Daily Blog #714: Forensic Lunch 1/10/25 with Ryatt Roesrma talking about fine tuning AI models

The Forensic Lunch is Back! 🍴

Hello Readers,

I'm excited to announce that The Forensic Lunch is back with another episode! This week, we had the privilege of hosting Wyatt Roersma, who shared his insights on training open-source AI models for specialized tasks.

Wyatt has been exploring how to take open-source AI models, like Qwen-2.5, and train them using examples such as YARA rules and targeted prompts to enhance their usefulness for specific applications. In the episode, he walks us through the process step-by-step, empowering you to apply similar techniques to solve your unique challenges.

For instance, I'm currently experimenting with getting AI models to write dfvfs code. While the models are fairly accurate, I believe with a bit of fine-tuning and additional training, they could become even more precise and reliable.

Key Resources from Wyatt's Discussion

Here are some invaluable links to help you dive deeper into the topics discussed in the episode:

• Download Wyatt’s trained models: Hugging Face – vtriple (Wyatt Roersma)
• Rent GPU containers: Vast.ai
• Run open-source models without local hardware: OpenRouter
• Discover and download models: Hugging Face
• Run local models: Ollama
• Train and fine-tune models: LLaMA-Factory GitHub Repository
  • SFT example: Train with LLaMA-3 LoRA SFT
  • DPO example: Train with LLaMA-3 LoRA DPO
  • LoRA example: Train with Qwen2VL LoRA SFT

Watch the Episode

You can catch the full episode below and learn how to start training your own open-source AI models to tackle specialized problems:

Or click the link here:
https://www.youtube.com/live/z6QkYHo97k0

Also Read: Developing an AWS Examination Tool Part 4

Read More

Daily Blog #697: Forensic Lunch 5/8/20 - Jack Farley, Josh Brunty, Kevin Pagano, Tom Pace, Jim Arnold

Hello Reader,
        Another week of crisis times means another weekly Forensic Lunch!

This week on the Forensic Lunch we had:

• Josh Brunty, @joshbrunty,  talking about his DFIR program at Marshall 
•  https://www.marshall.edu/cyber/
• Tom Pace of Blackberry Cyclance and Jim Arnold of KPMG talking about recent ransomware trends. 
• Kevin Pagano, @kevpagano3,  talking about his Sunday Funday and the Magnet Virtual CTF 
• Jack Farley, @jackfarley248,  talking about MEAT and the Magnet Virtual CTF
•  https://github.com/jfarley248/MEAT

You can watch it here:
https://youtu.be/fPzSm-hofA0

Also Read: Daily Blog #696 - Free Autopsy Training

Read More

Daily Blog #690: Forensic Lunch 5/1/20 - Oleg Skulkin (FeatureUsage), Brian Marks (Office 365) , Lee Whitfield (Forensic 4Cast Nomations)

Hello Reader,
      This week the Forensic Lunch went into Overtime! We went a full 25 minutes over the usual hour because we had so much to talk about. On this weeks show:

• Matt Seyer (@forensic_matt) talked all about the etl parser and monitor he's working on in Rust! https://github.com/forensicmatt/RsWindowsThingies
• Oleg Skulkin (@oskulkin) talked about how he approaches Sunday Funday's (he's won 3!) and about his new blog post about the Windows FeatureUsage artifact.  https://www.group-ib.com/blog/featureusage
• Brian Marks (@briandfir) talked about how the Office365 UAL MailboxItemsAccessed Audit event works and what the entry details mean  
• Lee Whitfield (@lee_whitfield ) talked through the Forensic 4Cast Awards nominations that end in two weeks, and Matt and I gave who we will be nominating. https://forensic4cast.com/2020/02/2020-forensic-4cast-awards-nominations-are-open/

You can watch the video here:
 https://youtu.be/g-CajSYPzYY

Also Read: Daily Blog #689

Read More

Daily Blog #687: Forensic Lunch schedule for the next 4 weeks

Hello Reader,
       Its taking some work but I'm lining up guests a month in advance now. Here is the schedule for the next four weeks so you can plan out what episodes you want to see

Date	Guest 1	Guest 2	Guest 3	Guest 4
5/1/2020	Brian Marks	Lee Whitfield	Oleg Skulkin
5/8/2020	Cylance/Jim	Jack Farley w/ MEAT	Josh Brunty - Marshall	Sunday Funday Winner
5/15/2020	MVS CTF Winner	Magnet	Sunday Funday Winner
5/22/2020	Mike Cohen	Sunday Funday Winner

Notice something new there?  I thought it would be fun to invite the Sunday Funday winner from the prior week to come on the Lunch to talk about what they did. Oleg Skulkin was willing to be the first and hopefully not the last!


All times will be Noon CDT (UTC -5) With the exception of 5/22/2020 when we will broadcast at 5PM CDT (UTC -5) to let Mike Cohen actually get some sleep.

Remember if you want notifications subscribe to the Youtube channel to never miss a live broadcast: https://www.youtube.com/user/LearnForensics

Also Read: Daily Blog #686

Read More

Daily Blog #686: Want to be on the Forensic Lunch?

Hello Reader,
         Now that the Forensic Lunch is weekly I'm trying to work extra hard to book guests in advance, which I maayyy have been lax about the last year or so. I'm now booked for the next 4 weeks but I'm looking to find new voices, new research and new cool stuff that the community at large wants to see.

