Friday, July 7, 2017

Recovering Luddite?

Growing up Mennonite in Lancaster County with no computer, and no television, only to become a Digital Forensic Analyst and Incident Response Specialist living in New York City, has been quite a journey. My friends tell me the uniqueness of my life requires a blog, but I tell them, I haven't changed much, really.

Personal blog, nothing on here represents my employer.

How to Lose Like a Champion

Some of you may remember that just recently a little side project which I am a part of with Devon Ackerman had been nominated for a very prestigious award in our field of Digital Forensics and Incident Response called the Forensic 4:cast award. Perhaps some of you reading this even voted for us, thank you for that. We didn't walk away with the award and I know this sounds trite, but it truly was an honor just to be nominated. I mean that. It hurt to lose, I don't know how else to phrase it, it really did, but when we lose in life, there can be real value in that, and that's what I'd like to focus on.

The first thing I thought when we didn't win was, what am I going to tell my little girls back home. Of course the truth, but how could I hide my sadness from them and not look like a poor loser! I texted home and an answer shot right back..."We have to show them real life!" That was great advice, and honestly, it was the kick in the [you know what] that I needed!

The reality is, there was a ton of good in our loss. Let's count all of the blessings first. I had finally gotten a chance to meet my partner Devon Ackerman in person, what a joy! I also had the pleasure of meeting more than one person who came up to us to tell us how much value they have gotten out of our project.

One of the persons who approached us was Jessica Hyde. Jessica was one of the first persons I met at the conference. She made a point to march right over to us and introduce herself and tell us how much she enjoyed our project. Turns out, she was born a few miles from my home and the next time she visits her parents, she's coming to dinner! But there's one more thing you need to know about Jessica (besides the fact that she is a wicked h@cker and gave one of the most awesome talks at the con). Jessica works for Magnet Forensics, the company that won the award in our category. Yup, that's right folks. Here we were competing against her company, but she had taken it upon herself to come over to us and compliment us on how much she enjoyed our project. Wow! None of us knew at that point who had won the award or who had lost, but I can assure you that when her team won the award and we didn't, she was one of the first persons I reached out to to congratulate.

I had put some thought into what I might write in a blog post in the off-chance that we won, and I think those ideas still hold some value so I'll share some of them below.

I believe that one of the things that makes our DFIR community great, is that we share, but what's ironic (and complicated) about that is, when you look at some of the folks in our space who have shared, and their incredible tools, blog posts, code, etc., it can be rather intimidating, at least to someone like me who sometimes wonders if they'd be more comfortable in a cave.

The other thing about sharing is that when you put yourself out there, you give up some control of your work, which can be scary on different levels. For one, control is a hot-button topic among many security practitioners. We love our controls, but I bet we've all worked for someone who's taken it a bit too far and either (a) not shared enough and kept too many keys to the kingdom to themselves and then the business suffered a single point of failure, or (b) locked-down users to the point they had trouble getting actual work done.

Also, in some respects, sharing can make you vulnerable to criticism (good or bad) - here's an example - if you're a singer-songwriter like myself, you might publish a song and then have someone get a totally different meaning from it, or someone else might hear a lyric incorrectly and have that song take on a whole other meaning. I remember my agent having to explain to me how I shouldn't get so bent out of shape by that. She called it, "poetic license" and went on to point out how it can be a beautiful thing. Afterward, I thought about all the times I had sung the wrong words to popular songs and was guilty of the same myself!

So when I returned home from the conference, my daughters were so excited for me! My oldest asked me, "Mom, what prize did you win for second place?!" And I took such great pleasure in sharing my wonderful life lesson with them, that for a fleeting second, I was almost glad we'd lost.

In closing, I suppose some of the above can be reasons not to publish or post, but our community is built on sharing, and it only gets better if everyone contributes. Don't be afraid! There's a little song I used to sing when I was a child called, "This Little Light of Mine" - I bet some of you know it!  Everyone has an inner light, find yours and let it shine!  Even if all you think you have is a bunch of annotated URLs in a NotePad file floating around somewhere (like yours truly), you can still turn that into something useful for others - and if one person benefits, isn't that winning? Isn't that your real prize?

Wednesday, April 5, 2017

The Little Engine That Could?

The Little Engine That Could by Watty Piper is one of my favorite books to read to my little ones.  It's chock-full of lessons such as The Golden Rule and The Power of Positive Thinking, to name just a couple.  Funny thing is, as an adult, it applies to me these days too.  You see, my partner Devon Ackerman and I have just been nominated for an industry award called the Forensic 4:cast Award which is arguably one of the biggest awards in our industry.  We run a little site called and we were nominated as "Digital Forensic Organization of the Year".   We're up against some industry giants, but with your vote, we could (did you get that reference?) win.  It's a long shot, so here's where I humbly and respectfully request your vote, if you feel we've earned it. Devon and I are both passionate about DFIR (and malware), and we each have full-time jobs and small children as well, so we do the best we can with the little bit of free time that we have, but we do it with a great love for our industry and the belief that if we think we can, we *will* leave our profession "better than we found it," which is advice I often impart upon my children.

THANK YOU SO MUCH to everyone who nominated us and we'd be honored if you voted for us. As for our competition, Magnet Forensics and Cellebrite (and who doesn't LOVE those two industry luminaries?!) my thinking is, you can still vote for them in other categories and then choose us for your "Organization of the Year" vote.  Just my personal elevator pitch, but maybe it makes sense?!  Regardless, it's simply splendid and an honor to be nominated!  Thank you everyone!!!

