Thank You and Some jIIr Updates

Thursday, May 9, 2013 Posted by Corey Harrell

Thank You

Earlier in the year I sent out a tweet that was driven by disappointment. This blog is for personal use, so I barely discuss what kind of work I do. I was in a pretty cool job. On the one hand I provided digital forensic support for security incidents, fraud, and investigations. On the other I was doing pen testing against public sector organizations. This was the role that made me want to get into incident response. I knew how to attack systems as well as investigate them. It seemed like a natural starting point for my journey into incident response. My tweet hinted at the fact that my role was changing; a change that didn't align with my career goals in InfoSec.

I received an overwhelming response from the DFIR community, with people offering help in any way they could. I also received support from people I know locally. I may not have taken anyone up on their offer for help, but I did appreciate it. It meant a lot and made me realize I have a lot more people I can reach out to than I thought.

Thank you. Thank you to everyone who reached out to me and offered me support.

This Is a Personal Blog but ….

jIIr has always been a personal blog, and the content revolves around my personal research and interests. However, I am influenced by the work I do for eight hours a day, and it gives me ideas to research. A few weeks back I started in my new position. My primary responsibilities are internal incident response and compliance security testing. I can see the research ideas pouring into my mind as I type this sentence. My blog hopper is already full of things I need to write about. You may see the blog become a little more focused on items related to incident response (from the internal perspective) with a sprinkle of pen testing.

Disclaimer: anything you see on this blog is personal and has nothing to do with my employer.

Malware Analysis Course

Hopefully you didn't get your hopes up about the direction the content is going. You might notice I'm not updating the blog as frequently as I used to. I mentioned on Twitter a few times that I'm developing a course. I didn't really publicize what I'm working on or the impact it's had on my ability to do research and blogging. I'm developing the Malware Analysis course for Champlain College's Master of Science in Digital Forensic Science program. The course development has been intense, and most of my personal time (and days off) has been focused on the course.

I remember taking college courses (both graduate and undergraduate) and afterwards thinking they were a complete waste of time. I took courses where I felt the content was lacking. I also took trainings where not only did they not cover the theory behind things, but there wasn't a defined process to what they were teaching. I even took trainings where I wanted more, but that content was provided in another course at an additional cost. I wanted Champlain College's Malware Analysis course to be nothing like what I experienced before. Instead, I wanted it to resemble the type of course I would love to take. The course is pretty intense, but at the end students will have explored a range of topics including: malware fundamentals, malware anti-forensics, how to find malware (both in memory and on disk), and how to reverse malware and exploits.

Next Project on the Horizon

After I finish the course I'm going to focus on a project I put on hold. Last summer I decided I had to write a book. There are some things I want to say, and the best format to do so is a book. I won't go into the details about the content at this time. However, I did want to provide a few teasers. If you have followed my blog for any length of time, then you know I frequently discuss the process I use to perform examinations. In some posts I show the process in action, such as the article Finding the Initial Infection Vector. What I haven't revealed is the detailed checklist I put together that goes along with the process. Just the Windows examination portion is about 60 pages. This checklist is going to be either Appendix A or B in my book.

A cool thing about having a detailed process is that it can be automated. I wrote some initial scripts to automate the majority of my process. I may release an early version of one script, but the detailed checklist will be accompanied by a tool or three to automate the examination process. The book will outline a process to follow and provide tools to make the process as fast as possible. The process is only a small piece of what I have in store. If you enjoy reading jIIr, learning about malware detection, and exploring attacks involving malware, then you won't be disappointed.

Detecting Fraudulent Documents

I updated the material for my technique to detect fraudulent documents by analyzing their metadata. I uploaded my latest slide deck to my jIIr site (PDF download) and new cheat sheets for Microsoft Word and Excel documents. My intention was to put together a white paper on the technique, but I didn't have the time. Now I'm probably just going to do a blog post on the topic (hopefully) as my formal good-bye to the fraud world.

  1. Hey Corey,
    Your blog is really maturing! I really like the methodology page. Nice job.

    I know I come back to my own blog posts to remember how to do something too. I should put up a methodology page of my own for ACL analysis. Good idea, thanks! (But that's going to be a lot of work.)

    Have you ever searched a topic and had your own blog come up in a link? I find that so funny.

  2. @itauditsecurity

    Thanks. Blogging is kind of funny. In the beginning it's tough picking content, writing, and editing. After a while it becomes natural and you get a feel for what you like to write about. I guess it does show more in the writing style and content in the posts.

    I ended up doing the methodology page to help me keep track of what posts go with what portion of my process. I always had my methodology documented; I just didn't advertise it until I put up the page. I find it's a nice way to bookmark things. I don't do much with ACL but I bet that type of resource would be helpful to others.

    It's definitely strange seeing your stuff in other places. What got me is I'm developing a course and I found myself using my material for the required readings. It really opened my eyes especially once I looked at the range of posts I've done over the years.
