Forensic Femmes 4: Melissa Augustine

At the end of September, Foundstone’s Melissa Augustine (you might know her as @sketchymoose on Twitter) announced the release of her script, Total Recall, for memory parsing. What caught my eye in her blog post wasn’t the content of the script itself, but rather, her willingness to release it even though it wasn’t yet “perfect.” I caught up with Melissa to talk with her a little more about how she got to that point of confidence.

Christa: You’ve been involved in digital forensics since before it was “cool.” ;) How did you first become interested in the field? Was memory forensics always something that piqued your curiosity?

Melissa: I went to Hilbert College for Economic Crime Investigation, and did a dual in Computer Crime and Financial Crime. I found the Computer Crime side much more enjoyable and exciting so I decided that would be the route to try. I remember chaining together the FAT on a floppy to recover documents… I shudder to think about trying to do that manually now given the size of hard drives today!

I actually first remember memory forensics when working at the DoD and running strings against the page file…. I thought “well this is getting me nowhere” as I could not associate strings with a process, module, etc. I went to a DoD CyberCrime conference where I attended a talk about these guys from University of MD who were creating a memory parsing tool called “Volatility”… the rest is history really.

I find it amazing how much you can pull from a memory dump, and there have been people thinking about this since “way back when”. I also remember going to DFRWS in Pittsburgh and listening to the passion these guys have, and it gets you really excited!

Christa: You actually earned a DoD scholarship to GWU. How did that come about, and how did it help shape your career?

Melissa: How do most things come about at that age? Your mother tells you to do it! :) I was not sure what I wanted to do really, and I had a few job offers for a Criminal Investigator at a few agencies (again though with the White Collar Crime) but it didn’t really appeal to me at the time. My mother had found out about this scholarship and really pushed me to sign up.

The DoD scholarship was amazing, it allowed me to focus on my graduate program, provided me a job in the government when it was all said and done, and, most importantly, put me in the middle of it all in Washington DC. Networking was rampant. The program even got us business cards and hosted events so we could meet the movers and shakers currently in the government.

Now it’s my former classmates who are the movers and shakers, and they still take time to go back to the campus and meet the scholarship students to talk about their careers and help out where they can. I will always be grateful for that scholarship because it put me on the road to where I am today.

Christa: What advice would you give to aspiring female forensicators whose moms don’t take such an active interest in their careers — if not scholarships, what other options do you feel would afford women similar opportunities to network and learn?

Melissa: You hit the nail on the head — networking. It’s key. There are tons of meetups where forensics geeks can mingle with pen testers, reversers, etc. to meet people in the industry.

Also, colleges and universities generally have sessions where talks are given on a certain topic and then there is a Q&A session afterwards. The George Washington University, where I got my Masters, was amazing at this. Even Hilbert College, where I went for undergrad, was offering us opportunities to refine our resumes, partake in mock interviews, and offer us job openings based on connections in the field.

If you are outside the academic realm now, there are tons of groups and seminars to go to. The big ones are of course Black Hat and DefCon in Las Vegas, however there are local DefCons which have monthly meetups and there is B-Sides as well… and they are FREE.

Get out there, have a beer, and go talk to some like-minded people! These venues are also great places to give a talk/presentation, as they are smaller and there is a bit less stress in presenting. Everyone is good natured :)

Christa: I really love that you freely admit “Yes yes I know I am not a coder and my code sucks.” What made you push past that and decide to just share the code?

Melissa: It came down to helping out the community. As an analyst I always try and figure out ways to make life a bit easier. This script I hope will help myself in future investigations to pinpoint potential badness. I figure if it works for me, why not see if others can use it?

I think Harlan Carvey once blogged about contributing to the community, and it just makes sense. If you see an issue or a problem, figure out a way to address it and share it with the world. Chances are someone else has run into the same problem and would really appreciate your tool/script/howto.

My fiance is a bit of a coder himself and when he saw my code I knew he was thinking “If I was her team lead….” and not in a good way! However, he and others really gave me some pointers on how to think more like a programmer, rather than just patching the problem. Also with open source someone else out there may have a suggestion or idea for the code, making it more efficient! It’s all about learning and sharing ideas.

Christa: What pointers did you receive from your fiance and others to think more like a programmer? How did that advice help you to improve this particular code, and your overall skills as a forensicator?

Melissa: I would encounter a problem and would be trying to modify the code to address the issue. He would ask, “Does that solve the underlying problem or just this problem?” It forces you to think about what you are really trying to fix and write code to account for it, rather than applying a quick band-aid.

It makes sense as in the forensics field, blocking a simple IP from beaconing out is a temporary solution, wouldn’t you rather plug the initial infection vector so you don’t have to worry about that attack again? He simply showed me I should expand that thought to coding as well.

Christa: What’s up with the name “sketchymoose”? I used to live in Maine and never thought of moose as sketchy… :)

Melissa: I honestly do not remember… I remember being fascinated by moose in high school and somehow ‘sketchy’ got thrown in there. It just sorta stuck. I also do not consider myself the most graceful of creatures and moose themselves always look awkward and ready to fall over. I have even gone on road trips to Algonquin in Canada to find moose– Maine may be the next place to look!

