
Getting Started in DFIR

BSides Boise · 2020 · 29:55 · 113 views · Published 2020-10
Category: Career
Difficulty: Intro
Style: Talk
About this talk
Josh Stemp shares a path into digital forensics and incident response, drawing on a decade of security work. He covers what DFIR actually entails, essential tools and skills, the attributes that make a successful investigator, and free resources to build expertise from scratch.
Original YouTube description:
Have you found yourself interested in specializing into the fields of digital forensics or incident response, but are not sure how to get started? In this rapid 20 minute presentation, you will learn about some ways you can steer your cyber career into these specializations and some resources available to help you get a strong start in the field.
Transcript (en)

longer earlier, and I'm refreshing too.

This, yeah, it did take about this long. There it goes. In three, two, one, you're live. And I'm ready.

All right, well, hi everybody. I'm Josh Stemp. I'm a security engineer with the Idaho Transportation Department. I'm also floating around today as one of the staff members, so thanks, Eric and Sin Ming, for getting us going and getting us running.

So today I plan on presenting on getting started in digital forensics and incident response, or DFIR. This is a topic that's near and dear to me, one that I've worked my way into with a little bit of luck, but we'll talk about how someone might be able to get into this same type of career field and the same path if you're interested and want to steer into that, if you decide that's the slice of cyber that you want to do.

Talking about my background: like I said, I'm currently with ITD. In the past I've worked with SuperValu/Albertsons, a Fortune 100 retailer, working endpoint security, and then I did some stuff with OCIO, or ITS, which is the organization Keith Tresh is with from our keynote today; that was some number of years ago. I've got coming up on 10 years of experience doing cyber security, and I've spent the last five or six of it doing incident response and digital forensics. These are, of course, my opinions; I'm doing this presentation independently, separate from the organizations that I've formerly been a part of.

We'll jump into what the plan is to cover for the next 20 minutes. We're going to cover what DFIR is. We're going to talk about some of the different tools and skills that you might have and might be able to implement, what I find valuable and have been able to leverage in my career, and how someone might steer into it if it's something they find themselves interested in. Finally, once the presentation's over, I have a slick sheet of different free resources, and paid resources as well, that if you're interested in doing more in this field you'll be able to leverage and work off of.

I felt it was important to talk about how I started in forensics, or DFIR, just so you understand where I came from. The first case that I worked on was years and years ago. My manager at the time, who handled all of the forensics work, came to me; she was going to be out the next week, and so she said, "Hey, you know, we might have something come up next week. I need you to take care of something for me." There were three things to keep in mind: first of all, we've got this write-blocker kit, use it; use dd to image the hard drive; and also take down the details of the hard drive. Not having done it before, I just took her word for it. She had talked it up a lot about how difficult it was, how detail-oriented it was, so I went out to Barnes and Noble of all places, back when they actually sold computer books, and I got myself my first digital forensics book, which was the Hacking Exposed Computer Forensics book, the big yellow book. I still have it; it's well used. I read through some of that over the weekend just to prime myself on some of the ins and outs of what I was going to be potentially asked to do the next week.

I got the call the next week, past the weekend, and off I went. Someone got fired, it was possible they were going to sue, and we needed to do forensics on that computer. So I ran off and collected the computer, brought it back to my desk, brought over the write-blocking kit, hooked everything up, pulled my book out, did dd on the hard drive over to blank media, and then I looked at the hard drive. Not having ever really paid that much attention to the number of details on a hard drive, I didn't really know what details I needed at the time, so I thought, well, there's like a thousand words here, and a picture's worth a thousand words, so I just flopped that hard drive onto a photocopy machine, a Xerox machine next to my desk, and hit go. I stored the paper copy with the hard drive copy where I was supposed to store it.

I remember getting back to my desk and saying, "Digital forensics is boring. I can't do this. There's no way that I could do this as a daily job. Thank goodness I'm doing cyber security instead." The world has funny ways in which it works, and now I do. What I didn't know then is what digital forensics and incident response was really all about, so let's cover that.

