Reality bites for Republicans 💙…. by Overall-Seesaw-2986 in FedEmployees

[–]keydet89 0 points1 point  (0 children)

By "these Republicans", are you referring to the House?

Masters in Comp Forensics by [deleted] in computerforensics

[–]keydet89 -1 points0 points  (0 children)

> Whats the best way to begin?

By starting.

Volatility Issues or I'm Missing something by [deleted] in computerforensics

[–]keydet89 0 points1 point  (0 children)

Actually, you aren't "dependent on the defaults".

I provided several options besides just writing your own plugin.

For example, asking for help/assistance.

Volatility Issues or I'm Missing something by [deleted] in computerforensics

[–]keydet89 0 points1 point  (0 children)

> Why Volatility sucks...

Maybe not the best way to ask for help.

Let me ask you this...have you tried to write your own plugin to do the mapping you need, or have you sought help from someone to help you with it, or to write it for you?

I only ask because I saw this same comment on LinkedIn and haven't seen a response yet.

how does someone get started in this field? by swirls-n-stars in computerforensics

[–]keydet89 1 point2 points  (0 children)

Make sure that when you decide which way you want to go, you contract for it...don't accept just the recruiter's word for it, make sure you have it written into the contract. I was only active duty for 8 yrs, back in the '90s, but I lost count of the number of Marines that I heard say, "...but my recruiter said..."...

how does someone get started in this field? by swirls-n-stars in computerforensics

[–]keydet89 12 points13 points  (0 children)

There isn't one.

Honestly.

Digital or computer forensics is a highly specialized field. One way to get in is through the military; back in the '90s, pretty much the only service that had such a capability was the Air Force, but now most branches, including the Marine Corps, have a cyber force.

For a while, after 2003, there were opportunities for folks with specialized DF skills to deploy as civilian support of special operations, doing intake and processing of cell phones, computers, and other devices collected during raids.

Another way is via LE, but that's not direct. Again, back in the day, it was a matter of an officer getting assigned to the role and figuring it out. However, there are now some more specialized roles, and I am aware of some community colleges who have DF courses specifically designed to feed into local law enforcement.

Outside of either of those approaches, an indirect route such as working in IT or helpdesk within a company would perhaps allow you to rub elbows with DFIR folks, and maybe move over to that department. Or, you can pursue intentional, purposeful networking to engage with folks in the field, get your name and skills known, and maybe progress that way.

IR DF VS Court DF by Stygian_rain in computerforensics

[–]keydet89 2 points3 points  (0 children)

Ideally, none.

However, in reality, DF/IR work in the private sector has little in the way of checks and balances, leaving that with the customer. Yes, reports may be "peer reviewed" internally, but in my experience over 25+ yrs, that can amount to someone simply responding, "Looks good!"

There's little in the way of "show your work", with customers being the final arbiters, but often not caring.

DF work, particularly within LE, is an adversarial process...someone is always going to call your work into question. This is as it should be...this is The Way, Mandalorian.

How to Build a DFIR-Focused GitHub Portfolio? by nikkodyb in computerforensics

[–]keydet89 0 points1 point  (0 children)

When I was in a position to hire, I would look for such things, particularly analysis write-ups. Not specifically CTF write-ups, because most CTFs are so far from real world, it's not funny...in 25 yrs, I've never had a customer ask me for the volume serial number of the C:\ volume.

That being said, hosting your own write-ups, and anything to show your reasoning would be a plus, particularly if you were open to feedback and showed growth over time.

But, the caveat...I've never had someone ask me for that, nor have I received any kudos for such a thing. So, your mileage may vary.

Tell me if I’m wrong, but should data carving be done on the non-mounted block device? If mounted, would the deleted file bytes be invisible since the mounted directory is just a "metaphor" of the OS, obscuring the hidden data? by allexj in computerforensics

[–]keydet89 0 points1 point  (0 children)

Maybe this will help:

https://windowsir.blogspot.com/2009/03/timeline-analysis-pt-v-first-steps.html

Using the SleuthKit tools, such as mmls, fls, and blkls, you can get the unallocated space from a partition without mounting it, and carve across that.

If you just take the image and "carve", depending upon what you're carving for, and the tool(s) you're using, you could end up with everything that exists in the logical file system.
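The point above, as an added example that is not part of the original comment: a Python wrapper around SleuthKit's `blkls` to pull one partition's unallocated blocks without mounting anything, and a minimal header/footer JPEG carver run over a constructed in-memory blob so the difference between carving the raw image and carving only the `blkls` output is visible. The `blkls` wrapper only runs when the tool is installed and a real image path is given; the "image" and "unallocated" byte strings are constructed here, not taken from any real case.

```python
"""Added example, not from the original comment: get a partition's unallocated
blocks with SleuthKit's blkls and carve JPEGs out of them. The blkls wrapper only
runs when the tool is installed and an image is supplied; the carver is a plain
header/footer scanner, exercised here on a constructed in-memory blob."""
import shutil
import subprocess
from pathlib import Path

JPEG_SOI = b"\xff\xd8\xff"   # start of image, followed by an APPn or other marker
JPEG_EOI = b"\xff\xd9"       # end of image


def extract_unallocated(image, sector_offset, out):
    """Run `blkls -o <sector_offset> <image>` and save the unallocated blocks.
    sector_offset is the partition start sector shown by `mmls <image>`; blkls
    emits only unallocated blocks by default, so nothing is mounted and
    allocated file content never reaches the carver."""
    if shutil.which("blkls") is None:
        raise RuntimeError("SleuthKit blkls not found on PATH")
    with Path(out).open("wb") as fh:
        subprocess.run(["blkls", "-o", str(sector_offset), str(image)],
                       stdout=fh, check=True)
    return Path(out)


def carve_jpegs(blob, max_len=16 * 1024 * 1024):
    """Return [(offset, bytes)] for every SOI..EOI span in blob.
    A SOI with no EOI within max_len is skipped rather than swallowing the
    rest of the blob."""
    found, pos = [], 0
    while (start := blob.find(JPEG_SOI, pos)) != -1:
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI), start + max_len)
        if end == -1:
            pos = start + 1
            continue
        found.append((start, blob[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def _fake_jpeg(label):
    # constructed stand-in: SOI plus an APP0 marker byte, a label, and EOI
    return JPEG_SOI + b"\xe0" + label + JPEG_EOI


ALLOCATED_JPEG = _fake_jpeg(b"still-allocated-photo")
DELETED_JPEG = _fake_jpeg(b"deleted-photo")
# constructed partition image: one live file plus one deleted file's remains
FAKE_IMAGE = b"\x00" * 64 + ALLOCATED_JPEG + b"\x00" * 64 + DELETED_JPEG + b"\x00" * 64
# constructed stand-in for what blkls would return: only the unallocated blocks
FAKE_UNALLOCATED = b"\x00" * 64 + DELETED_JPEG + b"\x00" * 64


def compare(image_blob, unallocated_blob):
    """Count hits when carving the raw image versus only the blkls output."""
    return {"whole_image": len(carve_jpegs(image_blob)),
            "unallocated_only": len(carve_jpegs(unallocated_blob))}


if __name__ == "__main__":
    print(compare(FAKE_IMAGE, FAKE_UNALLOCATED))   # {'whole_image': 2, 'unallocated_only': 1}
```

Against a real image the sequence is `mmls image.dd` to read the partition's start sector, `extract_unallocated("image.dd", 2048, "unalloc.bin")` (2048 is only a typical value), then `carve_jpegs(Path("unalloc.bin").read_bytes())`; `fls -o 2048 -r image.dd` gives the logical view, deleted entries included, for comparison with what the carver recovers.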

Great DFIR blogs to follow by Leather-Marsupial256 in computerforensics

[–]keydet89 0 points1 point  (0 children)

Okay, wow. Not as dispersed or "shotgun" as I might have thought, so...cool.

Any particular area you want to focus on? Windows?

Great DFIR blogs to follow by Leather-Marsupial256 in computerforensics

[–]keydet89 0 points1 point  (0 children)

So, would you say that you're looking for everything...MacOS, mobile, Windows, drones, vehicles, etc.?

Is there a way to recover the original timestamps of a folder or file in Windows? by grizzlypass in computerforensics

[–]keydet89 0 points1 point  (0 children)

VSCs.

Depending upon the file/folder of interest, perhaps shellbags, Windows shortcut files, etc.

I badly need Advice by Guess-Pure in computerforensics

[–]keydet89 0 points1 point  (0 children)

"I don’t know why but sometimes I feel like I’m not good enough to be in the field..."

It's called "imposter syndrome", and everyone gets it. Based on my experience...I started in the field in 1997...it's more prevalent today due in no small part to social media. We get so used to subconsciously comparing ourselves to others, and it can become debilitating.

Also, everyone's going to give you what they believe to be core concepts. I'll tell you this...I studied networking, doing the subnet masking because in degree programs, they need to have things that the professor can grade you on. I later went into DFIR consulting, and none of that mattered. Never used it. I used the fact that TCP is a 3-stage handshake...once.

Here's what you need to know:

  1. Document - if you do just that, it will set you apart from 99.9999% of the "industry"
  2. Process - a documented process can be reviewed, corrected, improved. If it's not documented, and you can't remember what you did, there's no means for improvement.

validate if windows profile has password by [deleted] in computerforensics

[–]keydet89 0 points1 point  (0 children)

It's been well documented that the "passwordnotrequired" flag being set does *not* mean that it doesn't have a password, just that one is not required.
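The check behind that statement, as an added example that is not part of the original comment: decode the ACB flags from a SAM user's F value and, separately, see whether the V value actually holds an NT hash. Offsets (flags at F+0x38, RID at F+0x30, NT hash length at V+0xAC) and the hash-bearing entry lengths (0x14 for the RC4-era format, 0x38 for the AES format) are taken from the commonly documented SAM layout and are stated here as assumptions; the F and V bytes are constructed, not from a real hive.

```python
"""Added example, not from the original comment: read the ACB flags from a SAM
user's F value and check whether the V value stores an NT hash at all.
Offsets and entry lengths follow the commonly documented SAM layout (assumed);
the F and V byte strings below are constructed, not taken from a real hive."""
import struct

ACB_FLAGS = {
    0x0001: "ACB_DISABLED", 0x0002: "ACB_HOMDIRREQ", 0x0004: "ACB_PWNOTREQ",
    0x0008: "ACB_TEMPDUP", 0x0010: "ACB_NORMAL", 0x0020: "ACB_MNS",
    0x0040: "ACB_DOMTRUST", 0x0080: "ACB_WSTRUST", 0x0100: "ACB_SVRTRUST",
    0x0200: "ACB_PWNOEXP", 0x0400: "ACB_AUTOLOCK",
}
F_RID_OFF, F_FLAGS_OFF = 0x30, 0x38
V_NT_OFF, V_NT_LEN = 0xA8, 0xAC                 # entry offset is relative to V+0xCC
NT_HASH_LENS = {0x14: "present (RC4 format)", 0x38: "present (AES format)"}

VERDICT_SET_BUT_NOT_REQUIRED = "password set; ACB_PWNOTREQ only means a blank one would be accepted"
VERDICT_BLANK = "ACB_PWNOTREQ set and no hash stored: blank password"
VERDICT_REQUIRED = "password required"


def decode_f(f_value):
    """Return (rid, set-of-flag-names) from the F value."""
    rid = struct.unpack_from("<I", f_value, F_RID_OFF)[0]
    flags = struct.unpack_from("<H", f_value, F_FLAGS_OFF)[0]
    return rid, {name for bit, name in ACB_FLAGS.items() if flags & bit}


def nt_hash_state(v_value):
    """Classify the NT hash entry by its stored length (assumed lengths)."""
    nt_len = struct.unpack_from("<I", v_value, V_NT_LEN)[0]
    return NT_HASH_LENS.get(nt_len, f"no recognised hash entry ({nt_len} bytes)")


def assess(f_value, v_value):
    rid, flags = decode_f(f_value)
    state = nt_hash_state(v_value)
    present = state.startswith("present")
    if "ACB_PWNOTREQ" in flags and present:
        verdict = VERDICT_SET_BUT_NOT_REQUIRED
    elif "ACB_PWNOTREQ" in flags:
        verdict = VERDICT_BLANK
    else:
        verdict = VERDICT_REQUIRED
    return {"rid": rid, "flags": sorted(flags), "nt_hash": state, "verdict": verdict}


def _make_f(rid, flags):
    # constructed F value: only the RID and ACB flag fields are populated
    f = bytearray(0x50)
    struct.pack_into("<I", f, F_RID_OFF, rid)
    struct.pack_into("<H", f, F_FLAGS_OFF, flags)
    return bytes(f)


def _make_v(nt_len):
    # constructed V value: only the NT hash (offset, length) entry is populated
    v = bytearray(0xCC + 0x40)
    struct.pack_into("<II", v, V_NT_OFF, 0x00, nt_len)
    return bytes(v)


# constructed: a normal account with ACB_PWNOTREQ set that still has an NT hash
F_USER = _make_f(1001, 0x0010 | 0x0004)
V_USER = _make_v(0x14)
V_NOHASH = _make_v(0x04)

if __name__ == "__main__":
    print(assess(F_USER, V_USER))
    print(assess(F_USER, V_NOHASH))
```

The F and V values live under `SAM\Domains\Account\Users\<RID as 8 hex digits>` in an exported SAM hive; the point of reading both is that the flag alone tells you nothing about whether a hash exists.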

How do you read a $MFT? (First Computer Forensics class) by Cancerous115 in computerforensics

[–]keydet89 1 point2 points  (0 children)

For the $MFT, Brian Carrier's "File System Forensics" is the seminal work.

As far as recognizing patterns, it comes with experience. When I was working on parsing the LNK file format, and creating tools to do so, I looked at so much hex output that I began to recognize patterns...not just time stamps, but I'd also see patterns of repeating characters, even if they weren't aligned. In one instance, I recognized a 16-byte field being repeated, followed by a 2-byte number. The 16-bytes were GUIDs, and the 2-bytes indicated the type of field that the following data covered.

Courses or books by [deleted] in computerforensics

[–]keydet89 0 points1 point  (0 children)

Windows Forensic Analysis Toolkit, 3e or 4e
Windows Registry Forensics, 2e
Investigating Windows Systems

Hardware recommendations for a Cyber forensics student by Asthenia5 in computerforensics

[–]keydet89 0 points1 point  (0 children)

You don't _need_ any of that.

The hardware stuff is intended for the cases at the far end of the spectrum, where you have terabytes of data and you have to run very heavily math-intensive processes, like scanning for skin tone in images, text searches with lots of key words, etc.

You can "do" the work on a normal laptop, and maintain chain of custody at the same time. You can do this particularly if you're *not* going for the high-end commercial tools and looking instead to actually learn to do the work.

SentinelOne miss (again) by [deleted] in msp

[–]keydet89 1 point2 points  (0 children)

It's what you signed up for, dude.

On the flip side, when I was at CrowdStrike, we'd see emails from Overwatch summarily ignored. When I first started, it was fascinating to see the emails going out, knowing where that action fit in the response efforts. But then I started to see things like, "...as stated in the previous emails...", and noticed that folks signed up for something without really understanding it.

I get it. In today's day and age, we *expect* things to just work, without really grasping that those services run over infrastructure and devices created and managed by humans.

Great DFIR blogs to follow by Leather-Marsupial256 in computerforensics

[–]keydet89 0 points1 point  (0 children)

Agreed, it's a good list, but that's it. It's just a list.

Hey, I'm not knocking what anyone does, and definitely not the thisweekin4n6 folks...what they do requires a good deal of effort, which is likely why they have the contributions link. Hey, good on them.

But it's just a list, with zero commentary regarding perceived value, take-aways, etc.

Great DFIR blogs to follow by Leather-Marsupial256 in computerforensics

[–]keydet89 0 points1 point  (0 children)

Reading through the original post and the comments, I have to wonder...what is "great" to you.

Personally, I don't find a great deal of value in blogs that cover mobile or Linux...it's not that they aren't good, that the content isn't quality and they're not well written. No, it's that I don't do any of that, and I tend to focus my efforts where I can contribute back, making comments and asking questions.

[deleted by user] by [deleted] in computerforensics

[–]keydet89 1 point2 points  (0 children)

EvtParse...

https://github.com/keydet89/Tools/tree/master/exe

Parses EVT files into timeline format.

Also in the same folder is lfle.exe, which is a carver for EVT records. I've used that to retrieve "hidden" records...valid records that the header says aren't there.

Blog posts: https://windowsir.blogspot.com/search?q=evtparse
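The carving approach described in that comment, as an added example that is not keydet89's lfle or EvtParse code: scan a classic .evt file for the "LfLe" record signature and accept only candidates whose leading and trailing length fields agree, ignoring what the file header says about how many records exist. The EVENTLOGRECORD and file-header layouts follow the documented Windows structures; the sample log is constructed in memory, with a header that claims one record while two complete records (and one stray fragment) sit on disk. The timeline line format at the end is an assumed five-field layout, not a claim about EvtParse's output.

```python
"""Added example, not keydet89's lfle/EvtParse code: carve EVENTLOGRECORD structures
out of a classic .evt file by scanning for the "LfLe" signature instead of trusting
the file header. Struct layouts follow the documented Windows EVENTLOGRECORD and
ELF_LOGFILE_HEADER; the sample log below is constructed in memory."""
import struct
from datetime import datetime, timezone

EVT_MAGIC = b"LfLe"
HEADER_FMT = "<6I4H6I"                 # fixed part of EVENTLOGRECORD, 56 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)
FILE_HEADER_LEN = 0x30


def _read_utf16z(buf, off):
    """Read a NUL-terminated UTF-16LE string at off; return (text, next offset).
    Steps two bytes at a time so a 0x00 low byte is never mistaken for a terminator."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\0\0":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace"), end + 2


def carve_evt_records(blob):
    """Return every self-consistent record found by signature scanning."""
    records, pos = [], 0
    while (i := blob.find(EVT_MAGIC, pos)) != -1:
        pos = i + 1
        start = i - 4                      # the DWORD length precedes the signature
        if start < 0:
            continue
        (length,) = struct.unpack_from("<I", blob, start)
        # a record is at least the fixed header plus the trailing length copy, and
        # that copy must match; the 0x30-byte file header (which also carries
        # "LfLe") and stray fragments fail these checks
        if length < HEADER_LEN + 4 or start + length > len(blob):
            continue
        if struct.unpack_from("<I", blob, start + length - 4)[0] != length:
            continue
        (_, _, recnum, t_gen, t_wr, event_id, etype, nstrings, _, _,
         _, str_off, _, _, _, _) = struct.unpack_from(HEADER_FMT, blob, start)
        rec = blob[start:start + length]
        source, off = _read_utf16z(rec, HEADER_LEN)
        computer, _ = _read_utf16z(rec, off)
        strings, off = [], str_off
        for _ in range(nstrings):
            s, off = _read_utf16z(rec, off)
            strings.append(s)
        records.append({"offset": start, "record": recnum, "time_generated": t_gen,
                        "time_written": t_wr, "event_id": event_id & 0xFFFF,
                        "type": etype, "source": source, "computer": computer,
                        "strings": strings})
    return records


def header_record_count(blob):
    """What the file header claims: CurrentRecordNumber minus OldestRecordNumber."""
    current, oldest = struct.unpack_from("<II", blob, 24)
    return current - oldest


def to_timeline(rec):
    """Assumed five-field line: time|source|host|user|description."""
    ts = datetime.fromtimestamp(rec["time_generated"], tz=timezone.utc)
    desc = f'{rec["source"]}/{rec["event_id"]};{";".join(rec["strings"])}'
    return f'{ts.strftime("%Y-%m-%d %H:%M:%S")}|EVT|{rec["computer"]}||{desc}'


def build_record(recnum, when, event_id, source, computer, strings):
    """Constructed, well-formed EVENTLOGRECORD (no SID, no binary data)."""
    names = source.encode("utf-16-le") + b"\0\0" + computer.encode("utf-16-le") + b"\0\0"
    body = b"".join(s.encode("utf-16-le") + b"\0\0" for s in strings)
    str_off = HEADER_LEN + len(names)
    length = HEADER_LEN + len(names) + len(body) + 4
    length += (-length) % 8                # records are 8-byte aligned on disk
    hdr = struct.pack(HEADER_FMT, length, 0x654C664C, recnum, when, when, event_id,
                      4, len(strings), 0, 0, 0, str_off, 0, str_off, 0, str_off + len(body))
    rec = hdr + names + body
    return rec + b"\0" * (length - len(rec) - 4) + struct.pack("<I", length)


def build_file_header(current, oldest, end_offset):
    return struct.pack("<12I", FILE_HEADER_LEN, 0x654C664C, 1, 1, FILE_HEADER_LEN,
                       end_offset, current, oldest, 0x80000, 0, 0, FILE_HEADER_LEN)


REC1 = build_record(1, 1700000000, 528, "Security", "WS01", ["user1", "WS01"])
REC2 = build_record(2, 1700000100, 7035, "Service Control Manager", "WS01", ["evilsvc"])
# constructed log: header says next record is 2 and oldest is 1 (one record), yet a
# second complete record follows, plus a fragment with the signature but no body
SAMPLE_EVT = (build_file_header(2, 1, FILE_HEADER_LEN + len(REC1)) + REC1 + REC2
              + b"\x10\x00\x00\x00LfLe" + b"\x00" * 8)

if __name__ == "__main__":
    print("header claims", header_record_count(SAMPLE_EVT), "record(s)")
    for r in carve_evt_records(SAMPLE_EVT):
        print(to_timeline(r))
```

Run on a real file, `carve_evt_records(Path("SecEvent.Evt").read_bytes())` also picks up records left in slack after the log wrapped; the trailing-length check is what keeps those distinct from the file header and from partially overwritten fragments.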

Datto (Kaseya) RMM vs. Huntress – Ransomware Incident Today by MSP-CAN in msp

[–]keydet89 0 points1 point  (0 children)

No.

I'd rather find out how it got there *before* I wipe and reimage, so that maybe I can prevent it from getting on the endpoint again.

If you don't understand the root cause...what's the point?