Want more? Check out a short video of Melissa recapping her presentation at CRESTCon & IISP Congress 2013: “Memory Forensics – Helping to find what isn’t there”:

Forensic Femmes 3: Sarah Edwards

Having been part of the very first Forensic Femmes Slumber Party in Atlanta, GA in January 2012 (at which a midnight stroll around downtown may or may not have been involved), Sarah Edwards is one of those fun people who’s smart to be around. An intrusion analyst at Harris Corp., Sarah has a passion for Mac forensics, though she appreciates digital forensics analysis in all flavors: Mac, Windows, Linux, mobile and anything else that seems like it could be analyzed.

Sarah has lately presented some of her work at conferences and in white papers. Most recently, she won one of David Cowen’s “Sunday Funday” challenges regarding OSX/timemachines, and in 2014 she’ll be teaching the 6-day SANS FOR518 – Mac Forensic Analysis, covering OS X & iOS.

Christa: What’s the best and the worst of being the only woman in a DFIR lab?

Sarah: There really are no best and worst parts of being the only female in a DFIR lab. There are times where I miss being able to just talk to another female techie but that’s why I appreciate the Forensic Femmes Slumber parties! I have been working with primarily males for a very long time, most days I don’t even notice a difference!

Christa: You published a few items last year. What are you researching this year, and why?

Sarah: I have a few ideas floating around. I hope to do something on reverse engineering Mac malware or maybe something on Mac memory analysis. I like to make presentations that are very technical and detailed. I always want to learn something new or add to my knowledge on a certain subject. I hope the DFIR community can learn from and use my presentations in their own casework.

Christa: What’s one thing you wish you could change about the DFIR industry?

Sarah: I wish that more people would be confident in their own work to put their research out to the community. I always hear folks saying they don’t know enough or presenting is too frightening. People know more than they think, and once they put their research into a presentation they’ll know more than most people in the room. I used to be terrified to present in front of a crowd of people, I still get queasy at the thought, but it gets easier every time I do it. Every time I present my research I have this sense of relief and accomplishment that I was able to give back to the community.

Christa: In the vein of encouraging others to present so that the community can learn from them, what are some examples of presentations you yourself have learned from and used in casework?

Sarah: I enjoy going to many of the security conferences and sitting in on topics that I know will be far, far beyond my technical skills of actually employing their techniques – but as an Intrusion Analyst I can get ideas on how to find artifacts of what the “hackers” are doing from a forensic perspective.

More specifically I recently went to my friend Cindy Murphy’s talk on damaged mobile phones this year at CEIC. I went in expecting use of proprietary tools and advanced techniques to recover data from damaged phones, I would have never known it would be so easy (yet tedious) to just take apart a phone and clean it and in a few hours have a working device. While I don’t deal with damaged phones often, I’m prepared to take on by surprise…or at least find comfort in the fact that Cindy is a phone call away!

Also at CEIC, I found the presentation by David Cowen and Matthew Seyer to be helpful in introducing me to the NTFS Logfile. I always knew it was there but have always failed to look into it further. I appreciate the research these guys have done to help others understand its metadata contents, and even provided a tool to parse it, bonus!

Christa: Do you have any tips on presenting — preparing the research to be presented, and then tips on actually getting up and doing it?

Sarah: Know the research and presentation material front and back. I will often study my slides for days in advance, tweaking and changing the order of some slides to (hopefully) better present the material I have. Using the slide note feature can also help, while reviewing your material you can anticipate questions and put the answers in the notes. 90% of the time I’ll never get asked the question but I feel more prepared for the entire presentation.

When choosing a subject, create an outline of what you want to cover. Determine how much material you will need ahead of time and limit what you need so you will not overdo it. I am probably the worst offender when it comes to too much material to cover – it kills me when I have to cut slides or topics out of a presentation to fit in the time slot allotted. I feel like my presentation is less thorough, incomplete, or just short-changing the audience. I have come to terms with uploading the entirety of my slide deck after the presentation, so those who are interested can have the information available to them.

Christa: Also, anything you have found about your audiences that makes presenting easier as time goes on?

Sarah: Everyone who comes up and says “thanks, that presentation is going to be very helpful” really encourages me to make more presentations or present at other conferences. I truly appreciate those folks who come up to me afterwards and say thanks or ask about a particular slide or section, it helps me explain things better the next time I give it. There are even folks who come up and say “hey, so I have this Mac back in the office…”, these questions help me come up with new presentation ideas – I’m always looking for content that would be helpful to the DFIR community.

Thanks Sarah! These are issues a lot of forensicators both male and female struggle with and I hope they will have found inspiration in your experience. Readers — questions for Sarah? Leave a comment!

Forensic Femmes at CEIC 2013

It wasn’t a big crowd, but it was certainly fun! Last week, a small group of us got together for the third or fourth Forensic Femmes Slumber Party. Although I still can’t contribute to discussions about timestamps, the MFT or “the worst of the worst” images and videos floating around in cyberspace, here’s a little bit of what else we did talk about:

Having a reputation as a bitch because you struggle with walking the exceedingly fine line between being as direct as the boys, but not as pleasant and “nurturing” as many of us were raised to be.

