
The Leanpub Podcast

General Interest Interviews With Book Authors, Hosted By Leanpub Co-Founder Len Epp


Andrew Rathbun, Co-Author of EZ Tools Manuals

A Leanpub Frontmatter Podcast Interview with Andrew Rathbun, Co-Author of EZ Tools Manuals

Episode #241. Runtime: 01:14:27

Andrew Rathbun - Andrew is co-author of the Leanpub book EZ Tools Manuals. In this interview, Andrew talks about his background in military service and law enforcement, emotional intelligence and high-intensity work, his amazing Discord server that has connected digital forensics professionals from around the world, and his book projects.


Andrew Rathbun is co-author of the Leanpub book EZ Tools Manuals. In this interview, Leanpub co-founder Len Epp talks with Andrew about his background in military service and law enforcement, emotional intelligence and high-intensity work, his amazing Discord server that has connected digital forensics professionals from around the world, his book projects, and at the end, they talk a little bit about his experience as a self-published author.

This interview was recorded on October 18, 2022.

The full audio for the interview is here: https://s3.amazonaws.com/leanpub_podcasts/FM241-Andrew-Rathbun-2022-10-18.mp3. The Frontmatter podcast is available on our YouTube channel at https://www.youtube.com/leanpub, in Apple Podcasts here https://podcasts.apple.com/ca/podcast/frontmatter/id517117137, on Spotify here https://open.spotify.com/show/00DiOFL9aJPIx8c2ALxUdz, and almost everywhere people listen to podcasts.

This interview has been edited for conciseness and clarity.

Transcript

The transcript below was created using output from OpenAI Whisper and separated into paragraphs using OpenAI ChatGPT.

Hi, I’m Len Epp from Leanpub and in this episode of the Front Matter podcast, I’ll be interviewing Andrew Rathbun.

Based in the Greater Lansing area in Michigan, Andrew is a digital forensics and incident response expert with experience in both the private sector and in law enforcement. Andrew is also the administrator of the very popular Digital Forensics Discord server, as well as a contributor to About DFIR and to multiple GitHub repositories, all of which we’ll link to in the transcript of this episode on the Leanpub website. You can follow him on Twitter at BunsOfRath12 and check out his work at AboutDFIR.com.

Andrew is a co-author on the Leanpub books EZ Tools Manuals and The Hitchhiker’s Guide to DFIR: Experiences from Beginners and Experts. In The Hitchhiker’s Guide to DFIR, Andrew and his co-authors published a unique crowdsourced DFIR book by members of the Digital Forensics Discord server, and in EZ Tools Manuals, he offers readers the official manual for all of his colleague Eric Zimmerman’s free and popular open source command line and GUI tools.

In this interview, we’re going to talk about Andrew’s background and career, professional interests, his books, and at the end, we’ll talk a little bit about his experience as a self-published author and community creator.

So thank you very much, Andrew, for being on the Front Matter podcast.

Thank you very much for having me. Appreciate it.

I always like to start these interviews by asking people for their origin story. I know you have an interesting one. So I was wondering if you could talk a little bit about your background and how you’ve found your way into a career in DFIR.

Sure.

Yeah.

I’ll kind of start from the beginning, I guess. I’ll start at high school, because I don’t think before high school really matters. So when I was in high school, I enlisted in the United States Marine Corps as an infantryman. This was in 2004. I graduated from high school in 2005.

So I went to boot camp immediately after that. From about June to December, I was in boot camp and then my infantry training. After that, I did a semester at college, and then I went to Iraq. So I was gone for about a year: about five months of pre-deployment training and seven months in combat. My entire 19th year on this earth was pretty much in combat in Fallujah, or training to be in Fallujah. A little bit different than what other 19 year olds were probably doing at the time. So it gave me some unique life perspective at such a young age.

So as a result, what’s the logical thing to do when you’re in the infantry in the Marine Corps? Well, it’s to become a cop. You know how to use weapons, and you have all the skills that you need to be a successful police officer. So I did go to college and got my bachelor’s in criminal justice and sociology. Then I went to the police academy, and then I got hired at the Michigan State University Police Department, where I was for about seven years.

I was a patrol officer for four years, and then I was a detective for three years. When I was a detective, I started doing digital forensics. So I was doing the general crime stuff, like, hey, someone stole my laptop, someone vandalized my car, someone hit my car and then drove away, that sort of thing. Those are the kind of cases that I was working.

But I was also doing digital forensic investigations, as were my co-workers that I shared a lab with. The digital forensic cases typically ranged from homicides to child exploitation to extortion, and everything in between. It was really interesting work, and I really wish I could go back and do that work now with what I know now.

I’m sure I’ll get into that later.

So anyway, I was a police officer slash detective for seven years. After that, I went to the feds: HHS OIG, the Department of Health and Human Services Office of Inspector General. I was there for a year, and basically that was assisting in healthcare fraud investigations. HHS runs Medicare and Medicaid, which you may have heard of, and a lot of fraud goes on, naturally. So that’s typically the scope of the cases that we worked at OIG. And now I work at Kroll, where I got hired as a senior associate and now I’m a vice president, doing digital forensics and incident response, mostly ransomware cases and insider threat. So that’s kind of my journey. I didn’t go to school to do what I’m doing now. I had long loved computers, growing up in the late 90s with dial up. I remember that; I was old enough for that. I was always on a computer all throughout high school and all throughout college. Looking back on it, I probably should have done something in computer science, but, hey, better late than never. But yeah, that’s pretty much how I got here.

Yeah, thanks very much for sharing that synopsis. There’s a lot of interesting things to talk about there.

One thing, if you don’t mind talking about it, I’m sort of curious about: when you were in Fallujah, was there a kind of average day for a 19 year old Marine deployed in combat? What was the average day like?

Well, Fallujah is about a five kilometer by five kilometer city, and there were about 400,000 people there at the time. We lived right in the center of it in a government compound. It was actually kind of an abandoned compound, I think it used to be a hotel, because we lived in some abandoned hotel building. It was about four stories, and sandbags covered up all the windows and all that. If you had to go to the bathroom, you had to go outside, which means you had to wear your flak jacket and your helmet, and you had to have a weapon, and it had to be loaded and ready to use, condition one for those who know their weapons. So yeah, it was a unique experience.

We typically did a five day rotation. So we’d do five days of foot patrols, five days of vehicle patrols, and five days of what we call FOB security. A FOB is a forward operating base, which means there are operations that move outside the wire. Inside the wire, you’re in our territory; outside the wire is technically enemy territory, or at least not within our compound. So a FOB is where you do the outside-the-wire things: you sleep in the FOB and then you go do patrols outside of the FOB. Hopefully that explains it.

So like I said, five days foot patrol, five days vehicle patrols, five days FOB security.

For FOB security, there are all these posts all around. You’re looking through basically a really thick bulletproof glass for four hours at a time, four hours on and eight hours off, four hours on and eight hours off, for five days.

Then when you do the foot patrol rotation, you’re going to wherever your Lieutenant and your Sergeant are telling you to go: hey, we’re going to go hit up this area, this area, this area on the map.

So basically what you do is, if you have a squad of, let’s say, 13 Marines, you split it in half, six and seven, and you basically leapfrog.

So you do that route, but you leapfrog like that.

Once half of the squad is moving into a house, you go in the house, say hi to the people, get security to provide overwatch for the other half, and you just kind of rinse and repeat, whatever the route is. So we would do that.

With vehicle patrols, obviously you can cover a lot more of the city and outside of the city. So it’s really kind of the same thing, except it’s more like four Humvees. I was typically in the front one. I was a turret gunner because I had a light machine gun that I carried; they automatically made us turret gunners whenever we were doing vehicle operations. So I’d be the front turret gunner in a little convoy of three or four or five Humvees, the one waving to people to move them out and that sort of thing. Looking back on it, it’s an extremely dangerous job. You’re sniper bait, because you’re the only one sticking out of the Humvee, and we did have issues with sniper fire. Thankfully I never was subject to that, but unfortunately I do know people who were.