Sunday, January 22, 2017

Partnership

Today I have the great pleasure of announcing a partnership that has formed between Devon Ackerman and myself.  Devon had been sharing a DFIR resource that was similar to my Threat Intel list but we have now merged those two projects into one bigger and better repository that we host at!

Our merger is still a work in progress so if you don't see a familiar data set, it's probably because we haven't quite ported everything over yet.  One of our goals is to offer continuous, timely and meaningful resources, in a very easy to use format and in one central repository.

I'd like to thank a few people who have been silent cheerleaders during this transition period, offering their support, wisdom, and in some cases their own resources.  David Cowen, who took a big chunk of his very valuable time to answer several questions and offer guidance.  Josh Sutfin, who offered valuable data which we will look forward to adding as time allows.  Matt Bromiley, Harlan Carvey, Phill Moore, and Andreas Sfakianakis, each industry rockstars in their own right, have been so kind to mention my research.

Last but certainly not least, I'd like to thank Devon. Devon quickly became a friend, and when I would get really stressed about the added pressure of a project of this magnitude on top of a full-time job and raising two children (which is another FT job LOL!), he would simply remind me that this was a hobby, and something that we chose to do because it was fun, so no angina allowed!

One more thing, if you're reading this and you are new to the field of DFIR, Threat Intelligence, Malware Analysis/Research or perhaps deciding whether or not to pursue a career in Information Security, I hope you will find our new shared resource DFIR - The Definitive Compendium Project helpful.  There is real community in Security, and one of our goals is to shine a light on that.  Enjoy!

Sunday, December 4, 2016

Threat Intelligence

UPDATE: Just added a new tab for CTF, Challenges and Sample Image Files, check it out!
I am really looking forward to sharing a new post with the community! 

I revamped my older "Links I Follow" spreadsheet and added a repository of Threat Intelligence portals, Hunt tactics and more malware links.  The new spreadsheet has tabs, so don't miss all three tabs. The "Research" tab has my old "Links I Follow" spreadsheet, with anything new in bold.  A good portion of the entries are free or open source, but if you like something you see and the author asks for a small donation, remember it's nice to give back if you are able.

Some time ago my "IR A-Z" paper was warmly welcomed, as was my list of tools that I shared.  I've since found a whole bunch more tools, but my new list doesn't have very many tools in it; instead I decided to focus my energy on answering a question I received from a former co-worker as well as from some of the listservs I follow.  A few weeks back a good friend texted me, "Do you happen to have a list of blog intel stuff, API feeds, or anything that reports on current malware or phishing?"  Well, turns out I did, but it seems now that I follow Twitter, I come across so much incredible intel every day, that all I have time to do is copy the URL and move on!  I'd had links and links and links that I had saved but not taken the time to add to my spreadsheet!  But I knew, that in order to help my friend, I needed to sit down and take some time to cull through my pile of information and organize some of it.  There's tons more, but it's an infinite process, which at some point I just have to cut my losses and say, here's all I have time to record.

So that's what this post is about.  It's not meant to be an exhaustive directory by any means, and trust me, I've labored over how to categorize things, where to place them in the list, and eventually just ran out of time. So you might find some malware research under Threat Intelligence or some Hunt stuff under Tools, etc.  I did the best I could with the little bit of free time that I had, so please know that the list is far from perfect, but hopefully it will be helpful to the community.

Friday, November 18, 2016

Unofficial Holiday Hack Countdown

I am so eager for this year's SANS Holiday Hack Challenge that I created a fun counter for myself! Thank you to the wonderful Katie Knowles for letting me use her pic!

Wednesday, June 29, 2016

Incident Response: A-Z

Update: I am incredibly humbled by the positive responses I've received since posting my paper on Incident Response A-Z. I am very grateful to each and every person who added their suggestions, and pointed out that glaring mistake on page 6 where I duplicated the first 3 processes.  I was on my way to Disneyland when I noticed it, and was mortified (and humbled in a different way)!  I have just posted a revised and corrected copy/link below.  Thank you again everyone for all your input, that's what makes community great, enjoy!

I began the concept of this paper with one sentence, almost 5 years ago. I have slowly expanded upon that sentence over the past 5 years, and I fully expect that trend to continue. Over the course of chipping away at the paper, I have published portions of it on my blog.

A likely follow-up would be an example investigation, soup to nuts, along with a final report that you would hand to the client. That may be my next endeavor. I started that process recently, but with not a lot of free time in my schedule, I decided to go ahead and publish what I have so far, and if I can eke out enough time to do the rest and tack on other stuff, I certainly will.

The paper is dedicated to my daughters. My 1 year old cannot yet grasp the concept of malware, however while traveling recently and Skyping with my 5 year old who is crazy about princesses and of course “Frozen,” we were sharing stories about our day and I mentioned that I had come across a very interesting piece of malware, to which she responded, “Mom, was it pink malware?!” And thus, "pink malware" was born, because of course I had to come home with some for her.

Lastly, my thoughts and processes are just one of a thousand ways you can approach an incident. I am making no claims that the paper is perfect, or exhaustive. I do, however, hope that someone will find something meaningful that they can take away from it. I recently received a private message from someone anonymously via my blog who encouraged me to keep putting things like this out there because it was incredibly helpful to the DFIR community. I am releasing this paper in the spirit of that post. It’s far from ready for publishing, or complete, but it is good enough for now: It opens to PDF: