Thursday, August 25, 2011

Forensics Reading List

This is the list that my professor has decided we need to read or be familiar with.
Thought I would pass it along in case someone wanted some Article to read, or want to add to it.

Required Reading List

Note: The instructor may make minor changes or add a few more papers to this list during the semester.

Module I: Digital Forensics: An Overview

  1. [Required] Gary Palmer, A Road Map for Digital Forensic Research,  Digital Forensic Research Workshop (DFRWS), Final Report, Aug. 2001.
  2. [Required] Sarah Mocas, Building Theoretical Underpinnings for Digital Forensics Research, Digital Investigation, vol. 1, pp. 61-68, 2004.
Module II: Forensics Basics and Criminalistics

No required readings. Here is a reference book.
  1. Richard Saferstein, Criminalistics: An Introduction to Forensic Science, 8th edition, Prentice Hall, Inc., 2004, ISBN: 0-13-111852-8.
Module III: Basic networking and OS Concepts: A Review
No required readings. Please read CprE 308 and 489 textbooks whenever needed.
  1. Andrew Tanenbaum, Modern Operating Systems, 2nd Edition, Prentice Hall, Inc., 2001, ISBN: 0-13-031358-0.
  2. Alberto Leon-Garcia and Indra Widjaja, Communication Networks: Fundamental Concepts and Key Architectures, 1st Edition, McGraw-Hill Companies, Inc., 2000, ISBN 0-07-022839-6.
Module IV: Advanced Topics in Computer and Network Forensics
Forensic Duplication and Analysis
  1. [Required] Brian D. Carrier and Joe Grand, A Hardware-Based Memory Acquisition Procedure for Digital InvestigationsJournal of Digital Investigations - March 2004 edition, 2004.
  2. [RequiredThe survey of disk image formatsCDESF Technical Working Group, September 2006.
(More will be added).
Cyber Forensics Tools and the Testing Thereof
  1. Encase Online Manual (on Lab Machines)
  2. FTK Online Manual (on Lab Machines)
  3. Bruce Schneier and John Kelsey, Secure Audit Logs to Support Computer ForensicsACM Transactions on Information and System Security, v. 1, n. 3, 1999.
  4. Alec Yasinsac and Yanet Manzano, "Policies to Enhance Computer and Network Forensics," in Proceedings of the 2001 IEEE Workshop on Information Assurance and Security United States Military Academy, West Point, NY, 5-6 June, 2001.
  5. Eoghan Casey, Practical approaches to recovering encrypted digital evidence, Digital Forensic Research Workshop (DFRWS), Aug. 2002.
  6. Matthew Geiger, Evaluating Commercial Counter-Forensic ToolsDigital Forensic Research Workshop (DFRWS), Aug. 2005.
PDA and Cell Phone Forensic Analysis
  1. [Required] Wayne Jansen and Rick Ayers, Guidelines on PDA Forensics, NIST, August 2004.
  2. [[Required] Mobile Device Forensics (Blackberry, Android),, 2009.
Network Surveillance
(Will be added).
Profiling Cyber Criminals
  1. Eric Shaw, Keven G. Ruby, and Jerrold M. Post, The Insider Threat to Information Systems: The Psychology of the Dangerous Insider, Security Awareness Bulletin, No. 2-98. 1998.
Network Attack Traceback and Attribution
IP Traceback
  1. K. Shanmugasundaram, et al, Payload Attribution via Hierarchical Bloom Filtersin Proceedings of the ACM CCS 2004.
  2. [Required] A. Belenky and N. Ansari, Ip traceback with deterministic packet markingIEEE COMMUNICATIONS LETTERS, vol. 7, no. 4, pp. 162�164, Apr. 2003.
  3. [Required] Alex C. Snoeren, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Beverly Schwartz, Stephen T. Kent, and W. Timothy Strayer,Single-Packet IP Traceback, IEEE/ACM Transactions on Networking (ToN), Volume 10, Number 6, pp. 721-734, December 2002.
  4. Micah Adler, Tradeoffs in Probabilistic Packet Marking for IP Tracebackin Proceedings of 34th ACM Symposium on Theory of Computing (STOC) 2002.
  5. D. Song and A. Perrig, Advanced and authenticated marking schemes for ip traceback, in Proc. of IEEE INFOCOMM 2001, Apr. 2001.
  6. [Required] M. F. D. Dean and A. Stubblefield, An algebraic approach to ip traceback, in Network and Distributed System Security Symposium (NDSS �01), Feb. 2001.
  7. [Required] Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson, Practical Network Support for IP TracebackProceedings of the 2000 ACM SIGCOMM Conference, pp. 295-306, Stockholm, Sweden, August 2000.
  8. Steve Bellovin, ICMP Traceback Nessages, Network Working Group Internet Draft, 2000.
Stepping Stone Attack Attribution
  1. [Required] A. Blum, D. Song, and S. Venkataraman, Detection of interactive steping stones: Algorithms and confidence bounds, in 7th International Symposium on Recent Advances in Intrusion Detection (RAID 2004), Sophia Antipolis, France, Sept. 2004.
  2. W. T. Strayer, C. E. Jones, I. Castineyra, J. B. Levin, and R. R. Hain, An integrated architecture for attack attribution, BBN Technologies, Tech. Rep. BBN REPORT-8384, Dec. 2003.
  3. [Required] X. Wang and D. S. Reeves, Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays, in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS 2003), Washington DC, USA, Oct. 2003.
  4. X. Wang, D. S. Reeves, and S. F. Wu, Inter-packet delay based correlation for tracing encrypted connections through stepping stones, in Proceedings of the 7th European Symposium on Research in Computer Security (ESORICS 2002), Zurich, Switzerland, pp. 244�263, Oct. 2002.
  5. D. L. Donoho, A. G. Flesia, U. Shankar, V. Paxson, J. Coit, and S. Staniford, Multiscale stepping-stone detection: Detecting pairs of jittered interactive streams by exploiting maximum tolerable delay, in Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), Zurich, Switzerland, Oct. 2002.
  6. X. Wang, D. S. Reeves, S. F. Wu, and J. Yuill, Sleepy watermark tracing: An active network-based intrusion response framework, in Proceedings of 16th InternatConference on Information Security (IFIP/Sec�01), Paris, France, June 2001.
  7. [Required] K. Yoda and H. Etoh, Finding a connection chain for tracing intruders, in Proceedings of the 6th European Symposium on Research in Computer Security (ESORICS 2000), Toulouse, France, Oct. 2000.
  8. [Required] Y. Zhang and V. Paxson, Detecting stepping stones, in Proceedings of the 9th USENIX Security Symposium, Denver, USA, pp. 171�184, Aug. 2000.
VoIP Security, Caller-ID Services, and Tracing Anonymous VoIP Calls
  1. [Required] R. Kuhn, T. Walsh, and S. Fries, Security Considerations for Voice Over IP SystemsNIST Special Publication 800-58, January 2005.
  2. [RequiredX. Wang, S. Chen, and S. Jajodia, Tracking Anonymous Peer-to-Peer VoIP Calls on the Internet, in Proceedings of ACM CCS, 2005.
P2P Forensics
  1. [Required Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay ShieldsForensic Investigation of Peer-to-Peer File Sharing Network, DFRWS 2010.
Botnets Investigative Analysis (Optional)