Sexual harassment. Yes, boys and girls, as tremendously supportive as the online DFIR community can be, harassment still happens — and sometimes it’s blatant. In this day and age, no woman should have to fear for her safety, much less worry about whether she’s more valued for her physique than for her brains.

By the way, if you’re at a conference and you’ve been drinking, and you’re in the same swimming pool where a woman or several women are hanging out in a group, don’t surface from the water like Swamp Thing looking to save Alice. You’re probably too drunk to save anyone (not that we needed saving to begin with) and we will forever remember you as Swamp Thing, no matter how smart a forensicator you are.

If you want to network, even while drunk, make it count. Ask what’s most important to us, what we’re researching, why we think it counts. A lot of guys in our community do this on a regular basis, and we’re all better for their support as they ask, challenge, push us past our comfort zones, and maybe even push themselves past their own comfort zones. We could not appreciate this more!

On the lighter side of things, we pondered whether you do or don’t need to have seen any of the Star Wars trilogies (especially the original) to validate your geek credentials. And in a sillier moment, we realized that you cannot pour wine from a bottle when the cap is still on.

Guess you had to be there. If you’re a female forensicator, join us next time! Meanwhile, the comments are open for debate. What have you experienced as a forensic femme, or as a man working with one or more of us?

Forensic Femmes 2: Stacey Edwards

Stacey Edwards has been a vocal member of Twitter’s #DFIR community (tweeting as @4n6woman) for at least two years, and was part of the original Forensic 4cast episode that started this blog series rolling. She’s contributed to the SANS Computer Forensics Blog, which was well received within the community. Until recently employed in the private sector, Stacey is now actively seeking new opportunities.

About her personal style, Stacey says, “I might be quiet, but I consider it observing my surroundings and then adding my ‘two cents’ if needed.” From what I understand, her input in classes and conference lectures is worth a lot more than that. Following is a little more about another female forensicator to watch.

Christa: You’ve been doing forensics for 4 or 5 years, right? What got you interested in the field to begin with?

Stacey: I have – just over 4 years. I became interested in the field first on the “blood and guts” side. CSI (the original one) was very popular when I realized that I could make a career out of forensics. It was within a few minutes in my first class that I knew that the show was NOTHING like the real world – shocking, right? In fact, I thought the real world version was much more entertaining and stuck with it. Before graduating with my Associate of Applied Science in Forensic Science, I learned that working in the computer side of forensics was an option. I graduated three years later with my Bachelor of Science in Computer Forensics.

Christa: What was your experience in Defiance’s computer forensics program?

Stacey: It was a brand new program, and I was in the first class to graduate with that particular degree.  Some of our courses were programming (Visual Basic), forensics, and networking.  We had a semester-long internship program, which I completed at the Defiance County Sheriff’s Office.  The computer forensics program was very challenging, but after the lessons finally “clicked” one day, it became a little easier.  I was even able to graduate at the top of my class!

Christa: What led you to become GIAC certified? Likewise, to learn Python scripting?

Stacey: My GIAC certification (GCFA) was actually a part of the required curriculum when I was in college. We took a mentored FOR508 program, studied the course material, and quizzed each other. We all passed our GCFA certifications, and I was even offered a mentorship through SANS for my high score.

(Since I was fresh out of college and with no forensics work experience, I did not take them up on the offer.  Now that I have more experience under my belt, I have thought more about becoming a mentor and helping others, but have not fully decided if I should.)

Python scripting was a little different. After attending the SANS conference in Austin, TX this summer, I saw a need in the field for more programmers. One of my favorite courses in college was programming, so I knew I could do it.

I recently signed up for an online college course taught through the University of Toronto but offered through Coursera. Even though we are only a couple weeks into the program, I have already learned so much. In the near future, I hope to be working on testing some of the Python scripting with the soon-to-be-released python version of log2timeline (per Kristinn Gudjonsson’s request).

Christa: What types of cases do you most enjoy working on?

Stacey: I most enjoy working on criminal, forensics cases – fraud and arson, in particular.  With my husband being a local police officer and hearing his stories, it helps drive my passion to get into the law enforcement side of forensics investigations.

Christa: Cindy [Murphy] says you’re a great student, that you have a knack for making connections even as you are sitting in a class, learning something new. This doesn’t come easily to everyone — what drives your passion for learning? And how are you not afraid of speaking up to ask or give feedback?

Stacey: I love learning new things. Every night before I go to bed, I read 10-15 pages in a personal development book. (The book right now is titled “The Slight Edge” and is written by Jeff Olson.) This small effort every night keeps me motivated to learn.

In reading these books, I have also realized that I should never be ashamed to ask for help. All successful people have asked for help at one time or another because they realize that no one can ever know everything there is to know. My advice to everyone would be to always ask for help. You won’t be the only person with the same question, but you might be the only person brave enough to ask!

Christa: What do you find most challenging in the best way?

Stacey: The most challenging part of forensics, for me, would have to be trying to stay ahead of the game.  The field is constantly changing, and there is always something new to learn.  Community support and collaboration has been fantastic to help us all advance so quickly, but we have a long way to go.  We will never know everything, but that’s part of what makes forensics fun and allows for growth.