But yeah, it was a very unique experience. I’m very happy that I had it at the time I did, because I was so young. I don’t think I had enough independent thought. I think if I were even a few years older with a little bit more life experience, I would have thought, hey, maybe we shouldn’t be doing this. This is really dangerous. This is really stupid. But I was so young and so fresh out of boot camp that I was all about just doing what I was told, and, hey, maybe that saved my life. Maybe that saved the lives of other people I was around, because I did have that mentality and they did as well. Discipline, you know, doing the right thing when no one else is looking.

Thanks for sharing that. It’s really interesting. The observation you made about being young, as well. I remember once I was at a conference for the company I worked for in Las Vegas, I think in 2006 or 2007, and there was a Marines ball, I think.

Oh yeah.

And I remember thinking, boy, these guys are young. They were all 18, you know. And then I remembered what I thought of myself when I was 18, and I didn’t think I was young. I thought I was a man, you know.

You’re very much not. No, no, no, no.

And then of course, thinking that they’re there and, I mean, this was 2005 or 2006, right? They’re going to war.

That’s when I was there. ’06, ’07.

Yeah.

I don’t have much more to say about it, except how serious it all was, and sort of real. It totally came to me just seeing it. And it was kind of cute too, and I don’t say that in a patronizing way, because all the young men had their girlfriends, but it was all like, you know, a date for the ball, right?

Of course, it’s a big thing.

Yeah.

It’s just a formality. But you mentioned you’re not really choosing, you’re following orders, right?

And I’ve got a couple of questions about that. One is, when you said you were a turret gunner, did you have any choice? In your pre-deployment training, were you given any kind of options for what you might specialize in?

No, I was the new guy.

I was relatively new to the unit. I had less than a year in service by the time we deployed. Like I said, I went to boot camp in June of ’05, and then June 1st of ’06 we got activated. So technically I was 18 years old when I got activated for deployment. I was a young guy. And in a fire team, a fire team is four Marines, there’s typically a SAW gunner; the SAW is a light machine gun. I don’t know if you ever play Call of Duty or anything like that, but typically there’s a SAW in those games. And then everyone else typically has an M16. The M16 is just your typical rifle, in layman’s terms. An M16 is about eight pounds; a SAW is about 24 pounds. So the new guy gets to carry the heaviest weapon, because no one else wants to carry it. They’ve all done their time, or they pull seniority. So to answer your question, no, I did not really have a choice as to what I did. And once you are a SAW gunner, you’re the one in the fire team that’s going to be in the turret, because no one else is trained for that. I’m trained for employing the light machine gun. Everyone else can, but it’s mine, you know? So that’s kind of how that worked.

Yeah. And it’s interesting that you were also told what your name was going to be. I heard this story on a podcast I listened to preparing for this interview. But if you could just share that story again, because it’s so interesting how you got your Twitter handle, basically.

Oh, sure. Yep. BunsOfRath12. So the 12, I’ll just start with that. That comes from when I started playing roller hockey. I’m a huge hockey fan, and I started playing when I was 12. So there’s that. The Buns of Rath: obviously, my last name is Rathbun, so that’s pretty easy to see. But Buns is actually what I was called when I was a cop, and that came from when I was overseas, from my team leader at the time.

So you’ve got to think about the most stressful situation you’ve ever been in. Maybe something like calling 9-1-1 or something like that. All your fine motor stuff just kind of goes out the window and it’s all gross motor. You’re just falling back on habits, falling back on whatever is easiest, whether it’s right or wrong. Rathbun is not an easy name to say, especially when rounds are flying past you. So basically, my team leader said, I’m not going to call you Rathbun, I’m going to call you Buns. I’m like, aye aye, Corporal. What else can I say? No? So that’s pretty much where that came from. And it stuck because it’s easy to say, it’s fun to say. Hey, Buns. It’s a great nickname.

And so, yeah. So you finished your service and you went to university with the intention of becoming a cop, which you did. And I know that an interesting part of your story, again partly on the theme that you choose to get into something, but where you go after that isn’t necessarily entirely up to you.

You were kind of the tech nerd guy on your shifts, basically. And then you kind of got told you’re going into digital forensics. Is that correct?

Yeah, I could type faster than probably anyone at the police department. I was the one always fixing the tech issues. For my first four years of the seven, I was on patrol, and I worked night shift, six p.m. to six a.m. The IT staff’s not there, so when people have issues, they default to the next best option, and I was that. Word just kind of got around. And I was told about a year ahead of time that, hey, we’re looking to expand digital forensics and we want you to do it. It’s the no-brainer. So I did that. I started my training in 2015, and then I believe it was January of 2016 when I started as a detective and working those types of cases.

Yeah, I’m really interested in asking you about, and of course we’re going to define digital forensics and talk about what it is, because it’s so interesting. But along the way, I gather from your LinkedIn profile that you wrote a master’s as well.

Yeah, I did. And that kind of goes to my point about how I didn’t go to school for what I’m doing now. My master’s is in human resources administration. So we’ve got criminal justice, sociology and human resources administration, and I work in cybersecurity. That just goes to show you something I’m sure we’ll talk about before the podcast is over: it doesn’t matter what your background is. You can get into cybersecurity and digital forensics.

Oh, yeah. I’m 100 percent on board with that. I’m a former English major who became an investment banker, you know. So there are these skills that cross areas, if you’re willing to let them. And that’s a kind of important feature of that as well. Of course, there are a lot of people who are like, oh, I learned this in school, but I never use it in my job. And whenever I hear people say that, I kind of feel like saying, a little bit, shame on you, you know? I bet there are ways you could apply it if that’s so important to you.

Absolutely. And your master’s, I mean, you say it was in human resources, but it was in a law enforcement related thing. I see emotional intelligence in law enforcement. So if you could just take a couple of minutes to maybe talk about that and what you were writing about there.

Well, I haven’t looked at that in a while, so I’ll do my best. But basically, there’s a book that I really liked when I was a cop called Emotional Survival for Law Enforcement by Dr. Kevin Gilmartin. It’s a fantastic book. If you know anyone who works as a nurse, anyone working shift work, anything super stressful like that, vet techs, veterinarians, doctors, emergency room doctors, it applies to them. My wife is actually a veterinary technician, and she read it and it’s totally applicable to her and her line of work. But I strongly recommend it for any of the cops, and any of those other types of jobs.

But I really liked the concept of emotional intelligence and what it meant: taking care of yourself, your mental wellness, and being in control of how you react to things, because over time that’ll compound if you react to things poorly and you develop that negative attitude. And that book actually talks about what’s called the magic chair.

So for the 12 hours that you work, you’re very hyperactive, you’re hypervigilant.

But then when you get home, you’re just a zombie to the world. You just sit in your chair, you watch TV and you’re like, yeah, whatever, honey. You’re a zombie. It’s that magic chair, and it’s all about trying to avoid falling into that routine where you are your best version of you at work, but then at home you’re just a zombie and you’re letting life pass you by. And then that refers to suicide rates, the high rate of divorce within those lines of work, emergency medicine, law enforcement. We’ve all heard it. Even the military; people in the military should read this as well. Really great book.

So I wanted to try to figure out the prevalence of emotional intelligence within the law enforcement community, because I knew the answer: it’s not really present, for the most part. But without data, you can’t really say that, right? So I worked at a Big Ten university, Michigan State University, and so the data set was from all the other Big Ten universities. I put out a survey with all the questions, and the group that I surveyed was just officers at the Big Ten universities. It was really cool. I should go back and read that. It’s been a few years, but I felt really good about it, because outside of that book and maybe a couple of others like I Love a Cop and, I think, Spiritual Survival for Law Enforcement, really outside those three there’s not a lot out there in terms of better understanding emotional intelligence within law enforcement. So I felt like it was a gap and it needed to be filled. And, quite frankly, someone could keep going beyond that.

