I hope everyone has a great Thanksgiving. I am going to attempt to deep fry a Turkey tonight so I wanted to get a blog post up in case it’s my last words! There’s often discussion about how to get started in #DFIR or how to get to the next level for those already in the field. Therefore, I thought it be relevant on this day to take a few minutes to write about some things I am thankful for that have helped me be successful in my #DFIR career.
#Resources (aka weapons)
I like to use the analogy that the #DFIR battle ground is like a role playing video game. A new game provides your character with the essentials and through the course of your game, you accumulate weapons to build the capabilities of your character.
In #DFIR it’s not too much different. Knowing all the answers from the start is not conceivable but knowing where to look for all the answers can be. Therefore, having a arsenal of weapons including blogs, white papers, tools, and even contacts are what enables me on a daily basis to provide answers to questions, solve problems, and prepare for that next battle with the “SASPDT” – Sometimes Advanced, Sometimes Persistent, Definitely a Threat.
I am confident that my arsenal of weapons is what has made me a valuable character on the #DFIR battleground similar to certain video game characters. The only difference is the "SASPDT" can’t steal the account credentials to ME unlike those pesty video game characters. For this I am again thankful of my arsenal of forensic weapons (aka resources).
#Challenges
DFIR is not an easy career to “just get by” in. What makes it so difficult? Well I think there are a few factors including the constant changes in technology, process, and interpretation. One’s ability to not only adapt to these changes but help shape the changes are what (in my opinion) separates the button pressers from button builders. This notion of keeping “cutting edge” in the field can be challenging because it can require time, passion, research, and sometimes even ability to develop. However, the reward of solving a challenge often outweighs the effort.
Personally, I have not always been an “eager beaver” for challenges. I have found that a lack in confidence and belief in your abilities will refrain one (including me) from even trying. One specific challenge that I will always be thankful for was when Ed, my boss, provided me with my first opportunity to respond to a suspected network intrusion. I’ll never forget the conversation we had leading up to it, where I literally tried to convince him I was under qualified and the only thing I was prepared to do was fail. Despite my thoughts, he believed in my abilities, and framed it in a way that gave me confidence to try and succeed. This taught me (1) not to be afraid to try something outside what I was comfortable with and (2) opened the door to an entirely new passion of mine – network intrusions – that would be unknown to me if it wasn’t for facing a challenge in my career.
Today, I am thankful that challenges are a fundamental part of everything I do. I enjoy waking up every day knowing I could face potential problems that there aren’t solutions too. This gives me the energy and motivation to try to do something new or different… like changing the world one megabyte at a time! :-)
#Role Models & Mentors
Something I did early on in my career was not only identify select role models but identify what characteristic(s) made them role models to me. For instance, I have always looked up to all the SANS facility (Rob, Paul, Hal, Chad, Alissa, etc..) as role models. Not so much for their “know how” but their unique abilities to articulate and communicate technical knowledge.. now that's something in my opinion that can be one of the most valuable skills. I have then relied on my mentors (Jim, Brian, Steve, J, etc) to help guide me in following the footsteps of my role models.
Thanks to all my technical and non-technical role models and mentors I have grown personally and professionally in my career in ways I could never accomplish individually.
#Community
I am most thankful for an awesome #DFIR community. How many other communities are out there that have people and organizations so inclined to help others, contribute free tools, and advance capabilities? Also I have met countless new friends thanks to this career path.
#Material things ; -)
- RAM – Because the expensive tools don’t work without it.
- SSD HDDS – So when the expensive tools crash my computer, I can reboot quickly!
- New Log2timeline– Can you say super timeline analysis?
- Volatility– When I thought I had enough to look at with hdds, now there’s even more with memory analysis.
- Python– Because it’s better then Perl.
- VMware Fusion– Allows me to literally swap with 4 fingers between 5 different Operating Systems.
- Dual 24” inch monitors– Helps me be make up for productivity in other areas
- DFIROnline and DFM– Webcasts and good reads
- VSC toolset– Makes VSC analysis pretty easy!
- Logicube Dossier– 5-7GB per minute 2 disk duplicator, need I say more?
- TZworks stuff– Lots of great stuff.
- GitHub - Store all my code in the cloud.
- SharePoint 2010 - Allows me to collaborate with teams on the same documents like Google docs.
- Gizmodo.com - My favorite tech blog.
- SANS 508 - I felt like this class really polished my skills.
- WFA Toolkit 3E - Great book and reference guide. Hope to have a iPad copy soon.
- Sprint 4G LTE hotspot - Allows me to be connected anywhere just like I am in the office :)
- ImDisk Virtual Disk Driver - great free image mounting tool
- SQLite - Quick and dirty backend to little things here and there.
- Dcode - Great decoder.
- GREAT series of blog posts by by Patrick Olsen
Hopefully some of you share these appreciations and others find them resourceful. Now go eat
some turkey or stand in line for something you don’t need that’s on sale!
