
Contribute to Learn: Building DFIR Expertise Through Open Source

BSides NYC · 2025 · 19:58 · 13 views · Published 2025-12
About this talk
Christopher Eng explores how contributing to open-source DFIR and incident-response tools accelerates learning and builds professional networks in the field. He shares his personal journey from digital forensics graduate to active contributor across projects like Velociraptor, KAPE, and ALEAPP, and provides practical entry points—documentation, testing, and code contributions—for newcomers without extensive development experience.
Transcript [en]

Awesome.

All right. Good afternoon, everyone. Um, just looking around. Are are there any like current students or recent graduates from college or anything around? Cool. Nice to see you guys. Um, this talk isn't I won't say centered towards you guys, but I hope you'll find it particularly useful, I guess, is the best way to put it. Um so Okay, cool. So, as as I got introduced, my name is Christopher. Um, I've had about 15 years in IT. Um, not specifically in digital forensic and incident response, but it's kind of where I've kind of brought my interest to, right? Um, I started out doing system administration, uh, development and programming and all the other stuff. Uh, and then I ended up being the, uh,

CIO over at Guttman Community College. So I don't know if you guys are, are you students from one of the CUNY colleges and stuff like that? Okay, cool. So it's always nice to see you guys around. So especially John Jay. So um as I said I went back to school actually afterwards um to learn about digital forensic science, uh graduated in 2023. Um and that left me a bunch of questions after I finished, right? It's like what did I want to do with this? Right? Because the world's your oyster. There's so many areas of digital forensic and incident response, right? Um the course work was great and all the >> this one small >> the small. Okay.

>> Yep. Is that good or assume you're good. Okay, cool. So, uh, before I go on, I just really want to quickly, you know, acknowledge my family. They're actually at a trunk or treat. Um, I was hoping to go to that, but, you know, I'm here instead with you all. Um, hopefully they'll save me some candy and stuff like that. So, um, and then one last note, right? Works and thoughts are solely my own and not my employer's. I'm not here in the capacity of, you know, from CUNY or Guttman and stuff like that. So, just want to get that out of the way. So, as I said, you know, why this talk? Um I had a few questions right after

graduation. It's like, where do I go from here? Was the first one, right? Um I wanted to know more, right? The classes that we had in there just kind of opened up everything for me. Um the other option was, you know, how how else can I really learn digital forensics and incident response, right? I took the classwork, did a degree and all the other stuff. Um you know, a lot of things that people do are other books, courses. CTFs are very popular, um doing certifications afterwards, records. Um, and those are definitely things you should do, right? If you're interested in doing that. Um, I've participated, as I mentioned, a few few uh digital forensics centered CTFs,

right? There's there's ones from Magnet, Belkasoft, um, multiple multiples of those, right? Um, they don't happen that often. They're like a yearly thing. Um, especially since since I already have like a day job, right? It's sometimes hard to find time to do those CTFs, right? Uh so you know that was one area. Another big question was how I can network, right? I didn't come from that field, you know. Um how do I meet other people, get mentors, learn from them and all the other stuff, right? Um as you know, right, networking is very important for any any job, right? Uh and that that's true for this area. Um the other thing you could do to network, right, uh very

popular thing is to do a lot of blog posts, right, um going on LinkedIn or like some people do YouTube and all the other stuff. Um those are always fun. Um there's there's like these Zeltser challenges where you try to do like a daily post on on various subjects and stuff like that. Um and then the last question is, you know, how can I specifically individually start contributing towards the field of digital forensics, right? Um so that's kind of what led me as a programmer to try to figure out like where is that going to lead me, right? Um, so we kind of come back to, you know, open source tools, right? Um, as I

said, I I'm kind of consider my day job kind of as a programmer. Um, and that's where I came from, right? So I'm kind of used to doing, you know, open source projects. You contribute to them and all the stuff. Um, and I figured Yeah. >> Sure. Yeah. I'm moving back, right? >> Okay. Yeah, not a problem. So, you know, as a programmer, doing those contributions, open source projects was kind of an area that I was comfortable with already. Um, and I figured, hey, you know, there there's a lot of open source projects in digital forensics and incident response. Um, maybe I can start contributing to them. Um, and if I do that, you know, what can I learn or gain

from doing that, right? Um, I'm sure you've probably seen a lot of the tools. Um some of them may not be open source per se. Um but they may have open source um components. Um you know KAPE isn't open source but they have a KAPE uh KapeFiles repository that is uh open for contributions to do that type of stuff. You have the various LEAPPs from Alexis Brignoni, right, you have ALEAPP, those are all for uh mobile forensics, um parsing those things. Um, Rapid7 and Michael Cohen, um, they have the, uh, Velociraptor project. Um, if you ever played around that, very useful for incident response and stuff like that. Um, Wireshark, right? That that that is