  1. Laurianne McLaughlin, Bot Software Spreads, Causes New Worries, IEEE DISTRIBUTED SYSTEMS ONLINE, Vol. 5, No. 6; June 2004.
  2. Bill Mccarty, Botnets: Big and Bigger, IEEE SECURITY & PRIVACY, JULY/AUGUST 2003.
  3. David Dagon, Guofei Gu, Cliff Zou, Julian Grizzard, Sanjeev Dwivedi, Wenke Lee, Richard Lipton, A Taxonomy of Botnets, NSF Cybertrust PI meeting, September 25, 2005.
  4. Felix C. Freiling, Thorsten Holz, and Georg Wicherski, Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks, tech report, Department of Computer Science, RWTH Aachen University, April 2005.
  5. Ramneek Puri, Bots & Botnet: An Overview, GSEC Practical Assignment Version, SANS Institute, August 2003.
  6. Evan Cooke, Farnam Jahanian, Danny McPherson, The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets, USENIX SRUTI'05: Steps to Reducing Unwanted Traffic on the Internet Workshop, Cambridge, MA, July 7, 2005.
  7. Know your Enemy: Tracking Botnets, word version.
  8. [Required] Anirudh Ramachandran, et al., �Revealing Botnet Membership Using DNSBL Counter-Intelligence,� in SRUTI '06.
  9. [Required] Cliff C. Zou and Ryan Cunningham. �Honeypot-Aware Advanced Botnet Construction and Maintenance," in the International Conference on Dependable Systems and Networks (DSN), June 25-28, Philadelphia, 2006.
  10. [Required] David Dagon, Cliff C. Zou, and Wenke Lee. "Modeling Botnet Propagation Using Time Zones," in 13th Annual Network and Distributed System Security Symposium (NDSS), p.235-249, Feb. 2-4, San Diego, 2006.