Christa: As a forensicator going forward, what are your professional goals?

Stacey: My professional goals include, at the very least, future employment with an outstanding company. I would also like to contribute more to the forensics community through testing and helping to write new programs as my skills improve.

Stacey, thanks for sharing more about your experience and professional goals. It’s been an honor and pleasure to know you, and I look forward to seeing your continued contributions.

Forensic Femmes 1: Alissa Torres

Welcome to the inaugural Forensic Femmes blog post! As I wrote many months ago, the purpose of this series is to highlight the many contributions women are making to the DF/IR community, whether we know them or not.

My first guest is Alissa Torres, who recently joined Mandiant’s team as an incident handler along with being a SANS Mentor and instructor. Here, Alissa talks about why she thinks crosstraining is important, what led her to SANS, what women should never do when entering a STEM profession, and the successes that keep her going.

Christa: Your lecture topic at the SANS DFIR Summit garnered a lot of very positive tweets. What experiences in your career led you to want to talk about crosstraining?

Alissa: Speaking at the SANS DFIR Summit was an honor – probably the best presenter experience I have had to date due to the support of the community and the attendees in the room.  The Summit is unique in that everyone who is there is passionate about DFIR – it actually took someone pointing out to me that most of our after-hours conversations were geek speak – I didn’t notice honestly!

So, why did I talk about crosstraining?  I have had the opportunity to work at some very different jobs, to include being a forensics examiner on a security operations team and more recently, playing a key role on an offensive skills team.  Looking at network compromises and being able to understand both the attacker’s perspective and that of the responder offers great advantages in unraveling what happened on a compromised system.

My own realizations that I hoped to have shared were 1.) you have to know what a normal system looks like to identify anomalies and 2.) familiarity with other disciplines of security, be it pentesting or system administration, enhances your depth of knowledge and skill as an incident responder.

Christa: How did you get into DFIR to begin with?

Alissa: I first became interested in forensics when I was an instructor at DCITA (Defense Cyber Investigations Training Academy).  Although I was teaching the introduction to hardware & networking course (INCH), I was surrounded by forensics and IR professionals who knew so much more than me.  During this time, I was able to pelt my co-workers with daily questions – I can’t say enough about the camaraderie of the instructor staff there at the time.  While I was at DCITA, I obtained my EnCE and moved from there to a job at a defense contractor performing internal employee investigations.

Christa: What drove you to become a SANS mentor?

Alissa: When I took FOR508 with Hal Pomeranz in Baltimore, I was a work-study facilitator, paying for the training out of my own pocket.  My company had denied additional training for me and it was truly the only way I had to attend this advanced forensics course.

To say the course was life-changing sounds pretty ridiculous, but it is true – I realized on Day 5 of that course that I could become an active researcher in the forensics community instead of looking everything up online, I could contribute with my own knowledge and experience that not everyone has.  The field of forensics/incident response is so young and expansive that not everyone can know everything, the perfect environment for collaboration and freedom to follow your interests.

So, considering what a great impact FOR508 had on me (and my previous experience as an instructor!), I decided to study my butt off and do well on the GCFA.  If you score over 85 on the certification exam, you are invited to apply to the mentor program.

Christa: What one piece of advice would you give another woman seeking to get into DFIR (or any STEM profession)?

Alissa: My advice to other women just entering the field is to never self-deprecate. Someone may hear you and just might believe your humble assessment of yourself. You need to realize that everyone started off somewhere, even the “Old Man of Forensics” (whoever that may be) and it does no good to state that you are “inferior” because you are new/junior/inexperienced.

One of the women in my class recently said to me in front of the rest of her male classmates, “My mind doesn’t work that way. I am not as good as everyone else here.” She was one of 2 women in the room of 20 and although she never signed up to represent our gender, she indeed was doing just that.

Since there is such a small percentage of us in the security field, and even less as you delve into the more technical jobs, we must always acknowledge and bear the responsibility of this.  I am a firm believer in the idea “No one knows what a woman isn’t capable of.”  Other women may feel I am wrong on this, but I have run into this “women can’t do as much” mentality first hand.

After the presentation of the MMA Challenge that my co-worker and I presented at CEIC 2012, I was approached by two male attendees who exclaimed “We were surprised that a woman would know so much.” in reference to my ability to speak to both the forensics and offensive realms.  It is this attitude that tells me that I still have a great deal left to accomplish.

Christa: What has been your greatest challenge in your career?  What has been your greatest success?

Alissa: One of my biggest challenges in my career, as well as my life, has been to balance my desires to be the best at my job and to be the best Mom to my kids.  While in the Marine Corps, I learned quickly that talking about one’s family can be seen as a sign of weakness.  I still see negative ramifications for women who discuss their family and personal obligations (kids, mainly) in the workplace.  So, yes, unfortunately, I am divided down the middle sometimes between “uber-driven cyber warrior” and “super soccer mom”, both completely ridiculous titles!

I am sure most working women feel this conflict, at some point, whether their personal lives include kids or marathon training or any other arduous, “soul-sucking” hobby.  :) But, kids have a way of holding you accountable and my biggest and most constant challenge has been in being present for them when they need me.

