Wednesday, October 1, 2014

One Step Ahead Part 3

One Step Ahead Part 3 is out on the Nuix blog, Unstructured!

Tuesday, September 23, 2014

One Step Ahead part 2

The second part of the One Step Ahead series has been posted on the Nuix blog Unstructured.

Saturday, September 13, 2014

BlackPOS v2.0? Not so fast!

Nuix CTU Malware Researcher Josh Grunzweig lays out why BlackPOS and the latest point-of-sale variant that Trend Micro is calling BlackPOS v2.0 are NOT from the same malware family.

Read Josh's blog post here.

Read the article from CSO Online here.

Monday, July 21, 2014

Silent Witness

"Wherever he steps, whatever he touches, whatever he leaves, even without consciousness, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value." - Dr. Edmond Locard 1942.

Tuesday, July 15, 2014

The Investigator as the Storyteller Part 2

Check out, The Investigator as the Storyteller Part 2, on the Nuix Blog, Unstructured!


The Leader As The Storyteller

I read this today in "The Leadership Excellence Devotional" by Pat Williams.  Having just written the Investigators as Storytellers post for the Nuix blog, I found this to be wonderfully complementary.  I hope you like it as much as I did.

"The shortest distance between two people is a story."
- Terence Gargiulo

Steve Sabol helped found NFL Films with his father Ed Sabol.  He began working as a writer, editor, and cameraman with the 1962 NFL Championship game.  Over the years, Steve won more than forty Emmy Awards as a documentary filmmaker, and succeeded his father as the president of the company.

More than a filmmaker, Steve Sabol was a storyteller.  He used camera angles, slow-motion images, stirring music, the shouts of players, and the collision of helmets to transform football games into epic tales of human drama.

In March 2011, Sabol learned he had inoperable brain cancer.  In August of that year, he delivered an emotional induction at the Hall of Fame enshrinement of his ninety-four-year-old father.  And on September 18, 2012, Steve passed away at the age of sixty-nine.

When his father's Hall of Fame induction was announced, Steve said, "My dad has a great expression: 'Tell me a fact, and I'll learn.  Tell me a truth, and I'll believe.  Tell me a story, and it will live in my heart forever.'"

That is great leadership wisdom.  Our greatest leaders have always been storytellers.  They use stories to illustrate their vision, teach us lessons, touch our emotions, rivet our attention, and motivate us to action.  Stories move us, compel us, and inspire us.  Stories make us laugh, and cry.

To be persuasive, to be unforgettable, simply say, "Let me tell you a story..."

Tuesday, July 8, 2014

The Investigator as the Story Teller

New blog post on the Nuix Blog, Unstructured.  Arguably one of the most important skills we as DFIR professionals can possess!

Take a read!  #changingthehunt

Monday, June 16, 2014

Like a Rock

I read this today, and it really struck a chord with me, so I thought I would share.  It's from, "A Leader's Heart: 365-Day Devotional Journal":

Dependability is important in every team's success.  Everyone on the team knows upon whom they can and can't depend.  Allow me to give you what I consider to be the essence of dependability:

1. Pure Motives: If someone on the team continually puts themselves and their agenda ahead of what's best for the team, they have proven themselves to be undependable.  When it comes to teamwork, motives matter.

2. Responsibility: While motivation addresses why people are dependable, responsibility indicates that they want to be dependable.

3. Sound Thinking: Dependability means more than just wanting to take responsibility.  That desire must also be coupled with good judgement to be of real value to the team.

4. Consistent Contribution: The final quality of a dependable team player is consistency.  If you can't depend on teammates all the time, then you can't really depend on them any of the time.  Consistency takes a depth of character that enables people to follow through no matter how tired, distracted, or overwhelmed they are.

That's all...sorry nothing more forensic-y...I just thought it was solid.

Saturday, June 7, 2014

An Unexpected Journey

So...I'm not Bilbo Baggins...obviously (shut up with the short jokes), but I have recently embarked on a very welcome, albeit unexpected journey.  Let me explain...

Sometimes, leaving is more about moving towards something new rather than moving away from where you currently are.  Such is the case with my departure from SpiderLabs.  I have truly enjoyed the almost six years I spent there as an Investigator and Director, but when this new opportunity found me, like Bilbo and his beloved ring, I could not resist.

In my first conversation with my new boss, Jim Kent, I have to admit, I was not all that excited about going to work at a software company.  Having worked in the field for so many years, like most investigators, I have come to loathe commercial forensic tools. I have seen them as a necessary evil, something we had to have for RFPs or for courtroom testimony, but not something we actually worked cases with.  Along with the likes of Cory Altheide, Harlan Carvey, Rob Lee, and Hal Pomeranz, I have beat the drum of using open source forensic tools, because...and let's all say this together, "There is NO SUCH THING as COURT APPROVED"!  It's all about the way you interpret the 1s and 0s of an investigation and not the tool that you use!  YOU are the investigator, YOU are the one that testifies, not the tool.  Anyways, I was not expecting this conversation to go anywhere, but I listened to what Jim had to say.  It's a good thing too...because what he said made the conversation take a 180, and head off in a totally unexpected direction.

Jim: So, I have been reading up on this Sniper Forensics methodology of yours, and I have to say, it's spot on.

Me: Thank you.  

Jim: What would you say if I told you that our tool, Nuix Investigator is Sniper Forensics come to life?

Me: (stunned) Say that again...

Jim: Our tool suite at Nuix is very much the embodiment of your Sniper Forensics methodology.  We'd love for you to come be a part of our team and help us take our tool to the next level.

From that point in the conversation, my journey began, and as I stated initially, it was less about leaving SpiderLabs, and more about joining Nuix.  I could not be more excited to be part of this team, and I am blown away by what the Nuix engine can do, that it really, no kidding, incorporates Sniper Forensics, and that I get to be a part of making it everything I have always wished a forensic tool would be!  In my opinion, this is the intelligence multiplier we have all been waiting for.  The hunt is about to change.

The next six months are going to be a whirlwind.  I have so many ideas about what to do, and how to do it, that my fingers and keyboard are having a hard time keeping up with my brain.  But, I don't want to be so naive as to think that my ideas are the best and/or only ones.  So, I want to turn to YOU...the DFIR community...for assistance.  In the coming weeks, I am going to be taking in feedback from many of you that will email me at - AND, I am also going to be making trips to see some of you - Chicago, San Francisco, Sarasota, DC, New York (HOPE), and Vegas (Black Hat / DEF CON) - to get YOUR feedback (if you are in or around those areas, drinks are on me)!  Tell me what you have always wanted to see in a commercial forensic tool suite.  What have you wanted it to feel like?  What features and functionality have you always wished for?  And please...DON'T HOLD BACK...the sky is the limit.  You shoot for the job is to figure out how to make it happen.

We are going to turn the DFIR world upside down, and bring to market the most effective, most efficient, fastest, best, Sniper Forensic-y tool on the planet!  I am looking forward to hearing from, or seeing you!

In the immortal words of Tone Loc..."Let's do it"!

*** In the past I have said, "Happy Hunting", but...since the new gig puts me in a bit of a different position...let's go with this...

"Changing the hunt!" ***

Monday, March 10, 2014

2014 SANS DFIR Summit

Can't wait to be back at the DFIR Summit!