. In Adam's example, he uses a hotkey that isn't covered in the MS documentation, and illustrates that other hotkeys can be used, particularly for malicious purposes. For example, I modified Adam's example LNK file to launch the Calculator when the "Caps Lock" key was hit; it worked like a champ, even when I hit the "Caps Lock" key a second time to turn off the functionality on my keyboard. Now, image making that LNK file hidden from view on the Desktop...it does make a very interesting malware persistence method.
Additional Stuff:
Values associated with the ShowWindow function - the LNK file documentation describes a 4 byte ShowCommand value, and only includes 3 values with their descriptions in the specification; however, there are other values, as demonstrated in Adam's post.
Support in the Industry
On 4 July, Alexis tweeted regarding the core reasons that should be behind our motivation for giving back to the community. Yes, I get that this tweet was directed at content producers, as well as those who might be thinking about producing content. His statement about the community not owing us engagement or feedback is absolutely correct, however disheartening I might have found that statement, and the realization, to be. But like I said, he's right. So, if you're going to share something, first look at why you're sharing. If you're doing it to get feedback (like I very often do...), then you have to accept that you're likely not going to get it. If you're okay with that, cool...fire away. This is something I've had to come to grips with, and doing so has changed the way (and what) I share. I think that it also predicates how others share, as well. What I mean is, why put in the effort of a thorough write-up in a blog post or an article, publishing it somewhere, when it's so much easier to just put it into a tweet (or two, or twelve...). In fact, by tweeting it, you'll likely get much more feedback (in likes and RTs) than you would otherwise, even though stuff tweeted has a lifespan comparable to a fruit fly.
More recently, Alexis shared this blog post. I thought that this was a very interesting perspective to take, given that when I've engaged with others specifically about just offering a "thank you", I've gotten back some pretty extreme, absolutist comments in return. For example, when I suggested that if someone shares a program or script that you find useful, one should say, "thank you", one tweeter responded that he's not going to say "thank you" every time he uses the script. That's a little extreme, not what I intended, and not what I was suggesting at all. But I do support Alexis' statement; if you find value in something that someone else put out there, express your gratitude in some manner. Say "thank you", write a review of the tool, comment on the blog post, whatever. While the imposter syndrome appears to be something that an individual needs to deal with, I think as a community, we can all help others overcome their own imposter syndrome by providing some sort of feedback.
As a side note, the imposter syndrome is not something isolated to the DFIR community...not at all. I've talked to a number of folks in other communities (threat intel, etc.) who have expressed realization of their own imposter syndrome.
Alexis also shared some additional means by which the community can support efforts in the field, and one that comes to mind is the request made by the good folks at Arsenal Recon. Their image mounter, called "AIM", provides a great capability, one that they're willing to improve with support from the community.
First Review of IWS
The written first review of IWS comes from Joey Victorino, a consultant with the IBM X-Force IRIS team. Joey sent me his review via LinkedIn, and graciously allowed me to post it here. Here are Joey's thoughts on the book, in his own words:
I've been a fan of Harlan Carvey ever since his first release of Windows Forensic Analysis, 2nd Edition book years ago when I first entered the digital forensics environment. Initially, I had reservations that the new book "Investigating Windows Systems" would be a bit simplistic as I've read quite a bit of forensics books and attended multiple SANS Courses. However, I was wrong, and I really enjoyed this book - especially because Harlan Carvey is an awesome analyst. Essentially, it looks into different scenarios a DFIR professional will encounter throughout their career, by unpacking these scenarios through the eyes of a professional analyst. After the initial evidence is triaged it is then broken down into a conversation about the scenario, with clear examples of what the artifacts are like in this stage of the investigation and then provides practical examples in identifying actionable data and leveraging that as a pivot point to uncover more data. Because of the spread of knowledge, I found it very interesting and very useful to cover off areas where I was a bit unfamiliar with the subject matter. My favorite was "Chapter 4" as it went into Ali Hadi’s “Web Server Case” in a fantastic manner. I've been using this challenge as a method to train junior analysts and another IT professional moving into the DFIR field. His approach to solving the exercise was a great example, of being a consultant performing on-site DFIR with a focus on getting the answers needed quickly, and in a proper manner to be able to allow clients to make important business decisions. Overall, the greatest message learned from this book is that even though there are many different tools, the most effective skill a forensic analyst can have is being able to investigate properly, by analyzing the correct data, and using it to clearly answer the important questions. This would be an excellent book to not only have on the shelf but read and actively reference for DFIR practitioners of all experience levels. Joey Victorino – Consultant IBM X-Force IRIS
Thanks, Joey, for your kind words, and thanks taking the time to share your thoughts on the book. Most importantly, thank you for purchasing and reading my book! My hope is that others find similar interest and value in what I've written.
Addendum, 26 Sept: Mary Ellen posted a review, as well!
I've been a fan of Harlan Carvey ever since his first release of Windows Forensic Analysis, 2nd Edition book years ago when I first entered the digital forensics environment. Initially, I had reservations that the new book "Investigating Windows Systems" would be a bit simplistic as I've read quite a bit of forensics books and attended multiple SANS Courses. However, I was wrong, and I really enjoyed this book - especially because Harlan Carvey is an awesome analyst. Essentially, it looks into different scenarios a DFIR professional will encounter throughout their career, by unpacking these scenarios through the eyes of a professional analyst. After the initial evidence is triaged it is then broken down into a conversation about the scenario, with clear examples of what the artifacts are like in this stage of the investigation and then provides practical examples in identifying actionable data and leveraging that as a pivot point to uncover more data. Because of the spread of knowledge, I found it very interesting and very useful to cover off areas where I was a bit unfamiliar with the subject matter. My favorite was "Chapter 4" as it went into Ali Hadi’s “Web Server Case” in a fantastic manner. I've been using this challenge as a method to train junior analysts and another IT professional moving into the DFIR field. His approach to solving the exercise was a great example, of being a consultant performing on-site DFIR with a focus on getting the answers needed quickly, and in a proper manner to be able to allow clients to make important business decisions. Overall, the greatest message learned from this book is that even though there are many different tools, the most effective skill a forensic analyst can have is being able to investigate properly, by analyzing the correct data, and using it to clearly answer the important questions. This would be an excellent book to not only have on the shelf but read and actively reference for DFIR practitioners of all experience levels. Joey Victorino – Consultant IBM X-Force IRIS
Thanks, Joey, for your kind words, and thanks taking the time to share your thoughts on the book. Most importantly, thank you for purchasing and reading my book! My hope is that others find similar interest and value in what I've written.
Addendum, 26 Sept: Mary Ellen posted a review, as well!
- « Previous Page
- 1
- 2
- 3
- 4
- 5
- …
- 59
- Next Page »