My greatest professional success, as of yet, has been finding others who share a similar passion for information security. What a fantastic community we have! Finding folks who understand and share the drive to keep learning, keep asking questions, has been key to my progress.  It is unique to our industry, that things change on a daily basis. Without surrounding myself with like-minded people, I would have burned out a long time ago.

Alissa, thanks so much for the thoughtful responses, for taking the time to write them, and for all your contributions to the DF/IR community!

Writing for the community

If we’re connected on various other social media sites, especially LinkedIn, Twitter, or Facebook, you may have noticed that I have a new job. Although I haven’t shuttered Christa M. Miller Communications, I’ll be devoting time only to very limited projects.

At heart this blog has always been about how DF/IR businesses can better interact within the community. Rather than direct this toward vendors, however, I want to focus a little more on service providers — individual practitioners, small business owners, teachers, and researchers. Therefore, look for two things at Communications Forensics in the near term:

Women in Digital Forensics

I’m starting a new series highlighting the contributions of women in the DF/IR field. This isn’t to say that Melia Kelley, Sarah Edwards, Cindy Murphy, Erika Noerenberg, or others aren’t doing a great job of highlighting their own contributions. Rather, it’s for these two reasons:

  1. Lots of other women contribute without speaking up, either because they don’t have time or they don’t feel they’re on a par with Erika, Cindy, Sarah, or Melia. I know, I know — lots of guys don’t, either. Leading me to my second point:
  2. Women are underrepresented in the STEM professions as a whole. I’m looking to help reverse that trend at least a little by showing the really cool things the DF/IR women are doing, whether it’s research or investigation or even something related like writing (after all, I’m not a forensic examiner, either).

If you’re a woman working in DF/IR or you know one who deserves to be highlighted, send her my way! (And don’t forget to let her know there’s a LinkedIn group, too.)

It’s your community — what do you want to read?

In the last few months I’ve blogged about how to connect after a conference, contributing to the community with content, and the process of creation, among other things. They added to existing conversations and generated their own discussion, which I really appreciated.

But they were easy to write because the conversation was already happening. Other times, it’s not as easy to know what to say that will be valuable to a community that focuses on process. Heck, I don’t even know what a well-constructed DF/IR report looks like!

So tell me: what do you need a writer’s or PR pro’s perspective on? How do you as a DF/IR practitioner, business owner, or student want to use content to connect with your community? Leave me a comment, email me, or connect with me on Twitter or LinkedIn. And thanks!

Authenticating your content: The power of voice

When I was regularly writing fiction, one of the most talked-about topics on the listservs and message boards was: How do you establish your voice?

The reason it was discussed so much is that voice is incredibly difficult to define. It’s the thing that makes writers sound uniquely different, what distinguishes Dennis Lehane from George Pelecanos in crime fiction, or Stephen King from Shirley Jackson in horror.

And it’s every bit as important in business writing as it is in fiction.

Last year I worked with an author on using articles to promote his book. Between some material in the book, emails we traded, and his blog, I’d pulled together what I thought was a pretty good piece. It was technically accurate and flowed well, and covered what I’d pitched the editors.

The problem? It didn’t sound enough like him, and he told me so. And he was right. He’s a prolific blogger as well as a book author, and has his own distinctive voice.

Why does it matter if voice is distinct?

Because everyone recognizes impersonal “corporate speak.” It’s usually filled with buzzwords like “leading,” “synergy,” “paradigm shift,” and so on. It’s lazy, safe, predictable. People use it because no one wants to inject their own personality into it.

This is a legitimate branding concern. Too many distinct personal voices can dilute a brand and confuse its customers. On the other hand, a brand that sounds just like every other brand is also pretty diluted. It also, and I see this in social media, misses opportunities to show its unique strengths.

So where’s the balance? How can you sound distinct, without losing your voice when your best communicator leaves or your company (and PR department) suddenly grows?

Know your company’s mission, vision, and values

The people who communicate on behalf of your company need a strong command of its mission, vision, and values. This isn’t as simple as making them memorize the company’s mission statement (many of which are useless anyway).

It’s not even as simple as inviting them to strategic planning or goal-setting meetings. A company’s values come through in every interaction with their publics, from sales to customer service to employee relations. Communications people, like everyone else, observe and listen. Pushy sales, lazy or rude customer service, and indifferent employee relations communicate a company’s values far more than a few sit-down meetings with the C-suite.

A communications staff using indistinct language may, in fact, be afraid to rock the boat — or at the very least, afraid of the potential consequences, from the boss if not the public. So:

If you’re the boss:

  • Start by asking yourself what you stand for. Integrity, truth-telling, the best service in your market, and so on. Outline what that means for your customers. While you’re at it, think about whether you need to redefine your business.
  • Review company content: website, press materials, videos, etc. Do their words match your vision?
  • If the answer is “no,” find out why. Be open to the answers.
  • Work with your communications team to figure out how and where you can make changes.

