Lodrina, tell us about yourself and how you first got started in digital forensics.
Growing up outside Silicon Valley during the first dot-com boom, I was always interested in technology and luckily had access to the early web and programming classes. While I didn’t know about forensics as a career when I was younger, I consumed anything computer-related in school and did content for websites and communities at AOL.
What I saw as a logical progression from my teenage interests led me to pursue computer science in college. While the logic and problem-solving side of CS fascinated me – cryptography remaining one of my favorite courses to this day – I became less interested in programming itself and took some time to figure out where in the technical world would be the best fit for me career-wise. After getting my CS degree, my days had me pursuing other interests like working in the bicycle industry while racing on the weekends. During evenings I benefitted from living in Boston by taking classes at different colleges in related topics like technical writing, law, and policy. I had the good fortune of being instructed by a retired FBI cyber agent in one of these classes along the way, and she turned me on to where I could take classes to learn more about forensics, which led directly to my first job in the field.
You wear a lot of different hats, as a SANS instructor, a security analyst, and a contributor to online digital forensics resources. Is there a typical day in your life, and if so, what does it look like?
Because I have so many interests within DFIR and outside of it, my typical day in the life feels anything but routine! In the perfect day I’ll commute to Cybereason in Boston using a few different modes of transportation including walking to the train station, commuter rail, and a bicycle share to get me to the office door. Reading a book on the train or catching up with blog posts while I commute in, then getting a little bit of exercise before starting my day, really helps me focus.
During the work day, I split time at Cybereason with product management and our SOC/IR teams. With Cybereason being a startup, my work allows me to wear lots of different hats which keeps things exciting. Lately I’ve been pulled more into the business side with product management where I create systems around our consulting services and how those fit in with other departments like sales, finance, and product marketing.
I also get to spend time working in our services team which is where I get to keep my DFIR and hunting skills sharp. While I try to set aside regular time for each role, incidents and product launches mean dedicating time to different departments depending on the week. No matter what the day itself looks like, it’s important for me to leave the office and get to the gym during the evenings where I’ll spend a few hours lifting and coaching before ending the day.
Since my weekdays are pretty packed at Cybereason, commuting, and the gym, I dedicate a few hours on the weekends to getting ready to teach my next SANS Windows forensics class and assist Phill Moore with his This Week in 4n6 blog. I block off some DFIR time on Saturdays to review whatever blog posts I haven’t seen during the week and dig deeper into webcasts or podcasts.
You're an instructor on the SANS Windows Forensic Analysis Program. What are some of the most important changes in recent Windows updates?
I’ll pick just one example related to the Windows registry that Microsoft announced this summer and how copies of the registry are no longer kept in the RegBack folder.
In the six-day class I teach, we review the registry early in the week because it can answer so many questions about how a Windows system was used. Piecing together different sources of information like backups of the registry in the RegBack folder, Volume Shadow Copies, and rolling in uncommitted data from hive transaction logs help us tell the story of what happened on a system.
While copies of the registry stopped being stored under RegBack in Windows 10 v1803, that this news was announced in summer 2019 is a good example of the race examiners are constantly playing with keeping up to date with analysis.
Fun fact – if you squint at that Windows version number, you can see 1803 refers to the version of Windows 10 that came out in Spring 2018.
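The answer above describes three registry sources an examiner pieces together: RegBack copies (0-byte files on Windows 10 1803 and later), Volume Shadow Copies, and uncommitted data in the hive transaction logs. The script below is an added triage example written for this page, not Lodrina's or SANS course material. It assumes a copied-out config directory (the layout of %SystemRoot%\System32\config) and uses the regf header's primary and secondary sequence numbers, which differ when the last write was never flushed and the .LOG1/.LOG2 files must be replayed. The sample directory it builds is constructed for the demonstration.

```python
import os
import struct
import tempfile

# regf hive header: bytes 0-3 are the signature, 4-7 the primary sequence
# number and 8-11 the secondary sequence number. A mismatch marks a "dirty"
# hive whose latest changes live only in the .LOG1/.LOG2 transaction logs.
REGF_SIGNATURE = b"regf"
HIVES = ("SAM", "SECURITY", "SOFTWARE", "SYSTEM", "DEFAULT")


def hive_is_dirty(path):
    """Return (primary_seq, secondary_seq, dirty) for one hive file."""
    with open(path, "rb") as f:
        header = f.read(12)
    if len(header) < 12 or header[:4] != REGF_SIGNATURE:
        raise ValueError(f"{path}: not a regf hive")
    primary, secondary = struct.unpack_from("<II", header, 4)
    return primary, secondary, primary != secondary


def assess_config_dir(config_dir):
    """Triage a copied config directory (assumed layout: hives, their .LOG1/.LOG2
    files and a RegBack subfolder). For each hive report whether the RegBack copy
    is usable and whether the transaction logs need to be replayed."""
    report = {}
    regback = os.path.join(config_dir, "RegBack")
    for name in HIVES:
        entry = {"regback_usable": False, "replay_logs": False, "logs": []}
        backup = os.path.join(regback, name)
        # From Windows 10 1803 the RegBack files still exist but are 0 bytes.
        if os.path.isfile(backup) and os.path.getsize(backup) > 0:
            entry["regback_usable"] = True
        live = os.path.join(config_dir, name)
        if os.path.isfile(live):
            _, _, dirty = hive_is_dirty(live)
            entry["replay_logs"] = dirty
            entry["logs"] = [
                name + ext
                for ext in (".LOG1", ".LOG2")
                if os.path.isfile(os.path.join(config_dir, name + ext))
            ]
        report[name] = entry
    return report


def fake_hive(seq_primary, seq_secondary):
    """Constructed 4096-byte regf header (sample data for this example only)."""
    header = bytearray(4096)
    header[:4] = REGF_SIGNATURE
    struct.pack_into("<II", header, 4, seq_primary, seq_secondary)
    return bytes(header)


def build_sample_config_dir():
    """Constructed config directory imitating a Windows 10 1803+ machine:
    empty RegBack files, one stale pre-1803 SAM backup, and a SYSTEM hive
    that was not flushed at shutdown."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "RegBack"))
    for name in HIVES:
        dirty = name == "SYSTEM"
        with open(os.path.join(root, name), "wb") as f:
            f.write(fake_hive(7, 6 if dirty else 7))
        for ext in (".LOG1", ".LOG2"):
            open(os.path.join(root, name + ext), "wb").close()
        open(os.path.join(root, "RegBack", name), "wb").close()  # 0-byte copy
    with open(os.path.join(root, "RegBack", "SAM"), "wb") as f:
        f.write(fake_hive(3, 3))  # leftover usable backup
    return root


if __name__ == "__main__":
    sample = build_sample_config_dir()
    for hive, entry in assess_config_dir(sample).items():
        print(f"{hive:9} regback_usable={entry['regback_usable']!s:5} "
              f"replay_logs={entry['replay_logs']!s:5} logs={entry['logs']}")
```

On a real image, point assess_config_dir at the extracted config folder; any hive with replay_logs set should be parsed with a tool that applies the transaction logs, and a RegBack copy should only be trusted when its size is non-zero.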
Do you think digital forensics as a discipline is good at keeping up to date with changes in OSes and applications, and if not, what do you think we can do about this?
Finding out about that one tool you need for that one weird artifact and keeping up with the industry via blog posts, conferences, Twitter, and forums can be tough. Then again, there are lots of free resources in blogs and social media, and video or presentations of conference proceedings can often be found online after an event.
I’d recommend a ‘choose your own adventure’ style approach and pick a mode of learning that is compatible with your bandwidth and interests.
I mentioned what works for me is scheduling a few DFIR hours on the weekends to keep up with industry news and play around with tools. If you find it hard to keep up with industry developments every week, maybe going to monthly local meetups or industry conferences is what will work best for you. Maybe listening to podcasts on your drive into the office is your speed, or hacking away in a virtual machine screen share with friends. Try out different things, and ink in some learning time on your calendar!
Can you give us an example of a stand-out investigation you've worked on?
Definitely the Sledgehammer investigation related to forged documents in a supposed Turkish coup, back when I was at Arsenal Consulting. This was a digital forgery that was almost perfect, landing over 200 people in prison.
While a cursory investigation into the document dates and metadata first confirmed plausibly untampered-with files, a closer look revealed irreconcilable conflicts in the claims behind hundreds of prison sentences.
First, there were .docx type artifacts like XML references in .doc documents in the case – and at a time before Office 2007 .docx / .pptx / .pptx type file formats existed!
Second, references to fonts that came out with Windows Vista were found in some of the files, again well before Vista was released.
During that investigation I did tests to ensure there wasn’t a legit reason for the anachronisms and read reams of pages related to the Microsoft Office file spec. Attacking the case from multiple angles, it was very satisfying to help get hundreds of innocent people out of prison.
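The two anachronisms described above (.docx-style XML references inside a binary .doc, and fonts that did not exist until Windows Vista) are the kind of finding a scanner can surface in bulk. The script below is an added example written for this page, not code from the Sledgehammer investigation or from Arsenal Consulting. The marker list and the "earliest plausible" dates are this example's own assumptions: the Office Open XML namespace string and the Calibri, Cambria and Consolas font families, which shipped with Vista and Office 2007 (the interview does not name the specific fonts). Word's binary font table stores names as UTF-16LE, so each marker is searched in both ASCII and UTF-16LE form. The sample document is a constructed byte string, not a real case file.

```python
from datetime import date

# Marker -> (label, earliest date a genuine file could plausibly contain it).
# Dates are approximate public release dates assumed for this example.
MARKERS = {
    b"schemas.openxmlformats.org": ("Office Open XML namespace", date(2006, 12, 1)),
    b"Calibri": ("Calibri font (Vista / Office 2007)", date(2007, 1, 30)),
    b"Cambria": ("Cambria font (Vista / Office 2007)", date(2007, 1, 30)),
    b"Consolas": ("Consolas font (Vista / Office 2007)", date(2007, 1, 30)),
}


def encodings(marker):
    """ASCII for XML fragments, UTF-16LE for Word binary font-table entries."""
    return (marker, marker.decode("ascii").encode("utf-16-le"))


def find_anachronisms(data, claimed_date):
    """Return markers found in <data> that postdate the document's claimed date.

    claimed_date is an ISO string such as "2003-01-01" (the date metadata
    claims). Each finding records the label, byte offset and earliest date."""
    claimed = date.fromisoformat(claimed_date)
    findings = []
    for marker, (label, earliest) in MARKERS.items():
        for needle in encodings(marker):
            offset = data.find(needle)
            if offset != -1 and claimed < earliest:
                findings.append({"label": label, "offset": offset,
                                 "earliest": earliest.isoformat()})
                break  # one hit per marker is enough to flag it
    return sorted(findings, key=lambda f: f["offset"])


def sample_document():
    """Constructed bytes imitating a legacy .doc: the OLE compound file magic,
    a UTF-16LE font table holding a Vista-era font, and a stray OOXML namespace.
    Not a real file from any case."""
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    return (
        ole_magic + b"\x00" * 24
        + "Times New Roman".encode("utf-16-le") + b"\x00\x00"
        + "Calibri".encode("utf-16-le") + b"\x00\x00"
        + b'<w:p xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>'
        + b"\x00" * 16
    )


def labels_for(data, claimed_date):
    """Convenience wrapper returning only the finding labels, in file order."""
    return [f["label"] for f in find_anachronisms(data, claimed_date)]


if __name__ == "__main__":
    doc = sample_document()
    for finding in find_anachronisms(doc, "2003-01-01"):
        print(f"offset {finding['offset']:6d}: {finding['label']} "
              f"(not available before {finding['earliest']})")
```

A hit is only a lead: as the answer notes, each anachronism still has to be tested against legitimate explanations (later edits, converters, embedded objects) before it carries weight.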
What advice would you give to someone who is thinking about starting a career in digital forensics?
We have so many problems in DFIR to solve. Whether it’s analysis on Windows artifacts or system memory, thinking about scaling investigations over a business unit or whole company, or reverse engineering a mobile application, successful examiners usually need more skills than just looking at 1’s and 0’s.
There are a lot of career changers coming over from other technical roles or outside of infosec. Whatever expertise you may have from a prior career or interest outside of tech, bring those skills with you as you explore forensics.
The field is still growing and we need more researchers and writers, teachers and testers, and investigators who can work in teams to solve big complicated problems.
Maybe a graphic designer would have picked up on references to fonts that didn’t belong in the Sledgehammer case hundreds of hours earlier. Maybe an audio technician would have been able to find issues with the CD tracks that the Sledgehammer documents came on (by the way, forensic tools to look at the CDs showed no anomalies – that we knew of!).
Whatever your interests are, find a way to apply them as you get into DFIR. My best superpower might not be seeing timestamps in hex but rather unplugging at the end of the day to make sure I can recharge and reenergize at the gym before going back to work the next day.
Finally, when you're not working, what do you enjoy doing in your spare time?
I’ve alluded to spending time outside of screens going to the gym which doesn’t quite summarize what I do. Throughout my career I’ve trained and competed at a national or international level in powerlifting which is three barbell lifts: the squat, bench press and the deadlift. There’s a lot of training I do every week and an equal amount of taking care of my body with recovery work or nutrition and sleep.
To really unwind, I’ve been to lots of museums on the tail end of a trip teaching for SANS or competing. I also love reading and am always browsing the shelves at my local library or digging around in their basement stacks. The last few years of the DFIR Summit in Austin, TX have been a perfect blend of all the things I love: nerding out about DFIR, visiting a great strength history museum inside the UT stadium, and this year I finally went to the new Austin public library which is a gorgeous oasis in downtown.
Lodrina is a security analyst at Cybereason and an instructor for the SANS Institute’s FOR500: Windows Forensic Analysis Program. You can find out more about her classes and sign up here.