Did you get any, I guess, kind of, and probably the terms wouldn’t have been used, emotional intelligence training as part of your Marine training?

Oh, no, no. The emotional intelligence training in the Marine Corps is more so to just kind of get over it, move past it. It’s all about mission accomplishment, that sort of thing. So maybe it’s different now, but back then, while we were at the height of the Iraq War, in the infantry, that’s just not what it was about.

Yeah, that corresponds to what I’ve heard from people. I know that it’s kind of like, break you down and build you back up and make you into a machine, you know.

That’s exactly it. And that’s great for that environment. That’s what you need in Fallujah, in Ramadi, in Baghdad, in the mountains of Afghanistan. That’s what you need.

People have got to learn to be able to turn that off. Once you reintegrate back into society, I think that’s where some of the struggle happens, because if you are so good at doing that over there, and then you try to apply those same principles back in society, it just doesn’t work like that. And that’s probably where some of the issues come from, maybe with suicides and alcohol abuse. That’s how they cope.

Like I was really successful here. Why am I not here? You know? And I mean, that’s a whole rabbit hole that I’m not really that qualified to talk about, but that’s just how I see it based on what I know and my experiences.

It’s really interesting, actually.

One thing I was thinking about preparing for this interview was noticing, from the bios of some of the authors of the Hitchhiker’s book and just sort of looking around, that a lot of people in digital forensics, and in particular incident response, are often former law enforcement and military.

But one of the interesting through lines, I think, is that when you go on your shift, anything can happen, because you’re often dealing with bad actors who can be as bad as they want to be about anything. And they can be in any state of mind, particularly when you were on patrol, for example. You encounter them at any point in their life. Maybe every night you encounter five people on the worst night of their life, or something like that.

That’s exactly it. Yes.

Yeah. And sort of trying to keep in mind that that’s not what normal people are normally like must be one of the big challenges of doing that kind of work.

Absolutely. The cynicism, you can’t escape it. Everyone who’s ever worked in law enforcement, and probably even the military too, I would say, is going to have that level. And nurses too, right?

I think everything that comes through a hospital door, they see it all. They have to deal with it. It’s their problem. It’s not uncommon that when law enforcement can no longer handle an issue with a subject, they have to go to the hospital, and there’s nowhere the hospital can dump them off to, so they’ve got to deal with it. So, yeah, you can only expect some cynicism is going to come out of it. Everyone’s got it a little bit.

I haven’t been a cop for three and a half years now, but I still have some of that cynicism. As you get further away from it, naturally, it’s like when I got out of the military: I wasn’t as vigilant. Loud noises still make me jump, of course, because that’s not fun, and I don’t know if that’ll ever go away. But the further you get away from an event, especially something that shaped you so much, like boot camp or the police academy or whatever, naturally some of it’s going to stick, but not everything will.

Yeah, you’re reminding me of friends and relatives I have. I’ve got a cousin who’s a firefighter, and stuff like that. And it’s funny, I don’t know why this occurred to me, but sometimes when I’m with a friend of mine who’s a nurse, for example, and I’m complaining about something in my life, they’ll give me that professional look. It’s kind of like, is this a big problem? Yeah, you’re right.

It’s all relative, though.

I mean, I don’t know if you’ve ever seen the show Generation Kill before. Yeah.

You have. OK, so you remember the reporter, the Rolling Stone reporter?

Yeah.

So there’s one particular scene where there’s a firefight going on.

And I think his name is Lieutenant Fick.

He goes up to him, and the reporter’s all worried, because there are rounds going through.

But the firefight’s like 100 meters over there.

And he gives him this awesome speech.

It’s like a minute-long video on YouTube.

And the key phrase is, it’s all relative.

So what may be a big deal to you is not a big deal to someone who’s a cop, who’s an ER nurse, that sort of thing. So when you said that, it reminded me of that scene. And I always refer back to that. It’s all relative. Something that’s a crisis to you is just a Tuesday for someone else.

Yeah. For anyone listening who isn’t familiar with it, Generation Kill was a miniseries that came out, I don’t know when, I think in the Aughts or something like that. It was quite a while ago. I want to say it’s like 2006-ish, something like that. It was made by the guy who made The Wire. So if you like The Wire and you haven’t seen Generation Kill, you absolutely need to watch it. I think it’s a seven-episode miniseries, just one season. It’s fantastic. I would say it’s arguably the most realistic portrayal of the Iraq war. Actually, I think it was 2008. That’s coming to me now. I’ll fact check myself after this, but I’m pretty sure it was.

That reminds me, actually, of a very specific thing. You mentioned when you were in Fallujah, you had these shifts, four hours on and eight hours off. What did you do in your time off? Sleep?

Pretty much. And often you wouldn’t sleep a lot on the foot patrol cycle. Sometimes you’d be outside the wire on foot for a total of 16 hours a day. But that’s not all at once. You do a three-hour patrol here, a five-hour patrol a few hours later, a four-hour patrol here. So there’s that prep time in between; quick, eat something. I mean, the op tempo, the operational tempo I should say, was just crazy.

So, very specifically, I guess, because it’s interesting how these things changed quite rapidly, and I only know this from Modern War Institute podcasts and stuff like that: did you have Internet access and smartphones and stuff at that point?

No smartphones. We did have really slow Internet access, I think. We had about one hundred and twenty Marines, I would say, maybe about ten or so, that lived in this abandoned four-story hotel. And I remember we had a room on one of the sides of the first floor of the hotel; I think there were like three or four computers at most. So we did have it. It was slow. We had a thing called River City. River City was where, if we took casualties, for twenty-four hours all phones and all Internet were shut off, because it’s all about the family finding out officially from the government rather than, oh, man, so-and-so got shot or whatever. I think earlier in the war, that was an issue, where they were finding out from buddies rather than from the government, and that’s obviously not good. So, yeah, we did have it, but we were in River City a lot, because we took a lot of casualties.

Yeah. Not that we need to go down all this particular path.

But I gather that communication coming the other way can be a problem as well. It’s something that I think people in the military are still grappling with. It used to be maybe you got your Dear John letter in the mail, and you’d write a letter back and see what would happen. But now it can be real time.

Sure.

And experiencing personal problems with someone on the other side of the planet, or hearing bad news from home, and then all of a sudden, if you’re on the team or you’re a commander, that soldier just got bad news.

Oh, yeah. That too. Part of their mind is back home. And that’s dangerous. That’s really dangerous.

But it wasn’t so much that when I was there, because back in ’06, I think that was shortly after, like, Thefacebook changed to Facebook. So it was very early in the social media world, and I think that’s back when it was actually wholesome. There weren’t ads and all this stuff that there is nowadays. I don’t use it nearly as much anymore.

Yeah. But you’re in good company on that note. So anyway, that’s all super interesting.

And then you found yourself in this digital forensics world. So can you talk a little bit about what digital forensics is? And then we’ll talk about incident response a little bit a little bit after.

Sure. Yeah. Digital forensics is basically doing analysis on artifacts on a a, you know, a phone, a computer, anything that holds digital evidence. So if you’re talking like, let’s say, a Windows computer, right, which most of us use every day, it’s being able to prove like, OK, what files did the suspect open? What files did they download? That sort of thing. What did they do while they while what did someone do during a certain time frame of interest and just basically making sure that I don’t think I’m going to like this answer. I’m probably going to want to redo this one. But so.