DFIR splits up into digital forensics and incident response. In incident response we're really focusing on actually dealing with an active threat. This is a very high-level presentation of it; there's a lot of nuance, but I just wanted to break this down. So we're focusing on an active threat to the organization and stopping it, containing it, boxing it in, and eliminating it. On the digital forensics side, we're processing the digital evidence to actually find the answers that we're seeking in our investigation. I find incident response akin to a paramedic who arrives on a crime scene: they will often just stabilize the patient and provide certain medical interventions just to get things going in the right direction. Whereas a detective will come in and do something like digital forensics, where they're going to look into what this specific issue is; they're going to find out who was at fault, what weapon was used, what tool was used, was it forced or not forced, and so on and so forth. That's an easy way I tend to differentiate the two.

Forensics also has a Latin root, back from the Roman era, when we would have public court, and so it's in a forum, in front of the forum. A lot of times forensics will still be tied to a legal process. There are lots of arguments about that, and that's outside the scope of this presentation.

Now that you know a little bit more about what it is, maybe you're like, "Hey, this is interesting, I'm curious, I've seen this on TV, and maybe I want to do this myself." So let's talk about a couple of common career paths that you can take into this. The two most common that I see (there are others) are: law enforcement, coming up with a legal background, going through being a detective into a crime lab, something like that; or, on the other side, that incident response mentality of defending networks and investigating intrusions, usually military, DoD, federal networks, things like that. Those are the two most common experiences I see when I look at the forensic practitioners that I follow. I did neither of those. I went a different route, and so I wanted to talk about how I did this route and how you might do that route as well.

If we're looking at law enforcement and military, they get a leg up with a lot of the hard-earned experience that they get up front, a lot of the things they encounter that we just don't deal with in everyday life, so we have to compensate for that. Part of that is being in the right place at the right time with the right tools. I found that this is an algorithm that is at the heart of every major change that I've done in my career: I've been in the right place at the right time with the right tools. But being in the right place and at the right time are largely luck-based, so we really can't influence those as much as we want to. So we need to focus in on the right tools, and by tools I don't necessarily mean hardware or kit, though that is a part of it and we'll get into that eventually. I'm thinking more of the soft skills, the attributes, things like that. So let's take that, separate it off, and see what we can do about actually influencing that "right tools" section.

I've broken it into four pieces here: education, experience, attributes, and equipment.

Education: this is something hotly contested. Keith even talked about this in his presentation, working with the colleges. Degrees: while I don't have a degree and degrees aren't what I would consider absolutely necessary, there are a lot of doors that are opened by having a degree as opposed to not having one. Instead I went down the path of certifications. I'm fortunate to have been able to take several, well, a majority of the SANS forensics and incident response portfolio classes, and I have a number of certifications from them. There are endless debates about certifications as well, and my viewpoint on this, for the purposes of this discussion, is that you need something to differentiate you, to say, in the mind of Joe Public, that you know what you're doing and that you can demonstrate that. At the end of the day, having a certification on your resume that says "I am a Certified Ethical Hacker" or "a CISSP" or "a certified forensic analyst" leads Joe Public to think that you know more about that topic than the average person. So that's really what matters there.

Experience: this is everything that's not education. This is your IT background. You're likely a cyber professional who has worked their way up through the ranks, or is in a cyber position that you came to from somewhere; maybe you came from the help desk, maybe you came from a network or server background. I came from a sysadmin background myself. That shapes the tools that you have in your toolbox. In regards to experience, some things might also be investigative experience. In a lot of ways you have the scientific method that you rely on as a technician for a lot of things, but the actual investigative process, to go through and suss out an investigation in a nice unbiased way without jumping to conclusions, is not necessarily something that everybody has. So that's something that might also get you a leg up, or something you might look to invest in. Also in here is something that I think ties in really well: Lesley Carhart on Twitter is someone who I follow, and she recently put out a thread of tweets at the beginning of this month talking about her thoughts on people starting in DFIR. I thought it really summarized a lot of the points that I wanted to hit on well. I encourage you to go check out her Twitter profile and those tweets from October 8th. I didn't want to include them here, but they talk about a lot of these kinds of things, a lot of the diverse background that is needed for these types of activities.

Finally we get into attributes. Attributes are you as a person, but also your happenstance. When we're hiring at my current place of employment, one of the things that we look for is drive and motivation. That's not something that is easy to grow or build in a person if they don't choose to do it themselves, so we look for somebody who wants to do the home labs, who wants to do those CTFs, who wants to go self-study, who wants to grow and grow and grow. We want somebody with strong ethics, because everything we deal with is highly sensitive or has some sort of issue to it. There's something I've actually left off this slide, which is grit: DFIR professionals often deal with not the most upstanding people, and we deal with a lot of material that people don't want to deal with.

