Wednesday, July 10, 2013

Daily Blog #18: End of the milestones - 13 and 14 detailed

Hello Reader,
           The DFIR Summit has come and gone and I've learned a lot. This post marks the end of the milestones series, and I think it is the first series I've ever actually completed on this blog. I'll be honest: when I first wrote out the milestone post I wasn't sure what the reaction would be from you. I wasn't sure if you would be upset that I was trying to define your career progression, or happy to see a way forward that you may not have seen to continue to grow your skills and knowledge. I'm happy to say that all the feedback I've gotten so far has been very positive, so if you are upset with me, you have at least not let me know.

    These are the final two milestones that I know of from my 14 years of experience in the field. If you can think of what comes next, I'd love to hear it. Otherwise, I hope that in another year I'll look back and see what I need to add, and just keep expanding this list as I also continue to progress and learn. There is no end to our journey, only the point where we decide to stop taking it.

Milestone 13 - You've developed your own data structure parsers and you begin looking into new data structures to make new tools.
    
    This is a great time in your career. You have matured so far as an examiner that you are now expanding the field of knowledge to help the community at large, and possibly releasing a product that could lead to a better future. If you are thinking forward to when you hit this milestone with the worry that nothing new will be left to be discovered, then I'm happy to say this is the last of your worries. Every new application, version, service pack, operating system version, file system, service, device, etc. that gets introduced into the market and is used by a custodian becomes ripe for new artifact discovery. There is still so much we don't know about the internals and the data left behind through normal system usage, in both cutting-edge OS releases and historical OS artifacts, that if you find the motivation to look I believe you will find a new artifact that will set the community abuzz.

    Now, having said this, you don't have to find a new artifact to make a useful tool. Many times, being able to take your perspective as a seasoned examiner and apply that knowledge to program logic will allow you to create powerful programs that let newcomers have a small portion of your wisdom encapsulated in a utility. Every time an experienced examiner becomes a developer, the tools available for other developers become that much better, because we know what we want and need. So if you've reached milestone 13, well done. I look forward to seeing your tools and hope you will let me know if I can help you in testing and validating your output.

Milestone 14 - You get the artifact bug and spend your free time thinking of what else might exist and start creating testing environments solely to find new artifacts.

    This is where I am. I have the artifact itch: when I hear people talk about things that exist, don't exist, or are possible within the operating system, I think of what parts of the OS are involved and what should exist. I then expand that thinking to what systems and artifacts relate to those parts of the OS and begin making a mental checklist of things to check to validate my theory. If my theory appears correct, I begin looking into creating a prototype parser and begin testing to validate the results. Once validated, I begin to blog about it and release alphas for testing, and suddenly I begin to notice and think of other things to go check and test. The cycle just continues, and it's very rewarding as you keep deepening your understanding and knowledge of why things exist and what you should be able to recover. At the same time you can continue to give back to the community that helped you get to this point.
 
    If you've reached milestone 14, I'd like to invite you to email me, dcowen@g-cpartners.com; let's talk about your journey, and I'd like to interview you for the blog. In addition, I'd love to set up a mailing list of DFIR developers and artifact hunters so we can help each other moving forward.
 
    That's all for the milestone series. I hope you push yourself forward to achieve everything you want to, and ask for help when you need it!