Yeah, digital forensics is basically, I kind of equate it to like a car crash. So think of it like on a highway when you have like a big hundred-car pile-up. OK, so there’s got to be an investigation. How did it happen? What are the injuries? That sort of thing. That’s actually more incident response. So I’ll answer incident response because that’s a better one. Yeah, I’ll do that.

So incident response is more like a car crash on a highway. So think of like a hundred-car pile-up. You have all these cars. You have all these injuries. You have to basically come in after the fact, you know, just like the police officers do. How did this happen? What was the damage that was incurred? Now, more in incident response: what did the bad guy take? Because a lot of what you’re dealing with is breaches and intrusions. What did the bad guy do when they came into an environment that they don’t have access to? What did they steal? What did they delete? What did they encrypt? You know, that sort of thing. That’s what you’re dealing with in incident response.

Whereas digital forensics is not so much that network element of like, hey, someone breached someone’s network. You know, a bad guy, a threat actor breached the network. It’s just more, you know, what did the person of interest do, and being able to prove it with what artifacts are on disk?

And a lot of times we use artifacts that aren’t there for us; they’re not meant for us. They’re meant to make the operating system run. But researchers over time have realized, hey, Windows records this particular thing when someone does this. So when they do that, that means they opened the file, or, you know, hey, this is what happens when someone creates a new file. And if that ends up being something of interest in your case, we know which artifact to look at and how to parse it and make sense of it and be able to say, yep, this person made this file at this time. Or let’s say, you know, an employee stealing documents from a company before they leave or get fired. You know, we know how to, you know, browsing history. There’s just so many different artifacts, and new ones are being discovered all the time, to prove that someone did something at a certain point in time.

Yeah.

And so just to maybe sort of like make it a little bit more specific and pick some specific examples, for example.

So I’m genuinely curious because I don’t know, but I once was on a jury and it was for a relatively unique coordinated crime. And one thing we got, as the jury, was these binders full of mobile phone records.

Oh, yeah.

They weren’t recordings, but they were showing one number called another number that’s probably cell tower dumps, I would imagine.

Oh, OK. But is that the kind of thing that you would have worked on in your law enforcement days? Like, you know, get the data from whatever devices you were allowed to get and whatever data you were allowed to get off them and sort of put it together to tell a story?

Yeah. Yes and no. So if that was like a cell tower dump, that’s obviously not something that’s from like a phone. Like you hand me a phone here. I want you to look at this phone and see what happened. Like you’re not getting that data from the phone. However, there could be like call records and obviously texts and that sort of thing to indicate that, OK, this phone that had this number at this time called this contact, this contact, this contact. So there would be that. But then often what they’ll do in crimes involving cell phones, depending on the severity of the crime, of course, is get a cell tower dump. So take all the cell towers that are near, you know, wherever the incident was and then try and find, you know, what activity was going to and from that device. So that’s something that’s very, very common in law enforcement. And that’s something I didn’t do a ton of. So I’m not going to pretend like I’m an expert at that. But I know those are like two different ways where you could get activity of, you know, when a device had incoming or outgoing calls, either from the device itself or from a cell tower dump. Or you could even subpoena like Verizon, Rogers, whatever, you know, cell phone company, if they do actually have that retained, because I think their retention rates, depending on the company, can be kind of short, like a week at most. So if the crime happened two weeks ago and say they only retain it for a week, you know, you’re not going to have that data there for you.

So, would cracking passwords be something that you would be trying to do as well?

That’s not something I do, but that definitely falls under the umbrella of digital forensics and response. Absolutely.

Yeah. And the kind of crimes that we’re talking about here, I imagine there’s a wide range probably from…

I mean, I don’t know what I would pick as a sort of low level kind of crime.

But basically, it’s serious enough that some evidence, some material, has been seized and then you’re looking at it and you’ve actually got the computer with you. Right. Or if it’s a computer or something like that, or a hard drive or something like that.

But it’s, you know, it’s kind of like, I forget the acronym, but like CSAM or something like that. CSAM. Yep. Child sexually abusive material. Yeah. Very serious stuff. And this is where kind of like knowing, proving that someone opened a file, for example, can be very material to a case that you’re.

Yes. Yep. And I’ll say something quick about CSAM, as I call it. I think those in the UK call it, I think it’s CM, child exploitative material, I think. So there’s different things. The main thing is that we’re trying to phase out in the law enforcement community is child pornography, because pornography indicates that you’re watching it for pleasure. You know, it’s not something people should be watching for pleasure. So the more appropriate term is child sexually abusive material or the CM. It’s just trying to get away from that whole child pornography thing, just because of the stigma of that term, because those kids are not consenting to this and it’s illegal and it’s wrong on so many moral, ethical, legal levels, you know, so it’s not child pornography. It’s child sexually abusive material. So I just want to put that out there.

But yeah, some of the cases that I’ve worked with digital forensics, I was thinking this when you were asking your question, like nowadays, anything involves a phone. You know, that’s like everyone’s second brain. One of the ones that just came to me was there was a drunk driver that was recording themselves driving like 90 miles an hour down a road. And I think it might have been a suicide attempt, but it’s basically a T road. So you can only go left or right. You know, there’s a cornfield if you keep going straight. And what they did is they went straight going at 90 miles an hour and they recorded it. So like that was the, quote unquote, you know, the crime that I think was like, you know, operating while intoxicated, causing injury or something like that. I don’t know. I can’t remember. But, you know, the video was on the phone. So like I had to go find the video, you know, and then put it in the report, narrate the video, that sort of thing. So I mean, I don’t think anyone ever would have thought of that. Like until that case comes across your desk, you’re like, who does this? Like you never would have thought that in a drunk driving case, whatever, a phone would be relevant to it. But there it was in front of me. Speaking of. And that’s just one of many.

So, yes. Speaking of things that people wouldn’t think about, I was wondering if you could share a story. I know you spoke about this on that other podcast where you talked about a digital faux pas or something, a forensics faux pas. But you had this great story, where you were actually on site sort of like physically searching for.

Oh, yeah. Material. And if you wouldn’t mind sharing that story, it’s yeah.

Yeah. Yeah. I remember that. So, yeah, that was the largest case I’ve ever worked in my career. And if you do the math, figure out where I worked and what went on at that time, you’ll know exactly what case I was working.

So that case. So we were doing a search warrant at the suspect’s house and we were there for like eight or so hours just searching for stuff. And I’ll keep it high level. But at the end of the day, we were about to leave with whatever evidence we had found.

And one of the officers that was like security for the outside of the house was like, hey, they won’t look at the trash.

And right now. And sure enough, I think because there were so many cars outside the house, I think the trash had come.

But the trash truck probably could not have gotten to the dumpster while there was evidence in the dumpster.

There’s a lot of evidence, actually. And so sure enough, you know, we looked everywhere except for that.

And it’s obvious: the trash is at the end of the driveway on a day when the police show up.

So that’s, yeah, I think the important lesson there is like, even though that person was not overly involved in the case at the time and is not the most technically savvy, as in they were not a digital forensics detective, they were still able to provide that perspective and that idea because they’re not in the weeds with us.

And sometimes, you know, when you’re so deep, you can’t see the forest for the trees and you need someone like that to just be like, hey, did you do this? Insert simple thing here.

No, no, I didn’t. But I did all this other advanced stuff on the inside. Well, OK, let’s take a step back. Let’s do the simple thing. And that’s where a lot of bad stuff was.

So, yeah, one thing I really like about that story is the arbitrariness of it. That is, I imagine, a feature of basically crime fighting. Right. Like, what if, you know, that person hadn’t made that remark and like six months later, you’re, I don’t know, playing golf or something.

And you’re like, oh, yeah. Yeah. I didn’t look. Yeah. And I mean, I imagine that, particularly in an area where technology is changing so much, but also you’re learning so much across time, there is regret, a kind of feature of that kind of work, or. Yeah, I don’t know if regret’s the right word.