If you’re the communicator:

  • Assess the language you use in your current content; separately, assess what you believe your company’s brand to be. Do they match?
  • If not, challenge your boss to do better. Find out how and where to change your assumptions and align your ideas with your boss’s.
  • Start experimenting with language and visuals. Use words that advance the newly aligned understanding of mission, vision, and values. Don’t back down from committing to a different way of communicating!

In an industry like digital forensics, where thought leaders are easily recognizable, a blog or article that doesn’t “sound like” them can mean trouble. Whether they own a business or are contributing something else — research or training — a diluted brand can be as bad as making readers wonder whether they can trust what they’ve just read.

This is all the more important as more business-to-business firms — 89 percent, as of last year — embrace social media. It can be scary to show how you’re different from the competition. But companies are made up of individuals and their interactions with one another. If you have to think about authenticity, you probably aren’t authentic; but if you focus on developing your best values, and your voice along with them, you’ll differentiate in a way no competitor can match.

Would you add anything to the lists of what to do to find your voice? How do you communicate?


The process of social content creation

Those of us who use Twitter on a regular basis often find ourselves fascinated by the speed of our streams. New content gets shared, retweeted, discussed on an hourly basis; it’s impossible to read and digest it all, so we filter it, judging an entire blog post by its headline or the hashtags used to promote the tweet.

Twitter streams so quickly that it’s easy to think you have to go faster, too. A blog post leads to a Twitter conversation that leads to more blog posts and more conversation… who wants to miss the opportunity to contribute (and be recognized for contributing)?

In watching the activity, it can be difficult to remember two key points:

  1. Everyone goes at their own speed.
  2. In failing to go at our own speed, we miss things… sometimes important things that might make the difference in how we differentiate our thinking from others’.

As social media and communications expert Amber Naslund wrote not long ago:

Reflection itself has a few benefits, from cool-off time to the ability to let things sit and process for a while, like steeping tea leaves. Sometimes I notice something I didn’t before. I notice that I didn’t say something or make myself clear enough, something that might have made the conversation easier, and I know to be more articulate and specific next time.

How I create social content

An example: to get to the post I wrote about contributing to the DFIR community, things sat in the back of my mind for a few days. I had seen Twitter conversations among Harlan, Ken, Erika and others; I’d read their blog posts. I knew there was something I could add… I just wasn’t sure what. I didn’t want to rehash what everyone else was saying, and I didn’t want to let the opportunity pass.

At the same time, two totally unrelated articles sat in my browser tabs. As with the DFIR conversation, I’d read them, knew I wanted to do “something” with them (bookmark them? Use them in a blog? Did I have a client who needed their wisdom?) but wasn’t sure what… until I began to see how they related to the DFIR discussion. What if, I asked myself, the writing itself might be the problem? And so my take on the “contribution” topic became about my own specialty: content.

Like Amber, I need time to process things. I’ve found this outside of Twitter too, in the last few months especially, whether in an email thread or in-person meetings or at trade shows.

  • It might take me two or more days to respond to email, not because I’m consciously stewing about something, but because I’ve read the thoughts and want to be sure I’m getting the issues and requirements right.
  • In person or on the phone, it’s not unusual for me to come back to meeting-mates a day or two later with more information, clarifying things I said and usually in relation to what I heard. (I sometimes struggle to articulate myself verbally.)
  • At DC3, on the last day of the trade show I came to the expo hall floor early and spent half an hour with the notes I had taken, connecting the dots between people and the thoughts they’d shared.

Among the connections I make is where good content lies. That’s why I don’t blog more than weekly on any blog I maintain.

Learning from the researchers

It’s hard to remember, amid the constant stream of content, that everyone has their own pace. This is true of fiction writers as well: some writers are just naturally more prolific than others (and may even suffer from hypergraphia). But it is also true that the more you write, well, the more you write. You learn to see the ideas in the everyday, to splice them together with other ideas.

And then there are the DFIR researchers.

It’s sometimes difficult for me, as a PR pro and content marketer, to see clients’ best minds working so slowly. Months can pass between good articles that support, say, a client’s training course, or that review a client’s forensic product.

Of course, all that means is that the writer is taking time with the research. Day jobs take precedence, and good research deserves thoroughness. It’s the only way to provide content that will be meaningful to the reader.

Back to Amber’s point: there is power in slow thinking, and perhaps what we owe most to our readers and followers is not the ability to keep up… but the ability to filter, connect, distill, and purify according to our own unique experiences and perspectives.

Are there times when you could have thought slower, or where you chose to think slower? Tell us about it below!


20 ways to connect after a conference

This week I’ll be at my first DoD CyberCrime conference in Atlanta. Following on two HTCIA conferences, two Techno Security events (together with one Mobile Forensics Conference), and a Police Leadership Conference, I’m looking forward to meeting a somewhat different crowd.

And yet, also a little apprehensive. Early on I learned that conferences are alternate realities. All kinds of things happen there that wouldn’t happen in typical workaday life. As I commented on Conversation Agent Valeria Maltoni’s blog recently:

“You meet people and have great, deep conversations, you brainstorm all kinds of possibilities. But when you go back to the normal schedule, after you’re all caught up and looking for a little of that ‘spark’ you found in a different time and place… you’re still constrained by schedules, responsibilities, expectations that temporarily didn’t exist at the conference.”