So this is your chance. Been watching the Lunch for years? Always thought you had something to say? Email me dlcowen@gmail.com with the subject Forensic Lunch Guest Request and let's get you scheduled and get the word out on what your up to.

Commercial Software Vendors Please Note:
Commercial products are something I let on the lunch when I personally feel that the value they bring is something novel and has value to the community at large. If you send me a product pitch I may need alot more information before agreeing to have you on.

Examples of past vendors:
Guidance software
Accessdata
Magnet
Atola
Demisto
Belkasoft

I have turned away many others, please know that even if you do come on the public chat will be wanting to ask questions you must be prepared to answer.

Also Read: Daily Blog #685

Read More

Daily Blog #683: Forensic Lunch 4/24/20 with the Google IR Team (GRR, Timesketch, Turbinia, DTTimewolf, More!)

Hello Reader,
      We had a jam packed Forensic Lunch today with a portion of the Google IR team today talking all about the open source tools they develop, use and support in their work at Google.

Specifically we had :

• Mikhail Bushkov giving a big update on GRR https://github.com/google/grr
• Johan Berggren (https://twitter.com/jberggren) and Kristinn Gudjonsson (https://twitter.com/el_killerdwarf) talking about Timesketch and Data science
• https://github.com/google/timesketch
• Aaron Peterson (https://twitter.com/aarontpeterson) talking about Turbinia
• https://github.com/google/turbinia
• Thomas Chopitea (https://twitter.com/tomchop_) talking about DTTimewolf
• https://github.com/log2timeline/dftimewolf
• Theo Giovanna talking about libcloudforensics aka cloudforensicutils
• https://github.com/google/cloud-forensics-utils/tree/master/libcloudforensics
• Joachin Metz (https://twitter.com/joachimmetz) - Talking about Plaso, libntfs and Libyal
• Plaso: https://github.com/log2timeline/plaso 
• Libfsntfs: https://github.com/libyal/libfsntfs
• Libyal: https://github.com/libyal

Join them on the Open Source DFIR Slack: https://join-open-source-dfir-slack.herokuapp.com/

Read more about what they are doing on the Open Source DFIR Blog: https://osdfir.blogspot.com/

Watch the video below

Also Read: Daily Blog #682 - Linux Kernel Patches for Safe Forensic Imaging

Read More

Daily Blog #676: Forensic Lunch 4/17/20 with Zach Wasserman

Hello Readers,
  Today on the Forensic Lunch we only had one guest, Zach Wasserman, from OSQuery technical steering committee. We only had one guest because we knew we would have so much to talk to Zach about! From OSQuery's future in the linux foundation, Kollide Fleet and other fleet managers to Zach's work at Dactiv, LLC you have alot waiting for you in this weeks broadcast.

You can reach Zach Wasserman on twitter @TheZachW or Zach can be reached at zach@dactiv.llc if you want to work with him!

Also Read: Daily Blog #675

Read More

Daily Blog #674: Forensic Lunch Podcast is up to date!

Hello Reader,
        I was planning to search my Cloudtrail logs today in a test kitchen to show my snapshot activity, but life has a way of getting in the way ... even when you don't leave the house.



However what I did accomplish today was getting the podcast caught up with the Youtube broadcasts! It was over a year behind so this was long overdue. The official podcast page is here:

https://forensiclunch.libsyn.com/

You can listen/subscribe from the main site above or get it on many popular podcasting apps such as:

• Apple iTunes/Podcasts (BTW leave us a review) https://podcasts.apple.com/us/podcast/the-forensic-lunch-with-david-cowen-and-matthew-seyer/id1035370378 
• 
  
• Stitcher: https://www.stitcher.com/podcast/david-cowen/forensic-lunch
• 
  
• Google Podcast: https://podcasts.google.com/?feed=aHR0cHM6Ly9mb3JlbnNpY2x1bmNoLmxpYnN5bi5jb20vcnNz
• 
  
• and many more!

I thought it would be a good idea to explain the process of turning the live video's into a podcast in case others wanted to do so.

1. After the live broadcast is over I can download the show as a mp4 video file from Youtube
2. I think use Foobar2000 to strip the audio our of the mp4 and store it as a mp3
3. I use libsyn.com for my podcast hosting so I then have to upload the mp3 there
1. Note I tried to self host my podcast but there are some additional tags and features that the podcast feeds want that I just decided I didn't want to deal with
4. Once uploaded I need to add guest info and titles and the podcast sites pull from there, years ago I submitted the feed to a couple and the others appear to have taken the hint

Reasons why I was behind:

1. When I left the old company the login was tied to my old company email account, so I had to get that changed since I was paying for it but couldn't get access to it
2. Once episodes build up its a chore to go back and catch up which is why it fell behind before I left
3. Real work and personal lives sometimes compete with free work

So my plan is to keep up from this point forward, I'll be honest its easier when I do the daily blogs because then I can take the show description I wrote in the blog and just paste it into the podcast description!

So there you go, that's what it takes to get the podcast done. What I would ask of you if you read this far is to let me know things I could do with the podcast side of things that would make it easier to listen to/better to use.

Also Read: Daily Blog #673

Read More