mr. eerie

“It looks like we’ve got ourselves a digital forensic mystery!”

Reflecting on 2024

Derek wrote a blog post reflecting on 2024.

Derek Eiri
, , , ,

While I continue to develop my digital forensics and investigative skills, both traditional and new, I have evidently spent less time writing on the blog. For any creative energy I did have, I spent it on graphic art. While not particularly demanding, I also dedicated time as a board member for HTCIA’s Northern California chapter.

I appeared on my first podcast with ArcPoint Forensics and Amy Moles, too. That was a wonderful experience!

It’s not an hyperbole when parents state “children grow quickly.” Before having my son, I had no real appreciation what that meant. I’m blessed to enjoy the experience of being my son’s father and witnessing his milestones; they come and go so fast. Ensuring I am at my best for those moments, I prioritized going to bed at a reasonable time on more nights than not, and stay physically active.

Chicken related: I had a hen that managed to hide 16 eggs from me. 14 hatched.

For the few posts I did write, they predominately reflect what I was addressing professionally. For every post you read, then engaged with the blog or me on social media, I am very appreciative. Thank you.

On Blog Posts

Early in the year, I encountered and learned about Accessible Max Address Configuration (AMAC). While it’s an unlikely feature that will be encountered in the wild, it was a technical topic about storage devices I was proud of. At least based on my initial search about the AMAC feature set, it was rarely mentioned in publications related to digital forensics and I perceive it to be net-new documentation on the matter.

Exploring Lionel Notari’s iOS Unified Log Acquisition tool was an especially enjoyable post to write (I enjoy writing all of my posts). I owe a lot to Notari’s overt enthusiasm for iOS Unified logs to spark my interest and really start using my Mac for forensic research. This enthusiasm carried on to write about Christian Peter’s tool, UFADE. I was especially excited how UFADE addressed an issue of retrieving data from pair-locked iOS devices as an open-source solution. Though completing FOR518 was a professional endeavor, it was particularly fun to dive deep in an operating system that has evolved considerably since I started using it as a kid.

Though I read a beta copy of Brett Shaver’s book, Placing the Suspect Behind the Keyboard: DFIR Investigative Mindset (Amazon Affiliate Program link), early in the year, I occasionally revisited the book to reflect how and where I want to grow forward.

Year of the Mac

For me, it was year of the Mac and Baader–Meinhof awareness came from it.

In 2024, SWGDE released the final publication for Best Practices Apple MacOS Forensic Acquisition. Hexordia started to schedule their classes and 13Cubed announced plans to create a Mac forensics class, as well.

The Art of Mac Malware, a book that’s been sitting on my shelf for almost two years, started to get marked up. There’s even a second volume coming out in January 2025.

For some organizations, the population of macOS machines is minuscule compared to endpoints deployed with Windows and appears likely it will continue to increase. Despite a small population, the possibility of a macOS machine being used as an attack vector exists. With a new professional focus on incident response, my goal was to establish foundational understanding of macOS, formalize a data collection plan for macOS machines and develop a rapid triage processes. It would also enable me to better understand security controls to limit the macOS attack surface.

Coincidentally, SANS accepted Doug Hitchen’s paper exploring Aftermath for rapid incident response for macOS this year. This was a very cool paper summarizing rapid response triage capabilities of Aftermath based on simulated scenarios mapped to the MITRE ATT&CK framework.

One of my highlights attending HTCIA’s Global Training Event in Las Vegas, NV was sitting in on Steve Whalen’s presentation on “Mastering Live Volatile Data Collection on Macs”. From Whalen’s presentation, I gained insight on data I might want to prioritize during an incident.

Completing FOR518 markedly matured my understanding of macOS systems. The entire section on incident response analysis gave me inspiration to adapt/adopt existing triage tools. Moreover, I can effectively understand and communicate with individuals who maintain macOS systems when making recommendations.

Convinced I needed to learn more, I completed Sumuri’s MFSC-101 by leveraging my employer’s tuition reimbursement. I aim to use tuition reimbursement again to complete MFSC-201, then attempt the CFME in 2025.