But the way I articulate it is I remember working that case and I was relatively new at the time. I had maybe six or seven months on and we worked that case for at least a few months.

And I didn’t know what I didn’t know at the time. And I thought I knew it all that sort of thing. And, you know, looking back on it and not even just that case, but so many cases, especially involving like Windows computers, which is kind of like what I specialize in now.

You know, I think I made strong cases, or I made the best I could with what I had, the evidence I had and the knowledge I had at the time. But like I wish I could go back and have that mission of, you know, saving kids from, you know, child sexually abusive material cases, homicides.

I would love to work another homicide, you know, something involving like a phone or a computer. I would love to do that. And you ask anyone who has prior law enforcement experience and now they’re in the private sector.

They would love to go back and do that. And thankfully, I don’t think anything that I didn’t know or I didn’t do ever, you know, hurt a case or anything like that.

But like just going back, I could, you know, I drew a little scribble picture back then for my cases. I could draw a Picasso with what I know now, to put it as a metaphor, you know. So, but, you know, I’m proud of the work I did in the three or so years. It was really good experience. And, you know, without it, I wouldn’t be where I am today, because that was where I learned.

And why did you decide to leave law enforcement behind and go into the private sector?

I had an opportunity. So I had an opportunity to go to the federal government, which is one I just couldn’t pass up.

And then after that, there’s a lot of red tape in the government, both at the local level and the federal level, both great for getting experience. But like once you want to start doing, like even this podcast here, I think like four lawyers in Washington, D.C., would have to sign off on me being able to do this with you. And it would take weeks. Just running the Discord server that I have.

I had to wait a few weeks just for them to approve the thing I was already doing. And it had to go across four different desks of these lawyers in Washington, D.C. And I’m just like, I want to do a lot more than what I was doing at the time. And I’m like, I don’t know if I can do it here. You know, it’s just going to be too much of a headache. I’m sure they eventually would have approved whatever I wanted to do. But there’s just a lot more red tape. And I think I’m where I need to be for sure.

And what kind of work do you do now for Kroll?

I do digital forensics and incident response. So it’s going to be a lot of, you know, responding to companies getting breached. That’s kind of the layman’s terms. So typically ransomware engagements are a lot of what we see nowadays. We’re kind of seeing more of the pre-ransomware engagements, and threat actor tactics are changing, seems like every month, you know, now they’re not really deploying ransomware as much, whereas they used to six months ago. So it’s really just any time companies have, hey, I think someone who’s here is not supposed to be here. Help us figure out what they did. You know, let’s say they have a thousand appears in the network. How many did they access? What did they do on the ones that they did access? Did they steal anything? Did they access our file server? All of our trade secrets are sitting on this computer. Did they, you know, zip them up and exfil them to mega upload or mega Dakota or whatever it’s called now? You know, that’s kind of the gist of that at a high level.

There’s obviously a lot of really interesting things to talk about there. I mean, everybody would have heard about, you know, some of, you know, SolarWinds and that in the news.

I guess generally speaking, just to ask you a very general question, like, are companies kind of jolted by some of these relatively recent events into sort of upping their security practices and things like that?

I think that the way human nature works is nothing’s really a problem until it is. So I think once an incident happens, then that’s when all of a sudden there’s budget for the IT department for cybersecurity, internal cybersecurity. So I think that’s typically how it works. And also, I don’t know why, I really relate to using metaphors and stuff.

But the way I see it is like, so you mentioned, you know, like SolarWinds, all that stuff. There’s so many different ways to get inside an organization. Like, I don’t know if you know what a CV is, it’s like a critical vulnerability exploit. I think that’s what it stands for. But basically, there’s like 50 of those that come out every day.

So the way I think about it and the way I relate to it, to like, you know, trying to explain to my mom, for instance, who is not technically savvy, is think about building a house.

OK, you build a brand new house, right? You get the keys today.

You go right in. I can almost guarantee you an ant can get into your house, even though it’s a brand new house, completely brand new, should theoretically have very sealed windows, shouldn’t be any holes or anything like that.

I can almost guarantee you an ant can get in. That’s kind of the way that I look at it with cybersecurity, is like there’s just so many different ways to get in.

It’s kind of like cops and robbers.

The robbers only have to be right once; the cops have to be right all the time, you know, and that’s just an impossible standard to live up to.

It’s a matter of when, not if, as to when a breach is going to happen.

And it’s just a matter of how prepared you are, how insulated you are from the impact of that.

Do you have backups? You know, if someone were to encrypt all your files on your network right now, would that just be a minor annoyance or would it be end of the world for your business or somewhere in between?

So that’s kind of how I see that. There’s no way you can have an impenetrable fortress.

You know, a brand new house is still going to have probably a couple of holes. You know, I learned that bats can go through a hole the size of a pencil eraser.

That’s all the bigger hole they need to get inside your attic.

That’s nuts. You know, it’s impossible to completely insulate yourself from, you know, attackers.

Yeah, it’s interesting. I actually would like to talk about that, specifically about metaphors.

Right. Because I gather from some of the research I did for this interview that, and this is actually true in various areas of IT, when you’re trying to talk to people who might be in sort of senior decision making positions who aren’t tech savvy.

Actually being able to explain things often involves metaphor and sort of developing a shared language and things like that is really important.

One example I think I heard from some DFIR guys was trying to explain a particular exploit, like when people ask, why is it so widespread?

And it’s like, well, imagine there’s a lock company and they made this lock and the lock is really popular.

And it turns out one of the screws is defective and someone figured that out.

Now all the locks can, you know, all the locks. You know, it’s like, how can it be all the locks?

And it’s like, well, we’re all built the same way. Correct.

And it’s interesting, too, I can say, like from my personal experience, so I’m the sort of, you know, non-tech person at Leanpub.

And so anything that doesn’t directly involve programming first sort of falls to me.

So I kind of became the de facto security guy at Leanpub.

And so I had to learn and I found it quite fascinating, but like how to look for like these patterns of people kind of like snooping around.

You know what I mean? Well, I’m sure you know way better than what I’m talking about.

But one thing I sort of found interesting about it was like, oh, I’m totally doing this with no training and I’m sort of fighting off these guys. And by the way, this is not a big problem for Leanpub. We sell e-books. We use third parties, we use Stripe and PayPal.

They’re pretty sophisticated and stuff like that. But nonetheless, you know, there’s the odd plagiarist, for example, who tries to. And one of the super interesting things about it is the back and forth, because people will try something and you’ll catch them and then they’ll immediately try something else.

Yeah. Sure. Well, immediately try something else. And I even had interactions with people where we catch them and they get irate. You know, sure. They’re mad they got caught. They’re mad at you for catching them, even though they were trying to do something they know is wrong. And there’s a sort of very curious psychological element to it all. There is. You see that in law enforcement, too. You see that very same thing, you know, catch people speeding and just peeing in the bushes. You know, I worked on a college campus. So naturally that happened all the time. You know, they’re mad they got caught.

Yeah. One thing I noticed, this story, I don’t want to go on this too long, but it is interesting, the infinite variety of it. Right. So I used to live in Montreal, in a very densely populated neighborhood with lots of ground floor dwellings. And I noticed there was someone going around putting bottle caps on windowsills. And it was to see if anyone was there, because they’d see the bottle cap. Yeah. Right. And so they wouldn’t break into that house. If they came back and the bottle cap was gone, they’d know someone was there. But if it wasn’t gone, very crafty, very crafty. I give them credit. So subtle, you know, like just all these techniques. And then add on the sort of complexity of technology and like light speed communications and stuff like that. And it’s just such an interesting problem.

