Thursday, May 31, 2012

Summer is Coming...

Like the Starks, my new motto revolves around the coming season:  Summer is Coming.  In fact, tomorrow marks the beginning of one of my most anticipated months of the year.  In mere weeks, I will be journeying to Austin for none other than the legendary DFIR Summit.  I get to facilitate FOR408, practice my camera face for the 4Cast Awards (What do you mean E! won't be there?), and even participate in the SANS 360.

Gleeda the Good Owl - one of the helpful guides
You would think that talking for six minutes would be fairly easy for someone who enjoys talking as much as I do, but it is actually turning out to be quite the challenge.  Inspired by Jesse Kornblum's excellent DFIROnline presentation on storytelling, I've decided to attempt to tell a story - complete with illustrations (drawn by my amazing sister, Noelle Pettit Martin).  A few industry personalities may be making an appearance (see Gleeda the Good Owl, left) to help the protagonist on her way to deeper DFIR understanding.  But before I go making people wonder why on earth I was invited to speak in the first place, let me reassure you that, somewhere in the parables and PowerPoint, I will include what I hope are some useful tips and thoughts.

One such tip is that an examination isn't complete until it is communicated.  Below is a basic workflow to show how I break out my reports.  As always, this doesn't cover every eventuality, and merely shows what I myself do.

This can be used in conjunction with an article I wrote for the upcoming DFI News edition called "Report Writing"... check it out!

Let me know if you are coming to Austin.  I look forward to meeting many of the people I have gotten to know online.  Prepare yourselves... Summer DFIR is Coming!


  1. Replies
    1. Someday I will do one as awesome and ambitious as yours... I'm working myself up to it. Thanks for saying so - it means a lot!

  2. Hey GU,

    With such great illustrations your 360 talk is bound to be a hoot (get it?).
    Were they done old school freehand or via a software package? My internal wannabe artist is both curious and a whole lot jealous :)

    I can see you spruiking the T-shirts & hats featuring our soon-to-be favourite DFIR cartoon characters in the lobby ;)

    Thanks also for the cheat sheet preview. I look forward to reading all about it. But no FE logo in the corner?

    Stay 'tooned ...

    1. You are quite the one for puns, aren't you, Cheeky? :) I hope a hoot is within the realm of what people will be calling it...

      The drawings (by my oh-so-talented sis) were done freehand on a tablet using what I think was called Sketcher. Hmm. I'll double check and let you know.

      No plans to pawn my stuff on the poor Summit attendees, but I am planning to make some for me. My sister (is there anything she can't do?!) has an amazing embroidery machine, and I'm hoping to make myself some one-of-a-kind FE shirts to wear.

    2. Hey puns are fun!
      I'm sure you'll ACE your talk but just EnCase you don't feel confident just imagine the audience SANS clothes ... #PhilDunphy4President ;)

      Will those T-shirts also come with a cape for those more formal occasions? ie when walking/promenading with King Louis? :)

      So looking forward to seeing pics of your FE fashion line someday!

      Your glutton for pun,


  3. GU,
    Great write-up and cheat sheet! Any tool where we as examiners/analysts can visually present our thoughts is a win! The Swiss Army knife of report writing! Thank you for sharing.

    1. Thank you. I'm a fairly visual person, so I love graphics. It's good to know that it's helpful to more than just me!

  4. Nice cheat sheet! I'm looking forward to showing to the class in Austin. Are you volunteering to teach that section of FOR408? :-)

    1. I would never presume... besides, I'll be too busy soaking in your teaching. Incredibly excited to be a part of it!

  5. This is great, thanks for putting this together!

  6. Hello,

    First of all: great cheat sheet. I used it to fine-tune my own report template. Just a small question: what do you understand by "Methodology"? Is that, for example, SIFT Workstation, Timeline, ...?

    1. Thanks! Typically the Methodology section is used to list any software used and specific steps that were taken that led to your findings. Having this information helps ensure that your investigation is reproducible.