Wednesday, April 5, 2017

Recovering Luddite?

Growing up Mennonite in Lancaster County with no computer, and no television, only to become a Digital Forensic Analyst and Incident Response Specialist living in New York City, has been quite a journey. My friends tell me the uniqueness of my life requires a blog, but I tell them, I haven't changed much, really.

Personal blog, nothing on here represents my employer.

The Little Engine That Could?

The Little Engine That Could by Watty Piper is one of my favorite books to read to my little ones.  It's chock-full of lessons such as The Golden Rule and The Power of Positive Thinking, to name just a couple.  Funny thing is, as an adult, it applies to me these days too.  You see, my partner Devon Ackerman and I have just been nominated for an industry award called the Forensic :4cast Award which is arguably one of the biggest awards in our industry.  We run a little site called and we were nominated as "Digital Forensic Organization of the Year".   We're up against some industry giants, but with your vote, we could (did you get that reference?) win.  It's a long shot, so here's where I humbly and respectfully request your vote, if you feel we've earned itDevon and I are both passionate about DFIR (and malware), and we each have full-time jobs and small children as well, so we do the best we can with the little bit of free time that we have, but we do it with a great love for our industry and the belief that if we think we can, we *will* leave our profession "better than we found it," which is advice I often impart upon my children.

THANK YOU SO MUCH to everyone who nominated us and we'd be honored if you voted for usAs for our competition, Magnet Forensics and Cellebrite (and who doesn’t LOVE those two industry luminaries?!) my thinking is, you can still vote for them in other categories and then choose us for your "Organization of the Year" vote.  Just my personal elevator pitch, but maybe it makes sense?!  Regardless, it’s simply splendid and an honor to be nominated!  Thank you everyone!!!

Sunday, January 22, 2017 Partnership

Today I have the great pleasure of announcing a partnership that has formed between Devon Ackerman and myself.  Devon had been sharing a DFIR resource that was similar to my Threat Intel list but we have now merged those two projects into one bigger and better repository that we host at!

Our merger is still a work in progress so if you don't see a familiar data set, it's probably because we haven't quite ported everythin
g over yet.  One of our goals is to offer continuous, timely and meaningful resources, in a very easy to use format and in one central repository.

I'd like to thank a few people who have been silent cheerleaders during this transition period, offering their support, wisdom, and in some cases their own resources.  David Cowen, who took a big chunk of his very valuable time to answer several questions and offer guidance.  Josh Sutfin, who offered valuable data which we will look forward to adding as time allows.  Matt Bromiley, Harlan Carvey, Phill Moore, and Andreas Sfakianakis, each industry rockstars in their own right, have been so kind to mention my research.

Last but certainly not least, I'd like to thank Devon. Devon quickly became a friend, and when I would get really stressed about the added pressure of a project of this magnitude on top of a full-time job and raising two children (which is another FT job LOL!), he would simply remind me that this was a hobby, and something that we chose to do because it was fun, so no angina allowed!

One more thing, if you're reading this and you are new to the field of DFIR, Threat Intelligence, Malware Analysis/Research or perhaps deciding whether or not to pursue a career in Information Security, I hope you will find our new shared resource DFIR - The Definitive Compendium Project helpful.  There is real community in Security, and one of our goals is to shine a light on that.  Enjoy!

Sunday, December 4, 2016

Threat Intelligence

UPDATE: Just added a new tab for CTF, Challenges and Sample Image Files, check it out!
I am really looking forward to sharing a new post with the community! 

I revamped my older "Links I Follow" spreadsheet and added a repository of Threat Intelligence portals, Hunt tactics and more malware links.  The new spreadsheet has tabs, so don't miss all three tabs. The "Research" tab has my old "Links I Follow" spreadsheet, with anything new in bold.  A good portion of the entries are free or open source, but if you like something you see and the author asks for a small donation, remember it's nice to give back if you are able.

Some time ago my "IR A-Z" paper was warmly welcomed, as was my list of tools that I shared.  I've since found a whole bunch more tools, but my new list doesn't have very many tools in it, instead I decided to focus my energy on answering a question I received from a former co-worker as well as from some of the listserv's I follow.  A few weeks back a good friend texted me, "Do you happen to have a list of blog intel stuff, API feeds, or anything that reports on current malware or phishing?"  Well, turns out I did, but it seems now that I follow Twitter, I come across so much incredible intel every day, that all I have time to do is copy the URL and move on!  I'd had links and links and links that I had saved but not taken the time to add to my spreadsheet!  But I knew, that in order to help my friend, I needed to sit down and take some time to cull through my pile of information and organize some of it.  There's tons more, but it's an infinite process, which at some point I just have to cut my losses and say, here's all I have time to record.