Valeria wrote an excellent post, “30 Connective Things You Can Do at a Conference,” about how best to manage that alternate reality, to network the way you want and need to. Because conferences and networking are so important to the DFIR community, I’d like to riff off her original post and talk about 20 connective things you can do after a conference.

1. On your day of departure—in your hotel room the night before you leave, in the airport, on the plane or train or in a coffee shop during a driving break—take the time to reconstruct your sessions, meetups, after-hours conversations, etc.

  • What did you learn, and from whom?
  • What ideas did you and others come up with?
  • What did you observe, what did you overhear?
  • What patterns do you see?

Write all this down to come back to in a week or so, after you’re caught up at work.

2. Share what you learned with your team. Remember that you’re coloring the information with your own perspective, so if possible, share the slide deck and/or handouts with them and invite their feedback.

3. Revisit your notes. Together with your team’s feedback, decide if there’s enough for new research, a new paper, blog article or podcast. Be sure to set aside time daily or weekly to work on the project (depending on how in-depth it is); when you publish it, be sure to refer to the conference, people and ideas that led you to complete it.

4. Didn’t get a chance to provide feedback to speakers? Make a point of emailing one or two speakers per day after you get back to the office. Be specific about the takeaways you gleaned. Leave the door open for further discussion.

5. Share what you learned about products and vendors with your team. Collect their questions and needs—not just about what the product(s) can do, but what they need to do their jobs better. Follow up with the vendor(s) to ask those questions and see how well they respond to your team’s needs. That response will be an important part of your purchase decision.

6. Take time to think about things you wish could’ve been different:

  • More time meeting new people?
  • Hanging out with old friends and colleagues?
  • Lecture track you would’ve wanted to attend for yourself, rather than work?

Decide to make those changes at the next conference you attend.

7. Start a Twitter, LinkedIn group, forum/listserv or blog conversation about something you learned. (Sometimes conferences have their own LinkedIn groups.)

8. Identify the 3-5 people you connected with most strongly. Make a point of calling or emailing them every so often with things you believe they’d benefit from:

  • an article that recalls your conversations
  • a speaking opportunity at another conference or with the media
  • a congratulations on one of their accomplishments. Comment on their blog; tweet @them; find them on Google+ Hangouts.

9. While you’re at it, think about the things that made you click.

  • Particular ideas?
  • Core themes that connected your conversations and ideas?
  • Shared values?

Again, see if there are patterns—finding them can help you work out where you can benefit the community the most.

10. Set a goal for yourself to speak at next year’s conference, especially if your topic is based on the ideas you heard at this one.

11. Did you meet someone you thought would benefit from knowing a friend or colleague? Make sure you email-introduce them (and perhaps even conference call) the week following the conference. And be clear about the value they would have to each other.

12. Find a way to invite the best speaker(s) to your local area. A Security B-sides event, HTCIA or other association chapter meeting, or one-day training session can be ideal. See whom you can partner with to make it happen. Or, hold a virtual event. Your employer may be amenable to a webinar, or you might suggest the speaker to an event like #DFIROnline.

13. Pace yourself while reconnecting. Follow up immediately after the conference, but then let your relationship build naturally. Remember: conferences are alternate realities. Remind the other people who you are, then let the dust settle so that the ideas you built can stand by themselves for further building.

14. Who organized the event? If you can, volunteer to do something at next year’s conference, or encourage your employer to support it in some way (if they aren’t already) by sponsoring a giveaway or networking session.

15. Between this event and next year’s, you’ll network with more professionals. How might they benefit from coming to next year’s event—especially if they’re based in other countries? Invite them based on what you’d like to learn from them, and tell them you’ll be glad to introduce them to your connections.

16. Did anything you learn at the event change your mind, or send you in a new direction? Use a blog post to write not just about what, but also about how it happened—the old idea you’d never heard expressed that way before, or the unexpected angle. Did it help you solve a problem, or are you still mulling how to apply it in your own professional life? Either way, share it with the community.

17. Join a social network that’s new to you:

  • Well-traveled ones like Twitter, or underrated ones like SlideShare.
  • Volunteer for the SANS blog (if you’re qualified).
  • Create a new Google+ Circle and spend time there daily.
  • Guest blog for your favorite DFIR bloggers.

18. Publicly acknowledge the conference and what you thought was great about it. Mention by name those who made it great: organizers, speakers, people you connected with. A video testimonial can be especially powerful.

19. Traveling to where a speaker or conference connection is based? Let them know ahead of time, and tell them you’d love to get together if they’re available. Use your notes from your conversation(s) or their lecture to drive your conversation.

20. Think beyond your constraints. We get so caught up in our day to day responsibilities, we forget the things that made conferences spark for us. Make the time to recapture it, if not in conversation (that’s not always possible), then for yourself, in your own mind, from your own notes and memories.

“…follow through is key,” Valeria wrote. “Closing the gap between promises made and promises kept builds a solid reputation, and helps you make stuff happen, too.” It takes practice for sure, but the DFIR community is forgiving as long as you’re trying your best, and values face-to-face as much as virtual relationship-building.

What are some things you do to follow through with people you’ve met at a conference?