Then flexibility. I know that I don't get to choose my cases; if I did, there would be a lot fewer of them at 4:30 on a Friday afternoon, and I wouldn't be going on as many car trips and plane trips on Saturday morning to the edges of the state to do my deal. If I had, say, kids, or a rigid home life, or a very strict schedule, that would be very difficult for me to do. So flexibility isn't just "be flexible"; it's also making sure that you as a person, and where you are in your life, can be flexible to the often unpredictable schedule that is DFIR work.

Then finally we get to the tools, the traditional tools, the hardware, the software. Let's jump into a couple of those. This here is a list of all open source and free software, tools, and resources. This is not the slick sheet; the slick sheet is separate. But every single case I work on will involve at least one of these tools. So if you are interested in getting into this and you're wondering how to get started, where to go, how to get to the next level, I think going and being familiar with these tools, downloading them, using them (there are tutorials all over the place) will get you in a position to be better able to do this type of work. It'll make you ready. These are tools that are used in the industry and there's nothing wrong with them. You don't need a big expensive EnCase license, or a big expensive suite license, to do forensics. So get familiar with these. As far as scripting, I'm in the Python and PowerShell camp. There are so many things for those now; those two are such powerful languages that that's what I spend most of my time doing. I know there are holy wars over this type of stuff.

Then I often get asked what my go bag is all about, what I take with me when I fly or drive or whatever, and so I took a picture of this with all the contents spilled out all over the place. There are things missing from this picture: there's no laptop. I usually have a high-powered Dell Precision workstation laptop that I use; I also have a desktop in my lab. There's not a lot of tech here in this pile, and it's because when I'm out doing collections, to then bring back and process in my environment, it's not necessarily all about the tech. A lot of times I'm collecting things, preserving them for later, taking them and bringing them back. I'm not going to sit in an office in Rigby for however many hours trying to chew through something when I could just as easily pick it up and bring it back. So it's a lot of process-oriented stuff. I have different office supplies here. Some of the most important things I have in this are extra log books and blank forms. We log all of our case notes in a one-notebook-per-case format, and each one of those log books then gets stored with a case folder with all the paperwork in it. That's really, really important to us. Also we've got some evidence bags, and I have an anti-static mat. Some people might think, why on earth would I have that, am I tearing apart phones in the field? Honestly, there are times where (I work in an engineering organization; ITD's an engineering organization) you walk in and someone's desk is just absolutely coated with stacks and stacks of paper, so it might be easier, if I need to photograph things (which I'm doing all the time; my phone's not in this picture, but I'm photographing the scene all the time), to lay out a mat or something so that I don't compromise data that might be on those papers, and I'm disturbing the scene as little as possible. Other things will be supplemented into this kit as time goes on, depending on the case, depending on what I need to do; I might take extra write blockers, extra hard drives, I might do other stuff. But this is the kit that usually goes everywhere on every single case.

So we've talked about the tools and what the right tools are, and just some different ideas and things you might be able to exploit or work on. Then let's come back to this equation thing. Again, we're trying to make up the gap between us and law enforcement, military, DoD, and so we're getting that right place, right time, and right tools. The key to remember is that these are not guaranteeing success; they are putting you in a position to take advantage of opportunities.

An example of that for me was one of the cases I worked on. We found some suspicious stuff on a workstation and we needed to figure out what was going on with it, so we went to management and notified them. Management gave us three directives: one, be quiet about it, keep it under wraps; two, this is your highest priority; and three, keep investigating. "We're not really sure that we want to do anything about it yet, but keep investigating and let us know what you find." So we kept digging. Over the course of a couple of days, a couple of people and I started riffling through things, and we kept hitting brick walls answering one question: is this malicious? While it was suspicious and it was kind of strange, we couldn't say it was actually malicious. So what I did, one evening, after another defeated evening, was grab a copy of it, come home, and spin it up in a virtual environment. I had a book on malware analysis that I had picked up a year ago. I'm not a malware analyst; I've done some basic static analysis but nothing super major. So instead I spent six and a half hours walking through the labs in that book, pushing through and trying to teach myself to do some super basic malware analysis, just to answer the question: is this malicious or not? And we found the answer. I found that it had no business being on the network or the systems that it was on. I wrote up my findings and sent off that email at like 6:30 in the morning, and when I went to bed I got a call about an hour later from my manager saying, "Hey, we have a phone call in an hour where we're going to present. We need you to present your findings, so make your way to the office." I showed up and we did the conference call, and we got the green light to get in extra help and extra resources, which was the nut we'd been trying to crack. We were also given a war room to continue to work out of. It of course gained priority, and I promptly found the war room, lay down along the wall, and slept for a few hours, with management's permission, of course. But the point was that I was presented an opportunity to try and answer a question, to learn something, to figure out the problem. We couldn't escalate; there was that barrier that, until we got enough information, we couldn't escalate. So we broke that barrier and spent that effort to turn that opportunity into a success where we could move the ball forward. That's really what this is about: putting yourself in the right place at the right time with the right tools to be able to get that opportunity, and being ready to actually exploit it and turn it into something that you can then grow from and expand on, time and time and time again.