So that's what this post is about.  It's not meant to be an exhaustive directory by any means, and trust me, I've labored over how to categorize things, where to place them in the list, and eventually just ran out of time. So you might find some malware research under Threat Intelligence or some Hunt stuff under Tools, etc.  I did the best I could with the little bit of free time that I had, so please know that the list is far from perfect, but hopefully it will be helpful to the community.

Friday, November 18, 2016

Unofficial Holiday Hack Countdown

I am so eager for this year's SANS Holiday Hack Challenge that I created a fun counter for myself! Thank you to the wonderful Katie Knowles for letting me use her pic!

Wednesday, June 29, 2016

Incident Response: A-Z

Update: I am incredibly humbled by the positive responses I've received since posting my paper on Incident Response A-Z. I am very grateful to each and every person who added their suggestions, and pointed out that glaring mistake on page 6 where I duplicated the first 3 processes.  I was on my way to Disneyland when I noticed it, and was mortified (and humbled in a different way)!  I have just posted a revised and corrected copy/link below.  Thank you again everyone for all your input, that's what makes community great, enjoy!

I began the concept of this paper with one sentence, almost 5 years ago. I have slowly expanded upon that sentence over the past 5 years, and I fully expect that trend to continue. Over the course of chipping away at the paper, I have published portions of it on my blog.

A likely follow-up would be an example investigation, soup to nuts, along with a final report that you would hand to the client. That may be my next endeavor. I started that process recently, but with not a lot of free time in my schedule, I decided to go ahead and publish what I have so far, and if I can eke out enough time to do the rest and tack on other stuff, I certainly will.

The paper is dedicated to my daughters. My 1 year old cannot yet grasp the concept of malware, however while traveling recently and Skyping with my 5 year old who is crazy about princesses and of course “Frozen,” we were sharing stories about our day and I mentioned that I had come across a very interesting piece of malware, to which she responded, “Mom, was it pink malware?!” And thus, "pink malware" was born, because of course I had to come home with some for her.

Lastly, my thoughts and processes are just one of a thousand ways you can approach an incident. I am making no claims that the paper is perfect, or exhaustive. I do, however, hope that someone will find something meaningful that they can take away from it. I recently received a private message from someone anonymously via my blog who encouraged me to keep putting things like this out there because it was incredibly helpful to the DFIR community. I am releasing this paper in the spirit of that post. It’s far from ready for publishing, or complete, but it is good enough for now: It opens to PDF:

Monday, May 30, 2016

Memorial Day Blessings

This past weekend I had the privilege of participating in a memorial service for a loved one in San Diego. Our beloved grandfather (through marriage, and great-grandfather to our children) passed away last week, and we all scrambled to fly to San Diego and celebrate his life.

Being a Mennonite, I had not previously had an opportunity to be exposed to a ceremony which included military honors. However, I have always adopted the philosophy that although our Mennonite theology is one of pacifism, we would not be able to have the choice to worship freely if those liberties hadn't been defended, fought for, and if many hadn't sacrificed their lives for them. So my belief on that matter has always been a very thoughtful one, and quite frankly with the threats our nation now faces, well, it's complicated,,,but I digress.

While poring over many photographs and memories of our dear grandfather, I learned about the Murmansk Run and how dangerous that passage was during World War II. So dangerous in fact that our grandfather, who was a Gunner in the Navy, had earned a Bronze Star and a Purple Heart.

The graveside message that the Reverend left us with will stick with me for a very long time. He opened by saying, "No matter what your political beliefs are in this heated election year, there's nothing that unifies us greater than the loss of someone who has served our country."

And that, my friends, is why I have had many conversations over the course of this Memorial Day weekend, to stop, pause, and make sure my 6 year-old and my 2 year-old, understand why they have the day off school, and how important Memorial Day is, not just today, but every single day.  Blessings to all the families who have lost a loved one who has made the ultimate sacrifice, and to all who are serving and have served our great country.