And I wanted to take an example of something called time stomping because I know you made a video about it. So I can point people to it so they can watch the video. But if you could talk about just an example of what time stomping is, how you look for it and why people would do this kind of thing.

Sure. Yeah. So time stomping is basically, so I’ll explain. So in incident response, we do what’s called a timeline. So let’s say, you know, on X day on Y computer, we think Z happened. OK, what I’ll do is I’ll timeline all of the events on that system, on, let’s say, a Windows computer, by using different artifacts. Like I said, there’s lots of locations on a Windows computer that Windows needs to record information to, to make the operating system function. But we leverage those as examiners, as artifacts, to prove that certain things happened. So what we do is we do a temporal analysis. So let’s say the bad guy, you know, already, you know, RDP is remote desktop. So remote desktop is like, so I have a laptop here, but I have a computer downstairs. I could remote into it, you know, if both are on and that sort of thing. So you can do that like within a big corporate network. You know, you can remote from one computer to another, you know, so you don’t have to physically be there.

So anyways, let’s say a bad guy remoted into a computer and then they were only connected for 10 minutes.

Right. Well, what happened during those 10 minutes?

Well, what they did is they went to a website and downloaded tools that they’re going to leverage for malicious reasons, whatever they want to do.

So let’s say they’re going to download a tool that’s going to steal your credentials because you have more privileges than, you know, the account that they’re using right now.

Because what they want to do is they want to move around, get to the file server, and that’s where all your files are.

That’s where, you know, all the Leanpub books are, right.

They want to steal all those or whatever, or all your trade secrets or all your secret recipes. They want to get there.

So what they’ll do is like, you know, they’ll download tools and those tools, they’re going to make a mark in the artifacts.

There’s going to be a trace of it.

So what they can do is rather than it showing up during that 10 minute session, what they can do is they can change the time stamp of that file to then make it look like it happened like three years earlier.

When I am looking at files that show up on that system during a given 10 minute time frame, if I don’t look hard enough, I’m going to miss it because they changed it. Instead of, you know, 10/18/2022, they changed it to, you know, 9/5/2017. So it looks like that file showed up on disk in 2017 when it didn’t; it showed up during that 10 minute session.

So luckily, there’s different time stamps for each file and only one of them gets changed in most cases. So you just have to know to look at the other one and be like, oh, it’s going to show 10/18 right here, even though the one they altered right here is 9/5/2017 or whatever I said. So it’s just kind of hiding in plain sight. They know they can’t completely remove traces of that, so they alter it enough to where anyone doing just the most basic analysis could theoretically miss it. And some people do miss it, you know, but you just got to know to look for it and be wary of it.

Typically, if you find one time-stomped file or folder or whatever, there’s going to be more. And you typically don’t time stomp to the future because that would stand out. Why has this file got a 2062 date? You know, they only time stomp back into the past, but you can go into the future. Just, why would you? That’s too loud.

I imagine the thrill, probably not the right word, but it must be kind of like, you know, because if someone’s done this, they’ve done it because they’re trying to hide something. And they’re trying to hide something from someone they know is looking for it. Correct. Absolutely. You don’t do it accidentally. You don’t trip on something and accidentally hit the time stomp button. That’s not how that works, you know.

In order to do this kind of work, you’ve got to have tools, and some of these tools will probably be very, very proprietary. But some of these tools might also be open source. And I was wondering if you could talk a little bit about your EZ Tools.

Sure. Yep. So EZ Tools, the EZ Tools Manuals book. It’s an official manual for Eric Zimmerman’s tools. Eric Zimmerman is a former FBI special agent. He now works with me at Kroll. He has created, again, I’ll talk in metaphors. So in digital forensics, we’re basically doing an assessment of what happened on a system. So think of it as like going to the doctor and you’re getting your checkup, right?

You get your temp taken, get your blood pressure taken. How do you get your temp taken? With a thermometer. How do you get your blood pressure taken? With whatever that thing’s called. You know, how do you get your eyes looked at? You have a different tool for that. So think of all the little different tools that a doctor uses against your body to get an assessment of what’s going on in your body. It’s the same thing.

So, you know, examiners over the years have identified on a Windows system that, you know, this particular artifact can be used for this. This particular artifact can be used for that. And each one of those needs a separate tool to be able to parse.

That’s what’s called parsing those artifacts and then creating output that is human readable, because a lot of this stuff is recorded in ones and zeros because that’s how computers talk and read information.

So these tools, again, the research is just mind blowing sometimes. But how to get that from computer readable, or, you know, legible to computers, to human readable.

That’s what these tools do. It’s really fascinating. And basically, with all of Eric Zimmerman’s tools, you could pretty much do a respectable digital forensic examination for free. And this manual is filling a gap in the community, because he’s a former FBI special agent. Right. So he’s very big on the whole, not to speak for him, but I know this because we’ve talked about this a lot, we’re big on fighting the fight. You know, the FBI deals with a lot of cases. I’m obviously former law enforcement. I dealt with a few myself. We are both no longer in law enforcement. There’s plenty of people out there that are still in law enforcement and have to deal with that. And they leverage these tools. So I know I’m getting kind of on a tangent, but that’s partially why I became so involved in his various tools, because I know indirectly or directly, I guess, they are being leveraged by people who are doing the mission that I wish I could still do. Actually, that makes sense. That’s a perfect segue to my next part of the interview. I think when we talk about your Hitchhiker’s Guide book, we can’t really talk about that without talking about the Discord server that you set up.

Sure. And how it works, who it’s for, and the demand and need that it meets. So maybe if you could talk a little bit about how that started, and when, and the community that’s there. Sure. Yep. So the Digital Forensics Discord server was started back in 2018, March of 2018. I was a cop at the time. I was a detective at Michigan State University Police Department. And that basically stemmed from, and I actually cover this all in one of the chapters I wrote in that Hitchhiker’s book. So I’ll just paraphrase. But what started out on Google Groups was moved to IRC with like ten of us. IRC, Internet Relay Chat, basically really primitive chat, for those who don’t know. It pretty much started where I was trying to send a picture of like a phone that I was working on, trying to get some data off of. And I needed to obviously provide a picture of it to the ten other guys that I was talking to.

And IRC, you can’t really do that. It’s just simple text. It’s very primitive. So I had to upload to Imgur, or however you want to say it, and then provide the link. But I don’t really want to take pictures of evidence and put it on that site, because then it’s out there and that’s just bad juju. So I’m like, hey, we should go to Discord because it’s something I just signed up for like six months ago. I know it’s for games, but like, man, it checks all the boxes for me. And I really love using it.

And so we did, we moved to Discord. And what started out as pretty much like three of us, three became like ten, became a hundred, became a thousand, became, yesterday I just checked, we’re technically over eleven thousand now, which is unreal. So the way I break it down in the chapter to kind of show you the reach of it, you know, there’s 180 some countries or something in the world.

What we decided to do at the beginning is we had roles. So if you’re familiar with Discord, you can assign people roles. So we created roles because we wanted to separate law enforcement and private sector. There’s no, like, if you have a law enforcement role, you see different things versus private sector. There’s not that.

But we just want them to be labels. So, you know, a cop in Sweden knows that they’re talking to someone in the private sector, knows they’re talking to a student, knows they’re talking to whoever, you know, someone who works for Magnet Forensics or Cellebrite, you know, a vendor, a tool vendor.

So that’s what we did. So to bring it back to the reach that the server has, I believe we’re at 74 different countries. So like I would do law enforcement USA, law enforcement UK, law enforcement Sweden, rinse and repeat, rinse and repeat. We have 74 different countries. That’s how far this has grown.

And then one of the stories that I mentioned in the chapter that I wrote, the history of the Digital Forensics Discord server, is there was an Alaskan cop that reached out to me. He was like, man, thank you so much for making this. I’m a one-man shop. My nearest help is like three hours away. And, you know, three hours in Alaska, especially depending on what time of year it is, that’s got to be treacherous. So he’s like, this has opened it up to people all over the world. You know, I don’t know everything. I don’t have the budget to go to all this training and I live in a very remote area, that sort of thing.