(Will be added).
Multimedia Forensics and Multicast Fingerprinting

  1. [Required] H. Chu, L. Qiao, and K Nahrstedt, "A secure multicast protocol with copyright protection," Proceedings IS&T/SPIE Symposium on Electronic Imaging: Science and Technology, San Jose, CA, Jan. 1999.
  2. [Required] B. Briscoe and I. Fairman, "Nark: Receiver-based multicast non-repudiation and key management," ACM Conference on Electronic Commerce, Denver, CO, Nov. 1999.
  3. [Required] I. Brown, C. Perkins, and J. Crowcroft, "Watercasting: Distributed watermarking of multicast media," Network Group Communication, Pisa, Italy, pp. 286-300, Nov. 1999.
  4. [Required] P. Judge and M. Ammar, "WHIM: Watermarking multicast video with a hierarchy of intermediaries," Proc. NOSSDAC, Chapel Hill, NC, Jun. 2000.
  5. R. Parviainen and P. Parnes, "Large scale distributed watermarking of multicast media through encryption," in Proc. of the IFIP TC6/TC11 International Conference on Communications and Multimedia Security Issues of the New Century, vol. 64, pp. 149�158, 2001.
  6. P. Judge and M. Ammar, "Security issues and solutions in multicast content distribution: a survey," IEEE Network, Jan./Feb. 2003.
  7. W. Trappe, M. Wu, Z.J. Wang, and K.J.R. Liu, �Anti-Collusion Fingerprinting for Multimedia�, IEEE Trans. on Signal Processing, vol 51, no 4, pp.1069-1087, special issue on Signal Processing for Data Hiding in Digital Media and Secure Content Delivery, April 2003.
  8. A. Eskicioglu, "Multimedia security in group communications: Recent progress in key management, authentication and watermarking," ACM Multimedia Systems, Special Issue on Multimedia Security 9, pp. 239�248, Sep. 2003.
  9. [Required] M. Wu, W. Trappe, Z.J. Wang, and K.J.R. Liu, �Collusion-Resistant Fingerprinting for Multimedia,� IEEE Signal Processing Magazine, Special Issue on Digital Rights: Management, Protection, Standardization, vol 21, no 2, pp.15-27, March 2004.
  10. Z.J.Wang, M.Wu, W. Trappe, and K.J.R. Liu, �Group-Oriented Fingerprinting for Multimedia Forensics,� EURASIP Journal on Applied Signal Processing, Special Issue on Multimedia Security and Rights Management, 2004:14, pp.2142-2162, Nov 2004.
  11. H. Zhao and K. J. R. Liu, "Bandwidth efficient fingerprint multicast for video streaming," IEEE Int. Conf on Acoustics, Speech and Signal Processing, May 2004.
  12. H. Zhao and K. J. R. Liu, "A secure multicast scheme for anti-collusion fingerprinted video," Global Telecommunications Conference, 2004.
  13. H. Zhao, M. Wu, Z.J. Wang, and K.J.R. Liu, �Forensic Analysis of Nonlinear Collusion Attacks for Multimedia Fingerprinting,� IEEE Trans. on Image Processing, vol 14, no 5, pp.646-661, May 2005.
  14.  Z.J. Wang, M. Wu, H. Zhao, W. Trappe, and K.J.R. Liu, �Anti-Collusion Forensics of Multimedia Fingerprinting Using Orthogonal Modulation,� IEEE Trans. on Image Processing, June 2005.
  15. [Required] H. Zhao and K.J.R. Liu, �Fingerprint Multicast for Secure Video Streaming,�  in IEEE Trans. on Image Processing.
Crime Scene Reconstruction: Evidence Linkage Discovery and Causal Reasoning
  1. [Required] J. Adibi, et al, The KOJAK Group Finder: Connecting the Dots via Integrated Knowledge-Based and Statistical Reasoningin Proceedings of the Sixteenth Innovative Applications of Artificial Intelligence Conference (IAAI-04), 2004.
  2. J. Zhang and V. Honavar, Learning Decision Tree Classifiers from Attribute Value Taxonomies and Partially Specified Data, in Proceedings of the International Conference on Machine Learning (ICML-03), 2003.
  3. [Required] J. Xu and H. Chen, The Topology of Dark Networks, Communication of ACM, Vol. 51, No.10, October 2008.
Stock Spam