I also learned about the Objective by the Sea conference and added that event to my to-do list.

On Art

As a way to unwind, I continued to experiment with graphic design. It’s especially a good excuse to try new ideas when Sticker Mule has a sale. Stickers are neat because they’re typically low cost and I have something physical to enjoy. They’re also cool things to hand out when meeting new people, or to sell to support the blog.

Inspired by a request, I adapted the original DFIR Dung Beetle sticker to an enamel pin. I found this guide especially helpful for design tips and options to consider when manufacturing an enamel pin. As a fan of patches, I also made an attempt to adapt the DFIR Dung Beetle to a 26mm PVC patch with hook backing, which turned out OK.

I also created a revision of the DFIR Dung Beetle featuring new friends.

Early in the year, a colleague thought “mreerie” was a play on “mystery”. That wasn’t my original intent, but I really liked the idea of “Mystery Machine” from Scooby Doo. Except I didn’t feel attached to the van. During Mac Camp (SAN FOR518), I thought a classic Mac might be appropriate. Instead of an apple, I picked a plum flower, which has meaning to my family.

Donglie was among the first stickers I created and I wanted to do a silly revision where a dongle (for a tool) had to do so much of the work, it became buff because of “Nintendo Forensics“. Anyone remember Nintendo Power?

Brian Maloney had a really cool OneDriveExplorer challenge coin idea in anticipation for Community Learning Day at DFIRCON and I helped him digitize his original art. This is the result.

On HTCIA

Following a few years attending meetings as a member of HTCIA’s Northern California chapter, I was encouraged to serve as a board member for the 2024-2025 cycle. As Secretary, it has given me an opportunity to invigorate and promote information sharing on effective investigative techniques in a collaborative way.

With the support of a great board, we organized several informative events for local investigators and analysts in Northern California. We started the year in February with a round table discussion of various topics on tools, techniques, and trends that were observed. In April, two of our board members, Aaron Reyes and Greg Tassone, presented case studies based on their respective corporate and law enforcement roles. In June, Peter Phurchpean presented on his experience with the app, Wasted and its capabilities to wipe data from an Android device. In August, Alexis Brignoni visited Sacramento, CA to present on the LEAPPs and related data structures. For our last meeting of 2024, Room Redux of Sacramento shared their mission in healing the lives of children. Additionally, MSAB reviewed their tools, XRY and XAMN, and guided us through a mini-CTF.

Another highlight from the HTCIA Global Training Event in Las Vegas, NV was the time I spent with the organization’s leadership. It was a great opportunity to interact with other board members and continue to evaluate how to improve the organization.

On 2025

For 2025, I would like to complete a handful of posts I drafted in 2024 and draft (maybe complete) several more. While I am not participating in the Zeltser challenge, I am looking forward to a handful of people that will.

I’m also forecasting a need to efficiently align an existing digital forensics program to business operations. A book I expect to visit often is Implementing Digital Forensic Readiness: From Reactive to Proactive Process by Jason Sachowski (Amazon Affiliate Program link). As I consider and anticipate an employer’s needs, a solution or response, according to Sochowski, should “maximize the ability to collect credible digital evidence”, and “minimize the cost of forensics during an event or incident.”

As for my role as a board member for HTCIA’s Northern California chapter, I look forward to using the momentum from 2024 to generate even more rewarding and productive learning opportunities for 2025.

Of the 14 chickens that hatched, I believe 6 are roosters and I expect a good stew from each of them very soon.

I’m looking forward to what I will experience with my son next.

I should also walk more.

Thank you for your time and attention in 2024. Lets do it again next year.

Feature image generated with WordPress’ Jetpack AI Assistant.

Amazon Affiliate Links

There are two URLs in this post that are Amazon Affiliate Program links. If you purchase a product, I may receive a small commission from Amazon to support this blog at no additional cost to you.

One response to “Reflecting on 2024”

  1. Week 52 – 2024 – This Week In 4n6 Avatar
    Week 52 – 2024 – This Week In 4n6

    […] Derek EiriReflecting on 2024 […]

    Like

    Reply

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.