Sunday, December 8, 2019

Recovering Luddite?

Growing up Mennonite in Lancaster County with no computer, and no television, only to become a Digital Forensic Analyst and Incident Response Specialist living in New York City, has been quite a journey. My friends tell me the uniqueness of my life requires a blog, but I tell them, I haven't changed much, really.

Personal blog, nothing on here represents my employer.

Save the Date!

I AM FREAKING OUT!! SAVE THE DATE!! If you are in NYC, I am planning an EPIC event the night of 12/17!!!

Download v1.0 of my #KringleCon CheatSheet NOW!  Enjoy!

Saturday, August 17, 2019

Holiday Hack Sneak Peek 2019


It seems the SANS Annual Holiday Hack Challenge buzz begins earlier and earlier every year.  This year is no exception.  My first Holiday Hack CheatSheet of the season is here!  HUGE shout-out to our RedTeam mole, @ssampana_tr for infiltrating the @edskoudis party in Vegas during BlackHat USA DEF CON week and reporting back clues.  Download v1.0 of my #KringleCon CheatSheet NOW!  Enjoy!

Wednesday, March 20, 2019

About DFIR - Moar!

I’m overdue for an update, so here we go!  I came across some pretty cool stuff recently.  I know I’ve said this before, but it really is a fantastic time to be involved in DFIR!

Nick Caldwell won me over with the very first article of his I came across, and he hasn’t disappointed me since!  He’s such a solid force of wisdom: 

The Worst Career Advice I Ever Received

Unless you live in a cave, you probably already knew this, but Eric Zimmerman has a new tool out, looks amazing!  KAPE - Kroll Artifact Parser and Extractor 

I came across this “Malware Dynamic Analysis” nugget by Veronica Kovah, one of so many great and FREE training resources available on 

Microsoft Security Intelligence puts out an annual Report, guess I knew that but forgot about it.  Really enjoyed this most recent one! 

Microsoft's Annual Security Intelligence Report

Podcasts worth mentioning: 

CISO-SecurityVendor Relationship Podcast with David Spark and Mike Johnson:

Defense in Depth Podcast with David Spark and Allan Alford:

Simple Leadership Podcast: 


World Class Investigator Podcast: 


Human Factor Security Podcast: 


The OSINT Podcast: 


Hackable Podcast by McAfee:

Inside Intercom Podcasts: 

ATM Malware Tracker: (Caution Malware!)


13 Cubed DFIR Learning Series: 


Now you can grab it here

Updated BelkaSoft, Carnegie Mellon, and eForensics training listings.

Sunday, January 27, 2019

About DFIR - Catching Up

I took some time this weekend to catch-up a bit with AboutDFIR and add some of the content I've been too busy to share.  I've got tons more, so that will be coming as time allows.  I know Devon has stated it, but I'll reiterate, the links that we add often have context and so I've decided to take a few minutes to add some backstory around the new additions I've made this weekend.

First, under "Certifications and Trainings", I've added the free class The Cuckoo's Egg Decompiled that Chris Sanders gives (yes free, and yep, "the" Chris Sanders!).  Not sure how that wasn't already on here, but hey, now it is, so don't miss that one!  Next, under CTF's (one of my favorite categories), I've added two really cool links from a wonderful gentleman, Mr. John York, whom I met last month while playing the phenomenal "Holiday Hack" that Ed Skoudis and the CounterHack team puts together every year.  John has not only won the annual "Holiday Hack" in the past, he's placed in other years as well.  He teaches at the Shenandoah Valley Governor's School, and has put a unique spin on "Holiday Hack", using it to teach his students about cyber security: KringleCon Lessonized and Holiday Hack 2017 Lessonized.

Then, also through playing "Holiday Hack", I met Mr. Jim Kirn who told me he really likes a tool called OSquery, so I added that under "Intelligence Portals".  And, one more friend I met through "Holiday Hack" (you really need to play that CTF because you make so many wonderful friends) is Mr. Mike Felch.  I actually met Mr. Felch through playing "Holiday Hack" last year, but we reconnected again this year and I realized he is part of the CoinSec PodCast, so check that out.

For all the OSCP fans out there, I came across a real gem that's really gonna help you "Try harder", and he's from my hometown!  I can't wait to buy him a soda next time I'm in Lancaster, PA!  Shout-out to Mr. Michael LaSalvia and his Youtube Channel: Path to OSCP - he's got other really great videos on there as well.  He's totally passionate and such a great teacher!

Then, there's the Google Phishing Quiz that was all over Twitter this past week, so I stuck that under the "Malware Analysis" section. I also learned about yet another ISAC, the Health-ISAC, so I added that one along-side all the others we have listed.

Lastly, I had the great privilege of sitting down to lunch with Evan Gaustad who used to work for Target and has now branched out on his own. Evan is no stranger to the stages of large conferences and it's not every day that I get to chew the fat with someone of his ilk, so that was a really great treat. Evan told me how much he really likes using  LogicHub  and so I added that tool under "Intelligence Portals".

Saturday, December 15, 2018

HolidayHack 2018 CheatSheet

SANS HolidayHack 2018 is going to drop any hour now.  I've compiled a list of tips that I've come across to help get you started.  Enjoy!

