Improvise Adapt Overcome

Tuesday, April 10, 2012 Posted by Corey Harrell

Everybody has a story about how they became involved in DFIR. Showing the different avenues people took to reach the same point can be helpful to others trying to break into the field. I’ve been thinking about my journey and the path that lead me to become the forensicator who I am today. This is my story …

My story doesn’t start with me getting picked up by another DFIR team, being shown the reins by an experienced forensicator, or being educated in a digital forensic focused curriculum. My story starts many years ago when I took the oath and became a United States Marine. The Marines instilled into me the motto: improvise, adapt, and overcome. When I was in the Marines, I didn’t get the newest equipment, the latest tools, or other fancy gadgets. Things happen and it was not always the best of circumstances but I had to make do with what I had by improvising, adapting, and overcoming. This motto was taught to me when I first entered the Corps. Gradually it became a part of who I was; it became second nature when I was faced with any kind of adversity. Reflecting back on my journey I can easily see I ended up in DFIR by improvising, adapting, and overcoming the various situations I found myself in. Before I discuss those situations I think it’s necessary to define what exactly the Marines’ motto means:


jIIr (Star Wars Character)

Improvise: leverage the knowledge and resources available. You need to be creative to solve the situation you are going through.

Adapt: adjust to whatever situation being faced. Whether if its things not going as planned, lack of resources, issues with employment, or just adversity while doing your job. Whatever happens you need to make adjustments and adapt to the situation at hand.

Overcome: prevail over the situation. With each situation conquered you come out more knowledgeable and in a better position to handle future adversity.

Did I Take the Wrong Job


I was first exposed to the information security field in my undergraduate coursework and the field captivated my interest. However, at the time security jobs in my area were scarce so I opted to go into I.T. One of my first jobs after I graduated was not the most ideal conditions. I picked up on this on my first day on the job. A few hours were spent showing me the building locations throughout the city, introducing me to a few people, and pointing out my desk. That was it; there was no guidance on what was expected of me, explaining the network, training, etc. In addition, hardly any resources were provided to us to do our jobs. To illustrate, we needed some basic equipment (cabling, crimpers, connectors, …) so I did research and identified the most cost effective equipment which came in around $300. My purchase request was denied and then I narrowed the equipment down to the bare minimum for about a cost of $70. This was still denied since it was $70 too much. This lack of support went across the board for everything in our office. You were asked to do so many things but virtually no support was provided to make you successful. As I mentioned before, this was not the most ideal working condition.

I adapted to the environment by dedicating my own resources to improve myself by increasing my skillset and knowledge. I didn’t have access to a budget so I learned how to use free and open source software to get the job done. I couldn’t rely on any outside help so I used my problem solving skills to find my own answers to problems or coming up with my own solutions. Within a short period of time I went from questioning my decision to take the job to becoming the one managing the entire Windows network. I had the flexibility to try and do what I wanted on the network. I even used the position to increase my security skills by learning how to secure the Windows network. In the end the job became one of the best places I worked at and my knowledge grew by leaps and bounds.

Landed My First InfoSec Gig


The way I improvised, adapted, and overcame the issue I faced at a previous employer helped me land my first information security position. I joined a network security unit within an organization’s auditing department. My initial expectation was to bring my technical expertise to the table to help perform security assessments against other New York State agencies. My first week on the job I encountered my first difficulty. The other technical person I was supposed to work with resigned and his last week was my first week. My other co-worker was an auditor so I didn’t have a technical person to bring me up to speed on what I needed to do. Adapting to this situation was easier because of the resources my organization provided me. I had at my disposal: books, Internet, a test network, servers, clients, great supervisors, access to previous completed work, and time. In addition to these resources, I drew on my years of experience in IT and the information security knowledge I gained in my Windows admin days. Over time I increased my knowledge about information security (at management and technical levels) and I honed my skills in performing security assessments. On my first engagement where I helped come up with the testing methodology against an organization we were highly successfully. Within an extremely short period of time we had full control over their network and the data stored on it.