an open source project. Same with Ghidra for reverse engineering. The list goes on and on, right? Um, I'm sure many of you have used one at some point. You may not realize it, but they are there. Um, the question becomes, you know, how many of you actually have contributed to those projects, right? In some in some form, right? And that's kind of where I'm going to be coming from there, right? Um, ALEAPP itself, if you look at the contributors, it's only like 60 people have contributed to that project. Same with like KapeFiles, and Velociraptor is about 115, right? So, it's a pretty small community of of people who have actually like contributed and worked on those

projects, right? Um, open source tools, right? As as we talk about all these things, um, you know, the transparency there. So if you're trying to learn stuff and like figure out the artifacts and stuff like that, you can look at the source code and figure out and understand where it's getting that information from, right? That's a little bit different from like closed source programs and and all the other stuff. They're going to show you the artifacts, but you might not know where they came from, right? Especially as a student wanting to learn more and more of like how those artifacts work, you're going to want to know where they came from and how that tool pulled it,

right? Um so that's that transparency. Coming back to like customizable or agile, not the software methodology, but being able to quickly do it, right? Um, mobile applications, all the software, it's constantly changing, right? A new version comes out, the artifacts going to change, right? The vendor application, they're going to have to spend time or wait for development time to free up to make that change, right? Some vendors may only have like a a quarterly release schedule or something like that. So, you're going to have to wait until they update their software to use it, right? Um with an open source project, potentially, if if you know and you have that knowledge of that information, you could make that change

and contribute it to it, you know, like literally when you found it and stuff like that. You're going to move that bar much quicker essentially. Um but and then the other thing is they they offer honestly a great way to collaborate with people, especially across the world, right? A lot of us were working in our small silos with our company. It's the same people we're always talking to all the time. With an open source project you could be working with someone over, you know, totally different time zone, halfway across the world, in like like Australia or something like that. You're sharing ideas and learning from them essentially. So um but honestly in my opinion like

the biggest thing for me is that transparency, like I can see how that tool worked and got that artifact. Um, it's kind of funny like if you ever get like called into court or something like that, they may ask you, it's like, where is this coming from? Prove it and can you explain it? And if the tool is hiding that, you may not be able to do that. That that potentially is a weakness there. So cool. So there's kind of like a few ways, general ways to contribute to like open source projects, right? We kind of talked about already the uh documentation discussion, right? Just talking to people, looking at the discussions going on and like pull

requests and issues and stuff like that. Um this is especially important for someone starting out. Don't just like jump in there and try to like change everything in the project, right? You need to get the lay of the land. Try to understand where are the maintainers going for this project. Um how do they like to work, right? Especially if you're going to try to contribute, you have to do your due diligence on what they're looking for from you, right? Um to do all that stuff. Um other ways to contribute is test and validation, right? Going back to that thing where like software constantly changes, right? So let's just say for example, ChatGPT, the desktop client comes out with a new

version or an update or something like that. Um KAPE, if I remember correctly, has a parser for that. It may not work on the new version, right? You might test it. If you find that it doesn't work, if you can figure out what what broke or what changed, right, you can make that suggestion to maybe reach out to the uh the original author of the plugin. Um, and you might be able to work with them to to uh add in that capability essentially, right? Um, and then the last thing, right, the last one of there is is the big guy, right? The pull request, right? Those are actually making those contributions, right? Pushing them into the project and then

getting it like accepted in essentially, right? So all three of these are kind of interlinked, right, because if you're doing documentation, honestly you should put that in as a pull request at the end of the day. If you're doing test and validation, there should be some sort of result from that and you'll end up doing a, you know, pull request from that. So um you know as as the little meme says, you know, just using the forensic tool, that's great, you're going to get information and all the other stuff, but contributing to it, that's like the next step essentially. So cool. So kind of like my personal journey in this whole thing, right? Um I

kind of started with uh kind of some research in like Windows Notepad. Um that manifested itself in publishing like a tool and research on GitHub. Um during that research I kind of ended up collaborating with a bunch of other people once again across the world. Um looking at it, right? And that kind of that was like the light bulb in my head. It's like, oh, this is a great way to like actually learn, talk, and work with other people that I normally would never have the chance to, especially cuz, you know, I'm this is not my field that I'm working in, right? Um, so from there, you know, I moved on to it's like I used

KAPE a lot, right, in in my coursework and all the other stuff. So, I might as well play around with that. Um, so looked at that, did a few targets and modules. Same thing. Um, Velociraptor, I wanted to learn more on how to use that tool. Um so you know dove into that, same thing, um in the course of doing that submitted a few artifacts. Again, same with ALEAPP, which is an interesting one. Um that actually spawned off of uh the Belkasoft CTF that recently happened essentially. So they had a uh image of a a mobile phone essentially with um IMAP email artifacts, um and at the time ALEAPP wasn't able to actually parse that artifact,

but Belkasoft software actually pulled that up. Um, and I was like, you know, it's it's missing from it. You might, we might as well add it here essentially. Um, so that resulted in, you'd have to do the research to understand where is it getting it from and write out the uh the parser and all the other stuff for for ALEAPP. So, um, honestly, CTFs are are are great way to like get into it, right? Um, if if you find one that the tool doesn't parse or something like that, you you can make that, right? You have a data set already for you that's been provided um for the CTF. So