HolidayHackCheatSheet 2018

Wednesday, September 26, 2018

DFIR Field Manual?

“Investigating Windows Systems” by Harlan Carvey was a great read on so many different levels for me. After binge-reading it over a weekend, I was so excited about it that the following Monday morning I found myself almost shouting at warp-speed to a co-worker about why it was such an important read.  Our chat reminded me of something I had thought about while still making my way through the book.  How could a book so compact, contain that much valuable information?!  I actually believe this book could have been titled, “DFIR Field Manual”, or “DFIRFM.”

For one thing, the book was easily digestible.  At times, I found myself “playing along”, almost like a CTF.  That’s because the book takes you (step-by-step) on an analyst’s journey through several investigations, and invites you to follow-along by downloading all the free images and open source tools the author is using to walk you through.  You get to learn alongside a seasoned veteran, almost in real-time, and observe, even as critical case decisions are being made along the way.

The book felt really timely to me.  I’d recently been following some thought-provoking discourse around the pronounced differences between the “DF” and “IR” of “DFIR” - Digital Forensics and Incident Response, and have even myself gotten into some rather animated discussions during time-sensitive incidents asking, “Where’s our DirListing?!” or, “May I please just have a DirListing!”

The book had a recurring theme for me, and that was, the steps you take regardless of the type of investigation, are often consistent.  Why?  Low hanging fruit!  My take-away was that Harlan almost always makes a visual inspection of the data before he does anything else.  That is not just to verify that he has an image that isn’t damaged, but it’s also so that he can identify outliers rather quickly, such as a batch file sitting in the root of C:\ - might be nothing, but could be something.  Things that make you go, “hmmm”.

Another important concept I learned was the art of discernment and how critical that can be to your end-goal (which an analyst must keep in mind is often guided by a paying client, not your own curiosity).  So, should you choose to dive down a rabbit-hole, (and we all do), a concise analysis plan will help keep you on track, and he shows you how.

As our digital landscape continues to grow, and the average size of hard drives (and memory) gets larger and larger, sometimes it can seem like we’re trying to “boil the ocean”.  To combat that, Harlan teaches us the art of timelining and how that process can help you streamline your analysis by distilling down the data and filtering out the noise.  Additionally, we learn that we have tiered options in our approach, so that we don’t lose meaningful data by doing so; mini, micro, and even nano timelines.

I also learned how to “fail fast”.  Trust me, when you have a client or upper management breathing down your neck for answers, you’ll be glad you grasped that concept.  Regardless of how long you’ve been in the field, you will be astounded at the knowledge you acquire from this book.  New folks might learn not to assume that malware or “hacking tools” simply sitting on a system, are bad.  On the contrary, they’ll become proficient in how to prove whether or not those tools were launched, and how they might have been used.  Or, what local accounts on a system with no profile might mean, and how FTP being run from a browser might be overlooked as it leaves fewer artifacts and in “unusual” places.  Even TimeStomping is covered, as well as using the “Conversations” filter in WireShark to “Follow Stream”.  It’s all there!

The book also tackles another topic I’ve been seeing articles around recently – Sufficiency.  How much data is enough data for us to come to our analysis goals?  Lately that’s been on a lot of people’s minds.  Well, perhaps that answer depends.  For example, have we answered the questions the (paying) principal has asked of us?  It also pivots on another very important case concept – have we, as the investigator, helped our client ask the right questions, because they don’t always know themselves what questions they need to be asking.  If so, and we’ve come to a solid conclusion, then yes, we can confidently state that “our work here is done!”  Even more so, if the principal cannot articulate those questions, and in fact leaves you with almost no information to begin your quest, how do you still make magic happen?  Those answers are all in the book, and the reader is steadily guided through every scenario.

You’ll learn what persistence can look like, and how to spot it.  You’ll grasp what the artifacts of “staging” resemble, whether it’s being done by an advanced adversary, or an insider who’s ready to bolt.  You will also learn how not to allow your own analysis to create a red herring in your case, in other words, if you detonate a piece of malware from the Desktop of your VM, you need to understand that you might be building artifacts that would not be present had it been introduced via its native vector (email, URL, USB), and what those are so you don’t include them in your findings.  You might even find a new trick for using Calc.exe.

I also learned a new thought process around triaging malware that I hadn’t read before and found it to be quite clever.  Execute the sample, let it run for a bit, then shut the box down and grab an image.  Then you can perform analysis to examine the complete file system after the malware runs.  Perhaps not all incidents have time for that, but I thought it was a brilliant methodology.  I typically use RegShot or other tools to snapshot the Registry state before (and after) I run a sample, but now I no longer need to chance missing anything that the malware might have changed.

In conclusion, it truly is fascinating how much ground the book covers in such a concise manner, which I believe can only be attributed to the author being both an accomplished writer, and a seasoned investigator.  Whether you’re running-to-ground File System Tunneling, WindowsXP, Windows10, a Web Server running iis or Apache, it’s all covered in the book, and with log locations and examples.  You. Will. NOT. Be. Disappointed!