  1. [Required] Frieder and Zittrain, Spam Works: Evidence from Stock touts and Corresponding Market Activity, working paper, March 2007.
  2. [Required] Hanke and Hauser, On the Effects of Stock Spam E-mails, working paper (later version published in the Journal of Financial Markets, 11(1), February 2008.
  3. [Required] Bohme and Holz, The Effect of Stock Spam on Financial Markets, working paper (also published in WEIS 2006), April 2006.

Case Studies
No required readings.
Module V: Investigative Techniques from Intrusion Detection and Response

  1. [RequiredH. Debar, M. Dacier, and A. Wespi, A Revised Taxonomy for Intrusion-Detection Systems, Research Report of IBM Zurich Research Lab, 1999.
General Model
  1. D. Denning, An Intrusion-Detection Model, 1986.
  2. R. Maxion and K. M. C Tan, Benchmarking Anomaly-Based Detection Systems, 2000.
Detection Method

Misuse Detection

  1. K. Ilgun, R. A. Kemmerer, and P. A. Porras, State Transition Analysis: A Rule-Based Intrusion Detection Approach, 1995.
  2. C. Y. Chung, M. Gertz, and K. Levitt, DEMIDS: A Misuse Detection System for Database Systems, 1999.

Anomaly Detection

  1. H. S. Javitz and A. Valdes, The SRI IDES Statistical Anomaly Detector, 1991.
  2. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, A Sense of Self for Unix Processes, 1996.
  3. D. Wagner and D. Dean, Intrusion Detection via Static Analysis, 2001.
  4. R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni, A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors, 2001.
Learning (or Data Mining) Based Approaches
  1. C. Warrender, S. Forrest, and B. Perlmutter, Detecting Intrusion Using System Calls: Alternative Data Models, 1999.
  2. A. Valdes and K. Skinner, Probabilistic Alert Correlation, 2000.
Implementation Issues
  1. B. Mukherjee, L. T. Heberlein, and K. N. Levitt, Network Intrusion Detection, 1994.
  2. F. Kerschbaum, E. H. Spafford, and D. Zamboni, Using Embedded Sensors for Detecting Network Attacks, 2000.
  3. P. A. Porras and A. Valdes, Live Traffic Analysis of TCP/IP Gateways, 1998.
  4. J. S. Balasubramaniyan, J. O. Garcia-Fernandez, D. Isacoff, E. H. Spafford, and D. Zamboni, An Architecture for Intrusion Detection Using Autonomous Agents, 1998.
  5. S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, J. Rowe, S. Staniford, R. Yip, D. Zerkle, The Design of GrIDS: A Graph-Based Intrusion Detection System, 1999.
  6. W. Lee, W. Fan, M. Miller, S. Stolfo, and E. Zadok, Toward Cost-Sensitive Modeling for Intrusion Detection and Response, 2001.
Evaluation Issues
  1. N. J. Puketza, K. Zhang, M. Chung, B. Mukherjee, and R. A. Olsson, A Methodology for Testing Intrusion Detection Systems, 1996.
  2. R. P. Lippmann, D. J. Fried, I. Graf, J. W. Haines, K. P. Kendall, D. McClung, D. Weber, S. E. Webster, D. Wyschogrod, R. K. Cunningham, and M. A. Zissman, Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation, 2000.
  3. R. P. Lippmann, J. W. Haines, D. J. Fried, J. Korba, and K. Das, The 1999 DARPA Off-line Intrusion Detection Evaluation, 2000.