cool. So going back, the uh getting started tips, right, for people essentially, right? Um honestly, you don't really have to be a developer to start with this. Um I'm I'm sure many of you already know programming languages and stuff like that. But um if you're just starting out, honestly, the best place to start, right, is with documentation. Documentation is so important for any any sort of tool, right? People need to know how to use it and use it appropriately. Um, and this even goes down to like if you're looking at certain artifacts, are you understanding what you're seeing there? Right? Just because a time stamp says something, is that timestamp telling you what you think it's, you know, trying to tell you

and stuff like that. Um, so documentation is a good place to start. There's a lot of open source projects that, you know, may not have the greatest documentation or it has some room for improvement or it's slightly outdated essentially. Um so in the process of writing that documentation you yourself are going to learn, or you're going to need to learn, how to use the tool obviously. Um but that's a good place to start. You don't really need any programming experience. You just need to know how to use the tool. Um the the other thing is participate in those discussions. We kind of talked about it earlier, but the like issues and stuff like that, bugs that people bump into or

or questions they have. Look at the ones that have been closed already, right? The ones that have been solved in the past, right? Because they may have come across something and didn't understand like an artifact or or a feature. Um, and if you read that, you may see the solution and you'll end up learning from there, right? Um, conversely, like if you started to learn how to use it, you may see like a uh answer to like that you could provide um to someone looking for stuff like that. So, um it's just a great way to like give back to everyone and stuff like that. Um and then right going back to the example of testing and

I think it's Oregon

Should I just hold it or >> tends to be closer? >> Okay. Yeah. >> Um last thing is like um testing and validating changes and stuff like that. That that's going back to the example of um new versions, right? Um you can help do that, right? If if you have that version already, you can you can run the tool, figure out if it's getting back to you what you expect. If it's not, you know, you can once again work with someone to try to figure out what's going on there. So, um, the last thing I'll kind of leave you all, I think, is with kind of like a call to action, right? Um, so, right, Eric Zimmerman with KapeFiles.

Um, they're they've been looking for people to help update the documentation on the various plugins. Um that's specifically to provide um documentation on the actual plugins itself, like the artifacts, um what they mean, how to actually understand what they're providing and stuff like that. Um they they've been looking for help since 2021. It it's ripe for that, right? It literally, all you have to go in there is add a link to like a blog post that you've written or someone else has written on that information. Um, same with Velociraptor. They have their artifact exchange. It's it's a really easy way to get your, you know, contribution, your foot in the door

there. So, um, but those are only two of them. Honestly, if you have a project that you're interested in or that you want to learn more about, that's a good place to start um to to bring that down essentially. So, but yeah, kind of kind of breeze through that really quickly. Um, so, um, if you want the slide deck, they're they're available there. Um, that that's kind of it for me. So, if anyone has any questions, feel free.

>> Awesome. >> Yeah. So if they are prone to burnout, how do you find the energy?

>> Yeah. >> Yep. Yeah. I mean that that's really rough, right? As I said, my day job has nothing to do with digital forensics, which which might help, obviously, honestly, right? Like my my normal job is like talking with people like in IT and and fixing those problems. Um I mean honestly for me at the moment, like this digital forensic stuff, remember these are projects that I'm interested in, right, or or they are artifacts that I have already found interesting in my mind to want to look at essentially. So, it's almost like a uh, it's I mean it's literally a side project, right? Um it's not really answering your question, but I would say like pick something that

you're already interested in, right? Because if you're not, then yeah, that that motivation is just not going to exist, right? Um but it doesn't make it easy, right? Like half this stuff I'm doing like when I get home, like an hour before bed, that type of stuff. Um I mean, the other thing to remember, it's like this isn't going to be quick, right? If you're going to be working on like a contribution or something like that, don't expect you to don't expect yourself like give yourself that grace. You're not going to finish it in like a day, right? It could take you like a month or something like that. And then even when you submit that pull request,

remember a lot of the other maintainers are also volunteers in this project. It may take another month for them to even like validate and accept your pull request, right? So it's it's fast, but it's not a fast world, right? Um, so just allow yourself that grace to like not not burn yourself out on that type of stuff. So So cool. Yeah. >> Yeah.

>> Yeah. >> Yeah. That's a good question. I I have a lab setup at home essentially, right? Um I have a, specifically I have a Hyper-V setup, but you any any type of virtualization, right? So that's specifically for like Windows desktop hosts and stuff like that. Um to do the the mobile forensics I ended up getting like an older Pixel phone and just rooting that essentially, and then you could pull down pull down the data from there. Um it is very important if you're going to do that, really document yourself like what steps you did to actually create that data set, right? So like, you know, going back to like the IMAP email example, right, you're gonna want to be

like, "Okay, I sent this email at this time. This was in it." And all this other stuff because it's going to just help you later on, you know, figuring out those artifacts. If you have those, if you don't have those notes, it's going to be a complete nightmare essentially. So, yeah,

I think we're good. Thank you.