Welcome to DFIR


As I said I’m in a security unit within an auditing department. One activity other units in my department perform is conducting fraud audits. As a result, at times auditors need assistance with not only extracting electronic information from networks but help in validating if and how a fraud is occurring. I was tasked with setting up a digital forensic process to support these auditors even though I didn’t have any prior experience. I accepted the challenge but I didn’t take it lightly because I understood the need to do forensics properly. I first drew on my previous experience in evidence handling I gained when I managed the video cameras not only mounted in vehicles but scattered throughout the city. I even reached out to a friend who was a LE forensicator in addition to using the other resources I had available (training, books, Internet, test network, and time). I overcame the issue of setting up a digital forensic process from scratch. I established a process that went from supporting just my department to numerous departments within my organization. A process capable of processing cases ranging from fraud to investigations to a sprinkle of security incidents.

Improvise – Adapt – Overcome


The Marines instilled in me how to overcome adversity in any type of situation. This mentality stayed with me as I moved onto to other things in life and it was a contributing factor to how I ended up working DFIR. Whenever you are faced with adversity just remember Gunny Highway’s words:


Forensic4cast Awards


Forensic4Cast released the 2012 award nominees. I was honored to see my name listed among the nominees (blog of the year and examiner of the year). I am in outstanding company with Melia Kelley (Girl, Unallocated) and Eric Huber (A Fistful of Dongles) both of which are outstanding blogs. For Examiner of the Year I’m accompanied with Kristinn Gudjonsson (log2timeline literal changed how I approach timelines) and Cindy Murphy whose everyday efforts are improving our field. Both of these individuals are very deserving of this award. It’s humbling to see my work reflected in the Forensic4Cast awards especially since it was only about four years ago when my supervisor’s simple request launched me into the DFIR community. I wanted to say thank you to those who nominated me and wanted to encourage anyone who hasn’t voted for any of the nominees to do so. People have put in a lot of their own time and resources to improve our community and they deserve to be recognized for their efforts.
Labels:
  1. Cool post Corey.

    It truly shows the benefits of having a can-do attitude.
    As a newbie to the field, I sometimes think that I really should "harden up" and focus on my objectives more and ignore any (perceived/real) setbacks. Just like the Marines.

    I would like to add one more activity which the Marines may have overlooked - "Ask!"

    I'm not sure where it fits in the cycle but just by reaching out to/asking more experienced DFIRers, I have been able to achieve a lot more than I thought possible. eg project ideas I never would have thought of.

    Admittedly, not everyone has responded to my requests but the ones that have (such as yourself) make me feel like I'm a part of a wider caring/sharing community.
    And if I manage to get a project working, it feels doubly-great knowing that I have potentially helped others in the community.

    I'll finish up with my favourite quote in "Heartbreak Ridge". I'm not trying to make a point - I just found it pretty funny ...

    Gunny Highway: "The Marines are looking for a Few Good Men ... Unfortunately, you ain't it!"

    Cheers

  2. Corey,

    I'm right there with you, bud. As a CommO, we didn't have all the RC-292 antennas we needed, so we communicated by tying together "slash wire" in the right lengths, tying string around a rock to get that antenna up high in a tree, etc. But you know something...that made us able to think outside the box and operate in ways and places that the folks with all the new, high-speed gear would get bogged down in.

    The same is true with DFIR. Why pay thousands of dollars for a full-on commercial product when all you need is some small functionality right now, when you can achieve it with a few minutes of coding?

    As operating systems become more complex (than they already are) and attacks become more "sophisticated", commercial forensic analysis applications are going to fall further and further behind. Not only that, analysts who rely on those tools will fall further behind, as well.

    You've provided such a great service to the community by digging into VSCs, as well as posting the results of your exploit artifacts testing. In fact, those posts alone should firmly cement your qualifications for one of the upcoming Forensic4Cast awards.

    Good luck, Corey, and Semper Fi.

  3. Corey,
    Thanks for sharing your background. Interesting. I love to improvise.

    Reminds me of the time I had to get a Fortune 100's CEO's problem fixed in 30 minutes..required changes to his PC and a firewall change. I improvised real fast, and called in a lot of favors to get help from a couple departments.

    I really admire your passion!

    p.s. Really weird, but I swear I've typed those same 2 captcha words before, if not on your blog, somewhere else.

Post a Comment