#14 – Rest in Peace, DFIR Dog

Today’s post is an incredibly tough one to write. This morning my buddy, my best friend, my DFIR Dog passed away. He lived a great life and was loved by so many. Whenever I would work from home, he would lovingly announce his presence on conference calls, show his face on video calls, and would stare at the computer screen helping me analyze evidence. He was to be the topic of my presentation for next year’s DFIR Summit. (Who knows, maybe I will still do the presentation — bring tissues!)

Cody was rescued at 3 years old and lived to be just shy of his 13th birthday. He enjoyed being goofy, helping people, going for walks, being my anxiety companion, and being loved on by the neighbor kids and my nieces and nephews. He was incredibly smart and knew exactly how to get his way, most days. He passed peacefully in my arms at home, surrounded by love and comfort. May he rest in peace and run wild and free. Mama loves you, buddy.


#13 – Exploring macOS

Per the recommendation of someone, I took a peek inside the macOS /private/var directory. If you have never examined the contents, I suggest you do.

[Screenshot: /private/var Contents]

For example, one of the directories contains logs. Hint: It’s the “log” directory.

[Screenshot: /private/var/log Contents]

Over the next few posts, I will explain some of these logs and files for you. Then we will back out of this directory and dive into another. Stay tuned!


#12 – Supporting Women in Tech

The Diana Initiative is hosting a two-day conference on August 9 and 10, during the week of Black Hat and DEFCON. The conference is FREE for attendees, and this year’s theme is “Hacker Family: Our Diversity Unifies Us.” According to their website, the organization was set up to:

  • Encourage diversity and support women who want to pursue careers in information security
  • Promote diverse and supportive workplaces
  • Help change workplace cultures

This year’s conference schedule has been posted, and there are some really amazing talks planned. The one I am looking forward to most is Amanda Berlin’s Friday evening keynote on mental health.

There are sponsor spots still open if you or your company would like to sponsor the event. Donations are also open! If you cannot afford to donate (and that’s okay!), consider being a volunteer for the event. Regardless, you should attend! Did I mention the conference is free? Hope to see you there!

#2 – SANS DFIR Summit

Another year, another SANS DFIR Summit come and gone. What a whirlwind! If you have never been to the DFIR Summit in Austin, TX, I would highly recommend it. This year seemed to have more new people attending than ever before. (I don’t have the official counts, so I don’t know for certain.)

The presentation slides have been posted if you’d like to review them. In roughly 2-3 months, the videos should also be posted to YouTube. A few highlights:

  • #DFIRFIT or Bust – I loved this talk the most. Take a look at the slides to see why. 😉
  • Event Trace Logs – Nicole has been researching these for quite some time, and her presentation goes into awesome detail about these logs. If you’ve never examined ETLs, you really should.
  • mac_apt – macOS forensics is my jam. Yogesh’s mac_apt.py pulls [almost] all the things for forensic analysis. Obviously it requires some thought in your analysis to put together a timeline of events, but this script will be a great start in simplifying your efforts.
  • DNSplice – Shelly loves her DNS logs! Her python script helps put extra meaning behind the data.
  • Forensic 4:Cast Awards – Lee puts a lot of thought and love behind these awards, as evidenced by his 10 years of work on them. Congrats to all the winners and runners-up!

After the conference, the DFIR Summit offers classroom training. This year I signed up for the FOR585 Advanced Smartphone Forensics course. Heather did a phenomenal job teaching the class and really made sure people understood the concepts. She even taught SQLite in a way that actually made sense! (I’ve struggled for years with SQLite queries, but now I can easily write basic queries, join tables, add case statements, and order columns.)

The final highlight of the DFIR Summit was the NetWars challenge. This year SANS added a Coin Slayer challenge where you could win a challenge coin from a particular course, assuming you answered all questions from all four levels correctly. There ended up being seven people who won Coin Slayer coins – two in Reverse-Engineering Malware and five in Smartphone Forensics. I happened to be one of the lucky ones to earn a Smartphone Forensics coin within the final three minutes of the competition.


All in all, the DFIR Summit was more than worth it! If you get a chance to go, absolutely do it. The Summit will be held in Austin, TX next year July 25-26 (conference) and July 27-Aug 1 (training). Hope to see you there!

#1 – The Zeltser Challenge

It’s no secret that people have pushed for more community sharing in DFIR, assuming one’s company or role allows that sharing. A few years ago, David Cowen entered a daring experiment to write a daily blog. This was based on Lenny Zeltser’s challenge, lovingly termed “The Zeltser Challenge” among the community, in which one writes a blog post every day for a year. Matt Bromiley also embarked on the challenge. The goal of the challenge is to: 1) share with others and 2) push yourself to keep learning. Recently, David tweeted out a request to have others join in on the challenge, and well, here I am…

Are there any specific requests of topics you’d like to read? A few of the topics that I am considering over this next year are:

  • macOS Forensics
  • APFS Artifacts
  • Android Forensics
  • iOS Forensics
  • SQLite Analysis (a.k.a. forcing myself to learn SQLite)
  • Third-Party Application Forensics
  • OSINT (maybe?)

Here’s hoping all goes well!


DFIR Summit Family Reunion

“Reunited and it feels so good…” That lyric sums up my overall thoughts on the annual SANS DFIR (Digital Forensics and Incident Response) Summit experience in Austin, TX. Although, so does this song by Dual Core.

This conference is easily my favorite of the year. The talks are highly technical, but not to the point of overwhelming with your eyes glazing over. You can find the links to the presentations here. There were a surprising number of Mac Forensics talks this year (which I love!), open source and hardware talks (check out Brian Moran’s and Jessica Hyde’s Alexa badassery), workflow organization, and more. There really wasn’t anything that I did not find interesting, and that’s saying a lot.

The evenings provided an opportunity for networking and fun (so much fun). Honestly, the networking is worth its weight in gold. Each year I meet new people in the DFIR field and form lasting friendships (and many that are like close family). Being a naturally introverted person, for me to say that I actually enjoy the networking, that’s huge. We seriously have some truly incredible people in this industry.

Rather than uploading a bunch of photos from the talks and evenings, it’s likely easiest to just check my Twitter account: @4n6woman. Feel free to also follow me on there!

Hopefully next year I will see more new faces in Austin. It really is worth the trip!