So like, this is my lifeline, you know. And I can’t tell you how many times on the server someone with a law enforcement role, for instance, says, hey, I’m working a homicide right now of a 10 year old or something. I really need some help on this. And then it’s just like everyone is focusing in on that, you know. Like we’ve had stuff like that before. We’re working on a horrible CSAM case, working on a homicide, working on something really awful that, you know, it’s just unimaginable things.

But digital evidence is involved, and this community has helped those cases. And there’s nothing greater to me than that. The fact that this server has helped even one child, you know, helped put someone who killed someone away, even one person. You know, something has been posted in the server that has helped someone at some point in time to put evil away.

Yeah, thanks for sharing that story. I mean, it’s so great. And it’s interesting how, like, profoundly productive it is. You mentioned budgets and training, for example. You know, from what I gather, someone could have been in the experience you were in, where it’s like, you’re the DFIR guy now, you know, and they were like, oh, I’ve been a patrol cop. And now you’re what? Right. You know, and so they’re like, what? I don’t even know what device this is, you know. And now there could be people from all around the world.

In all different time zones, right? And like, because they might be working the night shift, they might be up during that. It might be nighttime in Singapore, daytime in, you know, Croatia, and they’re able to collaborate and help each other and basically recreate that version of that story. Or like, did you look in the trash? You know, yeah. But in real time, you know, they could be like, oh, you know, there’s this way. Did you look in this folder? Did you look in that folder? Did you know that they found out about this exploit yesterday? You know, all that kind of stuff.

Absolutely. And the beautiful thing about Discord, one of the big reasons why we chose it over Slack, was because it was free. And let’s say you join the server today. You have everything since March of 2018 to search. So something may have answered the question you have three years ago. It’s just sitting there.

You just got to search for it. And so it’s such a compendium of knowledge now. You know, I’m sure there’s a lot of chitter chatter here and there, but it’s very professional.

You know, everyone knows the purpose of the server, what it’s there for. We have an off duty channel where you can let loose a little bit, but it’s a self-policing community.

Honestly, it’s a beautiful thing. It really is. The community runs itself. I couldn’t be more proud of it, and I couldn’t be more proud of the people who are a part of it, that maintain the standards that it’s become. I mean, there’s a reason why it won Digital Forensic Incident Response Resource of the Year three times in a row.

And it’s not because of me. It’s because of everyone else who shows up every day, maintains that professionalism, keeps everything on topic, just trying to help each other out. You know, that’s what it’s all about. And whether it’s moving forward, you know, a breach case, an intrusion case or a homicide, you know, it’s just really, it’s poetic.

Yeah, that’s amazing. It reminded me of a much more trivial and far lower stakes version of that that we had at Leanpub, which was, we were doing all our communications with authors who had problems one on one by email. And one day we’re like, why are we not making all of these communications that can be made public, public?

Right. So that’s right, this authors’ forum using Discourse, because it’s like, post your question there. I mean, if you’re willing to. By the way, if you’re listening, you can just email us at hello@leanpub.com if that’s how you want to do it.

But we’ve got this authors’ forum. And so all of a sudden it’s this searchable historical database of people having problems, looking for answers. And this is not something, you know, this is like, you know, if you can do it without hiding, whatever it is you’re doing, you know, do it without hiding.

It’ll help everybody. Absolutely. Way more productive. And just the last thing I’d like to ask you about, specifically on that note: do you vet people?

Yeah, I mean, yes and no. So let’s say, and this is why all roles are equal.

So say someone says they’re a cop in Sweden, for instance, I’m not going to call their employer.

I do so much stuff outside of my everyday job. I got a toddler, you know. And all the other moderators, they have lives, too.

That’s why we just made it where if you say you’re a cop, sure, you can be a cop.

I mean, it doesn’t mean anything, really.

You know, and quite frankly, if you start talking and you do have that law enforcement role, for instance, you’re going to be found out pretty quick.

I know cops. I know what they talk like. I know how people talk on the server.

I mean, it’s going to stand out, you know, and you’ll probably get exposed a little bit.

So there’s really no incentive, you know, to vet people because there’s not like a law enforcement only channel.

You know, and that’s something that we debated back and forth, and honestly we still had that debate even about a month ago.

Ultimately, it’s just because, let’s say you’re a cop today, but you put in your two weeks’ notice a week ago and you’re not a cop tomorrow.

Or next week, you know, am I going to know that?

No. But then for the rest of your life, you’re going to have access to a law enforcement only thing. And then there’s the thing where everything you post on Discord is technically not owned by you. Discord owns it. And it’s also technically the public sphere. So don’t ever post anything that you wouldn’t want to hit the news. And that should be just, you know, anyone in law enforcement knows that less is always more. It’s always better to say, you know, less than what you really want to say sometimes.

Yeah. Yeah, I know, it is interesting. I would say, like, I don’t have experience at this level or with this type of seriousness. But a lot of these things are kind of self, there are self-correcting mechanisms that exist when you’re dealing with true professionals. Most, yes, that, you know, you kind of have to be one to not stand out within those kinds of communities. Yep.

And just moving on from that. So now that we know what the Discord server is, we can talk about your book, The Hitchhiker’s Guide to DFIR. So you sort of crowdsourced the articles in this book from the community. Is that correct?

Yeah. Yeah. So it all started out like, you know, as my time at Kroll has gone on, I’ve done more things in the community. I’ve done, you know, talks at SANS, and I do stuff on GitHub. I help with their experiments, tools, that sort of thing. And, you know, as you start doing some of that stuff, you kind of get, I don’t want to say a check in a box, but like, OK, yep, I’ve been doing this for a little while. Like, what’s next? And so eventually I got down the list where I’m like, you know, I’ve done blog posts before and never really published a book or anything like that. Never really thought about it. Never ever thought I would be thinking about it, until all of a sudden I did. I’m like, huh? You know, so in an effort to kind of dip my toe in the water, I just kind of got an idea.

I don’t really know where I got the idea from. I got the idea of Leanpub from someone else that I followed, because they wrote, I think, three or four books on Leanpub. Like, oh, this is a cool platform, you know, reading about it and, you know, seeing the whole 80 percent royalty, the self-published thing, you own it. I’m like, I can dig that. That’s cool.

But I’m like, yeah, you know, I use GitHub a lot. Oh, cool. You can write on Leanpub using GitHub. I’m like, oh, let me look into this a little bit. So I kind of toyed around with it myself. I’m like, oh, yeah, I could see it’s basically Markdown, you know, more or less.

And I’m like, I bet you it would be really cool if we could just get, because no one, the average person, wants to write a 300 page book or 400 page book. But in the community, where blog posting is such a common thing, I think people could commit to a long blog post.

And that’s kind of how I went about it. Like, oh, there’s my cat. I got five of them. So you might see some more. So I basically said, hey, if you can just commit to one chapter, you know, if I can get at least like 10 people who want to commit to a chapter, let’s do that. You know, I’ll write the intro and I’ll write a chapter of my own. And then you just pick a topic. It can be a hodgepodge.

You know, this isn’t meant to be a college textbook. This is more a proof of concept. What this will do for me and for anyone else who wants to do it is it’ll make you a published author.

You can say there’s an ISBN with your name on it. You know, so that’s kind of like a, whoo, you know, that’s all fancy and stuff.

Little did I know how easy it was to really procure an ISBN to self-publish using Leanpub. It’s really easy. It’s really nice. And that’s why I ended up doing the second book, the EZ Tools one.