Book review: Uncertainty

As part of an ongoing discussion about contributing to the DFIR community, I’m offering a book review. It speaks to the “fear of failure” noted by numerous forensicators, and the excuses we all make up to avoid pain. Whether you’re a small business owner, a researcher, or someone with an idea you’ve hesitated to put out there: this is for you.

The need to embrace uncertainty

Jonathan Fields hooked me in the first chapter of his book Uncertainty by describing why uncertainty matters:

“When you begin, nothing is certain save the drive to create something worth the effort….

“Not knowing on day one how it’s going to end or what it will look like when it’s complete can be paralyzing for many. It’s brutally hard to act in the face of incomplete information or assurances that you’re on the right path. But it’s that very lack of assurance that also serves as proof that the journey you’re embarking on is not derivative. That the quest and the potential outcome are unique. That both will matter.”

Fields holds up inventors, technologists, artists and business owners as his examples; the book is geared toward creatives rather than any one way of making money. That’s important for DFIR practitioners, for whom forensication is as much art as science: applying the science in (ethically) creative ways, and creating new ways to refine the science.

But there’s a difference between creating for one’s own use, and creating (or communicating your creation) for everyone’s benefit. The latter is riskier, and potentially much more rewarding. Later on, in Chapter 9, Fields asks the reader to consider doing nothing at all:

“In reality, there is no sideways in life…. There’s only up or down…. if you’re teetering on the edge of happiness, health, liquidity, and contentment now and if you’re stuck in a “do nothing to change” scenario, then ten, twenty, or thirty years from now, your creative life, your business, and your body of work will likely be somewhere between really unpleasant and really dead.”

He reminded me of why I quit my job over 10 years ago to become a freelance writer, and why I later convinced my husband to let me try full-time self-employment: the status quo wasn’t a happy place to be. Ultimately, I wanted our children to have the example of adults who strove for happiness and fulfillment.

Embrace uncertainty, unleash creativity

Between Chapters 1 and 9, Fields goes into detail about what it takes to “lean into” uncertainty as you pursue your dreams and goals. He effectively dissects the fear of failure and gives the reader tools to nurture creativity, to the point where it becomes possible to change plans when needed.

And so, after describing both the physiology and the psychology of uncertainty, Fields devotes several chapters to two main concepts:

  1. training mind and body through the routines of meditation and exercise, which help the creator release work from his/her mind
  2. “socializing creation,” which provides the creator with a way to get feedback even as a work is in progress.

I can think of many forensicators to whom exercise is a critical part of success, and I’m implementing Fields’ recommendations in my own daily life as a creative. However, it’s the latter concept I want to focus on, because it speaks directly to the “community” discussion.

A forensicator’s fear of looking stupid or failing is not, on its face, all that irrational. Who wouldn’t worry about how one’s employer or a courtroom will react to the disclosure that you don’t have all the answers?

But contributing to the community is not about giving something up; it’s about a give-and-take of knowledge and skill. You would not have gotten to where you are without others’ help (no matter how alone you felt at times).

Therefore, worrying about how other forensicators will react is not rational. The conversation from the last few weeks demonstrates a ready-made “hive” of trusted professionals. These people will offer feedback and advice towards anyone’s goal of creating something useful, be it a piece of software or a presentation. Do the work, and you’ll get the support.

Make it a closed hive, if you must; I’ve experienced the nasty side of hypercompetition, and the DFIR industry has no shortage of it. But Fields argues that we need judgment in order to be valuable, that creativity needs constraint to birth something useful. Involve others early on, and not only do you get that constraint; you also get the support and validation you’re fearful you won’t get.

Committing to your calling

“How committed are you to the specific endeavor?” Fields asks. “Is it a project or a calling, the thing you can’t not do? Understanding the difference informs the choices you make, but it also changes the way you act in a thousand tiny ways. It changes your personal energy and leads people either to buy in on an extraordinary level or to view your quest as something not all that important.”

In life we are all driven by the desire to be important, in varying degrees. For some, being important to one’s own children is the highest calling. For others, it’s importance to the local community as a public safety professional, journalist, or business owner. Others want to be important to a cause, such as stamping out cybercrime.

Contributing to the community is as much about self as it is about the group. Paradoxically, protecting self from the pain of failure ultimately starves self along with community; whereas contributing feeds both self and community, nurturing knowledge for all.

Edited: Over on Google+, Gregory Pendergast asked me for a more direct assessment of the book itself. Here’s what I told him:

It’s positive and practical. Nothing “The Secret”-ish about it; I was a little surprised to see such an emphasis on meditation (“attentional training”) but even that resonated because I have experienced brief times when deep contemplation or focus on exercise (for instance, swimming) worked exactly as Fields was saying it does.

The writing itself is clean and direct, and I liked that Fields would state an idea early on, then circle back around to it once it had had a chance to percolate in the back of my head. Chapters built nicely on each other, and the book has stuck with me in the weeks since I read it, like quiet encouragement to stick with the good habits.

With thanks to Conversation Agent Valeria Maltoni for her generous gift of Uncertainty. Here’s her Amazon affiliate link if you like what you’ve read and want more.