Friday, July 7, 2017

Recovering Luddite?

Growing up Mennonite in Lancaster County with no computer, and no television, only to become a Digital Forensic Analyst and Incident Response Specialist living in New York City, has been quite a journey. My friends tell me the uniqueness of my life requires a blog, but I tell them, I haven't changed much, really.

Personal blog, nothing on here represents my employer.

How to Lose Like a Champion

Some of you may remember that just recently a little side project which I am a part of with Devon Ackerman had been nominated for a very prestigious award in our field of Digital Forensics and Incident Response called the Forensic 4:cast award. Perhaps some of you reading this even voted for us, thank you for that. We didn't walk away with the award and I know this sounds trite, but it truly was an honor just to be nominated. I mean that. It hurt to lose, I don't know how else to phrase it, it really did, but when we lose in life, there can be real value in that, and that's what I'd like to focus on.

The first thing I thought when we didn't win was, what am I going to tell my little girls back home. Of course the truth, but how could I hide my sadness from them and not look like a poor loser! I texted home and an answer shot right back..."We have to show them real life!" That was great advice, and honestly, it was the kick in the [you know what] that I needed!

The reality is, there was a ton of good in our loss. Let's count all of the blessings first. I had finally gotten a chance to meet my partner Devon Ackerman in person, what a joy! I also had the pleasure of meeting more than one person who came up to us to tell us how much value they have gotten out of our project

One of the persons who approached us was Jessica Hyde. Jessica was one of the first persons I met at the conference. She made a point to march right over to us and introduce herself and tell us how much she enjoyed our project. Turns out, she was born a few miles from my home and the next time she visits her parents, she's coming to dinner! But there's one more thing you need to know about Jessica (besides the fact that she is a wicked h@cker and gave one of the most awesome talks at the con). Jessica works for Magnet Forensics, the company that won the award in our category. Yup, that's right folks. Here we were competing against her company, but she had taken it upon herself to come over to us and compliment us on how much she enjoyed our project. Wow! None of us knew at that point who had won the award or who had lost, but I can assure you that when her team won the award and we didn't, she was one of the first persons I reached out to to congratulate.

I had put some thought into what I might write in a blog post in the off-chance that we won, and I think those ideas still hold some value so I'll share some of them below.

I believe that one of the things that makes our DFIR community great, is that we share, but what's ironic (and complicated) about that is, when you look at some of the folks in our space who have shared, and their incredible tools, blog posts, code, etc., it can be rather intimidating, at least to someone like me who sometimes wonders if they'd be more comfortable in a cave.

The other thing about sharing is that when you put yourself out there, you give up some control of your work, which can be scary on different levels. For one, control is a hot-button topic among many security practitioners. We love our controls, but I bet we've all worked for someone who's taken it a bit too far and either (a) not shared enough and kept too many keys to the kingdom to themselves and then the business suffered a single point of failure, or (b) locked-down users to the point they had trouble getting actual work done.

Also, in some respects, sharing can make you vulnerable to criticism (good or bad) - here's an example - if you're a singer-songwriter like myself, you might publish a song and then have someone get a totally different meaning from it, or someone else might hear a lyric incorrectly and have that song take on a whole other meaning. I remember my agent having to explain to me how I shouldn't get so bent out of shape by that. She called it, "poetic license" and went on to point out how it can be a beautiful thing. Afterward, I thought about all the times I had sung the wrong words to popular songs and was guilty of the same myself!

So when I returned home from the conference, my daughters were so excited for me! My oldest asked me, "Mom, what prize did you win for second place?!" And I took such great pleasure in sharing my wonderful life lesson with them, that for a fleeting second, I was almost glad we'd lost.

In closing, I suppose some of the above can be reasons not to publish or post, but our community is built on sharing, and it only gets better if everyone contributes. Don't be afraid! There's a little song I used to sing when I was a child called, "This Little Light of Mine" - I bet some of you know it!  Everyone has an inner light, find yours and let it shine!  Even if all you think you have is a bunch of annotated URL's in a NotePad file floating around somewhere (like yours truly), you can still turn that into something useful for others - and if one person benefits, isn't that winning? Isn't that your real prize?

Wednesday, April 5, 2017

The Little Engine That Could?

The Little Engine That Could by Watty Piper is one of my favorite books to read to my little ones.  It's chock-full of lessons such as The Golden Rule and The Power of Positive Thinking, to name just a couple.  Funny thing is, as an adult, it applies to me these days too.  You see, my partner Devon Ackerman and I have just been nominated for an industry award called the Forensic :4cast Award which is arguably one of the biggest awards in our industry.  We run a little site called and we were nominated as "Digital Forensic Organization of the Year".   We're up against some industry giants, but with your vote, we could (did you get that reference?) win.  It's a long shot, so here's where I humbly and respectfully request your vote, if you feel we've earned itDevon and I are both passionate about DFIR (and malware), and we each have full-time jobs and small children as well, so we do the best we can with the little bit of free time that we have, but we do it with a great love for our industry and the belief that if we think we can, we *will* leave our profession "better than we found it," which is advice I often impart upon my children.

THANK YOU SO MUCH to everyone who nominated us and we'd be honored if you voted for usAs for our competition, Magnet Forensics and Cellebrite (and who doesn’t LOVE those two industry luminaries?!) my thinking is, you can still vote for them in other categories and then choose us for your "Organization of the Year" vote.  Just my personal elevator pitch, but maybe it makes sense?!  Regardless, it’s simply splendid and an honor to be nominated!  Thank you everyone!!!

Sunday, January 22, 2017 Partnership

Today I have the great pleasure of announcing a partnership that has formed between Devon Ackerman and myself.  Devon had been sharing a DFIR resource that was similar to my Threat Intel list but we have now merged those two projects into one bigger and better repository that we host at!

Our merger is still a work in progress so if you don't see a familiar data set, it's probably because we haven't quite ported everythin
g over yet.  One of our goals is to offer continuous, timely and meaningful resources, in a very easy to use format and in one central repository.

I'd like to thank a few people who have been silent cheerleaders during this transition period, offering their support, wisdom, and in some cases their own resources.  David Cowen, who took a big chunk of his very valuable time to answer several questions and offer guidance.  Josh Sutfin, who offered valuable data which we will look forward to adding as time allows.  Matt Bromiley, Harlan Carvey, Phill Moore, and Andreas Sfakianakis, each industry rockstars in their own right, have been so kind to mention my research.

Last but certainly not least, I'd like to thank Devon. Devon quickly became a friend, and when I would get really stressed about the added pressure of a project of this magnitude on top of a full-time job and raising two children (which is another FT job LOL!), he would simply remind me that this was a hobby, and something that we chose to do because it was fun, so no angina allowed!

One more thing, if you're reading this and you are new to the field of DFIR, Threat Intelligence, Malware Analysis/Research or perhaps deciding whether or not to pursue a career in Information Security, I hope you will find our new shared resource DFIR - The Definitive Compendium Project helpful.  There is real community in Security, and one of our goals is to shine a light on that.  Enjoy!