But yeah, that’s kind of where it came from. I just made a channel on Discord. I’m like, hey, I got this idea. Let me know if you want to do it. And I got, you know, probably 15 or so hands raised, and I basically said, OK, you guys work on whatever chapter you want. Once I have about 10 that are finished, right, because let’s say you book 15 people, you know, 10, hopefully, will actually finish.

Once we get 10, let’s publish version 1.0. So we did. We got the 10 chapters, or 11, intro plus 10, and published version one on August 15th of this year. And since then, we’ve released version 1.1, which was the 11th chapter. So I’m just waiting for a 12th chapter to be finished.

Anyone who’s listening to this and, you know, wants to contribute a chapter: once the chapter is finished, we’ll push out a new version. So basically I’m thinking once we get to about 20 chapters or so that are published and finished, we’ll probably put a wrap on it and then, you know, do the print ready PDF, because I would like to have a physical book, right? So I think we’ll end up doing that eventually. It’s just a matter of getting the number of chapters to really feel complete.

So, yeah, that’s kind of how that started out. And it’s been a great experience. I’ll speak for myself, but in talking with a couple of the other co-authors, they loved doing it. Everyone’s relatively familiar with GitHub just by being in this field, and then to use it to write a book, I think that was just kind of unique, and I think it worked out really well.

And, you know, I plan on continuing to do it, because I already do enough stuff on GitHub. So I might as well write a book, and I’ve open sourced that book. So anyone could technically, if they find an error, just do a pull request on GitHub and, you know, add that comma or correct the way I spelled onomatopoeia or whatever, you know.

Thanks very much for sharing that story. That’s so great. I mean, there’s sort of like five classic Leanpub elements in there, right? I mean, so when we started out, it was a blog-to-book kind of idea, right? It’s like, there’s all these people with all this content out there. Put it in a book, you know. And then, you know, people from different communities collaborating and putting things together, all separately, but using GitHub, which is, for anyone listening who doesn’t know about it, this incredibly sophisticated collaboration tool that allows people to have a kind of main manuscript file that people can then get themselves, make a change to, and then submit a sort of pull request, or they can sort of send it up to the administrator, as it were, and say, hey, will you accept this change or not? And this can be as easy as, you can actually do it all in the browser now, too.

You don’t need to learn about the terminal or command line or anything like that. You can actually follow the link in the back of either of these books that Andrew is talking about to the GitHub issues page. And you can submit an issue, even, you know, and say, and it could be a typo.

And if you’re listening, authors love hearing about typos and fixing them. And particularly, one of the things that has been so popular, with me in particular, is that since so many of our authors are programmers, they found the sort of conventional publishing process, where it’s like, it’s my book and I have to submit a change to someone else to change it, and then I have to wait for some whole process to go through. Why can’t I just go delete, replace, you know, and then save and publish and click the publish button?

And so with something like GitHub, someone anywhere in the world could find a typo in your book, submit it, you could get a little notification and be like, ‘oh,’ and then you could fix your typo and click the button. And you’ve got your book updated for everyone who can download it in the world right away. And so it’s just really great for collaboration and stuff like that. I love it. It’s awesome.

We control the publishing tempo. You know, I get kind of, I don’t want to say outdated, I get these outdated questions from people who are just familiar with traditional publishing. Like, so if I complete my chapter, when can we publish? I’m like, we can publish the same day. All we got to do is review it and I can hit a button and boom, you know, we got it.

So it’s kind of changing, you know, trying to change the paradigm a little bit with how to write a book, at least in our community, because there’s not very many people who have written books in our community, but now all of a sudden we just added 12, you know, people who have written part of a book, and I’m sure more will come. I know I plan on doing more. It’s just a lot of fun.

I think with a lot of things, it’s really just getting over that initial barrier of entry. And I think, you know, now that I know just the basics of it, with, you know, getting the ISBN and then the way that you can do it in Leanpub, doing something that I’ve already been doing the last two years on GitHub, contributing to various digital forensic tool projects and scripts and that sort of thing. It’s the same thing I’m doing. It’s just, it’s not a forensic tool. It’s a book. You know, it just really resonates with me and the community, I think.

The last question I always ask on the podcast, if the guest is a Leanpub author, is if there was one thing that you absolutely hated about Leanpub that had you shaking your fist and yelling at the screen, or if there was one magical feature we could build for you, can you think of anything you would ask us to do? Oh, put me on the spot. The one thing I think would be really cool.

Do you know what Markdown Monster is? No. Markdown Monster is a really cool tool. It’s specifically for writing your markdown on the left and then your preview on the right. And I know there’s tons of different text editors that do that. It would be cool to have like a Mark, however you say it, Markua, right? Is that how you say it? Yeah. Yeah. A Markua Monster, something where, because like, I know Slick Edit, I think, is a site where it’s kind of the same thing, but it’s in the web browser. You know, you’re typing your markdown on the left and then you’re seeing the preview on the right. It would be nice to have that live translation, but in your particular spec, because I think that’s where some of the issue was.

So what I did on our particular repo was, you know, I made our chapter1.txt, two, three, four.txt.

But because no one really knew Markua, even though it was pretty similar, I made chapter1.md, chapter2.md.

So they could actually see how their chapter would have looked.

Very rarely, though, there were some cases where what they did in Markdown didn’t totally translate.

It was very rare, but it would be nice to have that native Markua on the left, the live preview on the right, that someone could leverage.

Be it on Leanpub or on some third party site. Or, you know, I’m not saying you guys got to write your own tool and make it just because I’m saying this, like Markdown Monster.

But, you know, something just dedicated to that live preview of your particular spec, to what it’s actually going to look like.

So, yeah, thanks very much for sharing that. We have had that feedback from authors in the past.

I mean, basically the way it works, for anyone listening, is, when you write a book, you write it in plain text, which means you have to type in the formatting instructions, which sounds a lot more complicated and difficult than it really is.

It’s kind of like, in the old days, when people typed on typewriters and submitted their manuscripts to publishers or whatever, you had to do the same thing, right, because you couldn’t format things on a typewriter.

Right.

So, for example, the reason there was an underline feature on old typewriters was to indicate, I want this to be in italics.

And so Markua is basically the modern-day, writing-a-book-on-a-computer version of that.

But you write in plain text. And so what that means is that it’s not what you see is what you get.

Right. So you have to type this manuscript. And then what you do on Leanpub is you click a button to create a preview, and you sort of cross your fingers and hope it all comes out correctly.

And over time you learn. And, you know, it’s not really much of an issue. But the first time you do something, and especially if you’re working and collaborating and inviting new authors on, the first time they do something, they’re not quite sure what it’s going to look like, especially if you’re doing something more complicated, like tables and figure captions and things like that.

And so, if you’re working in the browser mode or if you’re on some kind of tool, for example, being able to see that happening in real time, instead of having to click a button and watch the, you know, progress bar until you get the PDF or EPUB that you’re looking for, would be a big advantage.

It’s something people have asked for in the past. I’m confident that it’s something we’ll do someday. But, you know, we’ve got a lot of other stuff on our plate. And for now, it’s kind of click the button and wait a minute, and you kind of see the result anyway.

But it is definitely fair. People have asked for it, particularly because they know from Markdown that there are these tools.

I hadn’t heard of Markdown Monster, but there are tools out there where that happens. So it’s definitely something that’s on our radar.

Well, Andrew, thank you very much for taking time out of your day to talk to me and to our audience. We covered a lot of ground, and so thanks for being game for answering all these questions where I was putting you on the spot.

And yeah, thank you very much for using EPUB for your great project. Thank you so much. I appreciate it. Had a great time. Thanks.

And as always, thanks to all of you for listening to this episode of the Front Matter podcast. If you like what you heard, please rate and review it wherever you found it. And if you’d like to be a Leanpub author, please check out our website at leanpub.com. Thanks.