Module VI: Steganography & Steganalysis
  1. [Required] Ross J. Anderson and Fabien A. P. Petitcolas, INFORMATION HIDING: AN ANNOTATED BIBLIOGRAPHY, 1999.
  2. Ross Anderson, Fabien A.P. Petitcolas, On The Limits of Steganography, 1998.
Module VII: Anonymity/Pseudonymity/P3P
  1. [Required] David Chaum, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms, CACM, v. 24, n. 2, pp. 84-88, 1981.
  2. [Required] David Chaum, The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability, Journal of Cryptology , 1/1, pp. 65-75, 1988.
  3. Michael Waidner. Unconditional sender and recipient untraceability in spite of active attacks. In Eurocrypt '89, volume Lecture Notes in Computer Science of 434, pages 302--319. Springer-Verlag, 1989.
  4. J. Bos and B. den Boer. Detection of disrupters in the DC protocol. In Lecture Notes in Computer Science 434 (Eurocrypt '89). Springer-Verlag, 1989.
  5. Ceki G�lc� and Gene Tsudik, Mixing Email with Babel, Proceedings of the 1996 Symposium on Network and Distributed System Security, 1996.
  6. [Required] P. Syverson, D. Goldschlag, and M. Reed, Anonymous Connections and Onion Routing, Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, IEEE CS Press, pp. 44-54, May 1997.
  7. [Required] Michael Reiter and Aviel Rubin, Anonymous Webtransactions with Crowds, ACM Transactions on Information and System Security, v. 1, n. 1, pp. 66-92, 1998.
  8. Adam Back, Ulf M�ller, and Anton Stiglic, Traffic Analysis Attacks and Trade-Offs in Anonymity Providing Systems, Lecture Notes in Computer Science, No. 2137, pp. 245, 2001.
  9. Clay Shields and Brian Neil Levine, A Protocol for Anonymous Communication Over the Internet, Proceedings of the 7th ACM Conference on Computer and Communication Security, Athens, Greece, Nov. 1-4, 2000.
  10. Rob Sherwood, Bobby Bhattacharjee, and Aravind Srinivasan, P5: A Protocol for Scalable Anonymous Communication, IEEE Symposium on Security and Privacy, 2002.
  11. Michael Freedman, Emil Sit, Josh Cates, and Robert Morris, Introducing Tarzan, a Peer-to-Peer Anonymizing Network Layerthe First International Workshop on Peer-to-Peer Systems, 2002.
  12. [Required] Yong Guan, Xinwen Fu, Riccardo Bettati, and Wei Zhao, "An Optimal Strategy for Anonymous Communication Protocols," in Proceedings of the 22nd IEEE International Conference on Distributed Computing Systems (ICDCS 2002), June 2002.
  13. George Danezis, Roger Dingledine, David Hopwood, and Nick Mathewson, Mixminion: Design of a Type III Anonymous Remailer2003 IEEE Symposium on Security and Privacy, May 2003.
  14. B. N. Levine, M. K. Reiter, C. Wang and M. Wright, Timing attacks in low-latency mix systems, In Financial Cryptography: 8th International Conference, FC 2004.
  15. Michael K. Reiter and Xiaofeng WangFragile Mixing, ACM CCS 2004.
  16. Platform for Privacy Preferences (P3P) Project,, 2002.
  17. [Required] Anna Lysyanskaya, Ronald L. Rivest, Amit Sahai, Stefan Wolf, Pseudonym Systems, Selected Areas in Cryptography 1999, Lecture Notes in Computer Science.
Module VIII: Cyber Law, Security and Privacy Policies and Guidelines, and Legal Issues
  1. [Required] U.S. DoJ, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, US DoJ, 2002.
  2. Daniel Ryan and Gal Shpantzer, Legal Aspects of Digital Forensics, The George Washington University, 2000.
  3. J. Patzakis and V. Limongelli, Encase Legal Journal, Guidance Software, April 2004.
  4. SWGDE Document, Scientific Working Group on Digital Forensics, Arpil 2003.
  5. THE SEDONA PRINCIPLES: Best Practices Recommendations &Principles for Addressing Electronic Document Production, SEDONA Principles, Jan. 2004.
  6. ACPO GuideGood Practice Guide for Computer based Electronic Evidence, Association of Chief Police Officers,
  7. NIJ Guide, Electronic Crime Scene Investigation: A Guide for First Responders, 2001.
Module IX: Legal and Ethical Issues (Optional)
No required readings.
Module X: Court Report Writing and Testimony Skills
No required readings. Here are two useful documents:

  1. Judy Nodurft, Documentation and Writing Skills for Legal Reports, California Social Work Education Center (CalSWEC), University of California, Berkeley, 2001.
  2. ABA Litigation Section, Factors to Consider When Presenting Expert Testimony, ABA Litigation Section Annual Meeting, August 22, 2005.
Recent Cryptographic News on Hash Collision and Weakness
  1. Xiaoyun Wang and Dengguo Feng and Xuejia Lai and Hongbo Yu, Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD, Cryptology ePrint Archive, Report 2004/199,, August 2004.
  2. Eli Biham and Rafi Chen, Near-Collisions of SHA-0, Cypto'2004.
  3. NIST's NSRL Project response on recent cryptographic news on hash collision and weakness, 2004.