So with that, thanks for sitting through this, and thanks Eric and Sin Ming for hosting this. I'm happy to answer any questions in the last couple of minutes here.

Hey Josh? Yes. Thank you. We do have a couple of questions here in the chat. Thank you, great presentation. I enjoyed the cat in the background too, so that was a good audience with you right there. First question in the channel is: you referred in the slides earlier to one really important part; how important is attitude?

So the attitude, it's really up to you to make it what you will. If you choose to have a defeatist attitude, where you're like, "Whatever," then that's probably what your outcome's going to be. You really have to be looking up and looking out. Some of it's like, you've got to like your job. If you don't like this line of work, well, it's true with everything: if you don't really like doing it, then you're not going to be your best. So having that positive attitude, having that positive outlook, and really reaching for whatever it is you're facing as a challenge is vitally important.

That's really good advice. In information security it's not always all roses, right? Another question here is: you mentioned quite a bit about some really good tools, some different tooling. I guess for the novice, what tools would you start out with if you are new to security tooling?

So, DFIR specifically, I mean, I'm primarily focused on the forensic side. Of course I do IR as well, and I'm proficient in it, but most of my time is spent in the investigation phase. For a lot of that I do a lot of content review, and so throwing something into Autopsy, which is a Windows-based application, and doing content review is a good way to get your feet wet and realize just how much data, how much volume of data, there is. That's kind of how I got started, I guess. When we had stuff going on and management was like, "We need this to happen," I was like, "Well, I've got this tool, I guess we can give it a whirl." That was before I really had any formal training; that's how we went about it. So it is sort of a push-button approach, more so than a lot of people would approve of, and I think when you start out that's okay, right, until you can get some training and get some experience or find a mentor who can really guide you into the depths of forensics, to where you're not looking for a push-button solution, you're really looking at understanding all of the artifacts and what they truly mean at the most raw levels.

All right, excellent. Very good with the tooling. I think we've got time for one last question, and this is a really good question: do you find yourself experiencing any burnout in this field of cyber security?

Absolutely. Yeah, I deal with burnout a lot, unfortunately. I wanted to watch the presentation just before mine here in track two, it sounded like a fantastic presentation, but prepping for this as well as doing some of the back-end work here, I couldn't pay as much attention as I wanted to. Burnout is a very real deal, especially in this arena. There's kind of a, I don't want to call it a joke, but there's kind of this stigma that once you get into hardcore doing forensics, you're going to do it for two or three years and either you'll make it or you won't. It's not that you'll fail; it's just that you'll probably decide it's not for you. It can be very procedural; it can be very boring at times. When I had first experienced it, it was just collection and I did no analysis; I just sat there and stared at a hard drive copying for four hours. It was like, wow. Now it's different; there's a lot more to it. The hours can also wear on you, the content can wear on you. You have all the pressures that you do with cyber security, but you don't get as much control about deciding what you want to work on for the day; your schedule is dictated largely by the actions of others.

Yeah, I guess that's a good point. Just one related part to that question: do you find that you then maybe volunteer for some other projects, for a little different thing to do?

Yeah, it's important to break it up a little bit. Even in my team, where I'm specialized, I still step out and do some security consulting in general for projects, or work on some compliance things every now and again, just to keep my skills up in other areas. It's important to be well-rounded; even though you specialize, it's important to be well-rounded. So I think that's important. Like BSides: I'm involved in BSides, I'm involved in some other groups; I'm president of InfraGard for this year. It's important that you find other things to help disperse and help deal with some of that burnout.

Absolutely. All right, very good. Well, thank you again, Josh, excellent presentation. Thank you. Thank you, Eric.