My Additions:

Blogs (I know I am missing some):

  1. Sans Forensics Blog
  2. Harlan Carvey
  3. Fist full of Dongles
  4. Digital Forensics Solutions
  5. Tao Security

Saturday, August 13, 2011

Coming to Terms – Growth of a Philosophy

I’m coming to terms,
I’m starting to learn,
This ain’t all it’s cracked up to be.

Those lyrics are by Carolina Liar and they seem to be a good explanation of what my first conference has done to me. I attended the 7th annual GFirst conference, and I learned SO much, wish it was longer, and the tracks ran longer, I missed out on a few incredible ones.

I took careful stock on where I am in my career, my skill sets, and where I see myself in the next 3-5 years. Not so much as long term hard and fast rules, but a few key things I want to accomplish. I feel that anyone who wants to be successful in their chosen field they must be willing to do a written plan, dedicate time to understand and grow their skill set, a frequent and honest audit of their skills and abilities, the capabilities to challenge their philosophies and make change as needed, and the willingness to admit that they do not know everything.

I am an incident responder that I know, I have always felt that I needed to be a proactive responder, instead I have realized that I am a reactive responder, attempting to put out fires with no historical information on how they started. Part of this is because where I am this is how it always has been, and another part is I have not felt comfortable in my strengths as a responder to propose changes. This has caused me to stay in the daily grind and allow others with more experience to help lead the team I am on in the directions that they see provide strengths and values. Gfirst has given me the strength to challenge that.

Another take away I grabbed from the conference is that there are very incredible and capable people in the field, whom can admit that they do not know everything and are not afraid to ask questions and seek advice of those who are considered subject matter experts. It helped reinforce the strength and conviction of those who I want to emulate and learn from, those who I would consider my idols.

The final take away from this that with some dedication and determination I can make positive changes within my environment, I can make a difference and that just by listening you can learn a lot from those Experts who are willing to share their knowledge.

When I go back into the office I will have celebrated my birthday, which also throws more perspective into it, some of the people I learned something from are younger than me, and have more experience than I do. The willingness to learn from these youngsters will require one to be humble, and willing to accept their guidance.

The first step I plan to implement is working at helping move the team I am involved in from a Reactionary Responder philosophy to a Proactive Responder, that are able to deploy and mitigate threats before our defensive mechanisms are updated. This means that I must get management onboard to understand the changes we need to do will increase our efficiency and lethality in responding to threats. To do this, I need to take the things I learned from Netwitness, Mandiant, Chris Sanders, Jason Smith, Andrew Case, Golden Richard. Chris Pogue, Karlo Arozqueta and even Dave Marcus, and deploy them on the network I work to defend.

The next step is to make a fundamental change in the way we monitor traffic. Currently we rely on a lot of reactive methods that alert us when they believe something is wrong in the network. By adopting proactive monitoring, watching and analyzing Layer 7 metadata we can find and set baselines for normal traffic. Then when we start seeing things that are outside the normal parameters we can take action, even if there are no known signatures to alert us on this traffic. As I learned in one of the GFirst presentations the following things can be looked at from Layer 7 to predict evil in the network:
  • Web Address Length
  • Spike ranking of an unknown website/IP
  • Spike of external data transfers
  • Many Others

·       The final step that I need to implement is to never get comfortable in my job. I need to push myself to learn or improve a process or technique every month. I need to get aggressive in my development and I need to push for greatness. I need to be willing to honestly audit my skills, development and work performance and work on decreasing inefficiencies and lackluster in these areas. This last step is the most important thing out there, I can never allow myself to become comfortable in my position, and neglect challenging my skills or philosophies when it comes to digital forensics and incident response, doing that means I will never give my best. This also will allow me to be the most lethal tool in my toolbox, because it will allow me to adapt to any threat that might appear in the network I defend. 

Challenge yourself, challenge your beliefs, challenge your skills, and above all challenge the acceptance of techniques that have always been.