I Got This!

I recently made the jump into the consulting side of incident response and forensics. I come from internal investigations and training. I am quick to adapt and learn, but the type of work is the same. What has changed for me is how much work. Probably not in the way you are thinking though.

In my past roles, I had a lot of flexibility in the amount of time that I could spend on cases and projects. I guess I have a bit of perfectionism in me, since I like to exhaust all of the possible options for artifact locations of a particular action before I call it quits on a case. I had reasonable expectations to meet in the time it took for me to deliver my findings, but no one was tracking the exact hours that I put into any one case. All they really cared about was the number of days until I had my report ready. I was on salary so it really didn’t matter. I was paid to get the job done, and it took what it took.

Time is Money

In the consulting world, you have people paying for your time by the hour. They want results that are good, fast, and cheap. You know the story on that one, right?
Here is a quick rundown for those that haven’t been in consulting yet. The client calls in to someone on the team that discusses the project to get an idea of the type and amount of work that will be involved. The project then gets scoped for the number of hours that it shouldn’t exceed. It gets handed off to the lead investigator who then takes over and sets the plan for work. Collection is the first step. Then into analysis and finally reporting. It seems so simple!

Better than Real Life

I want to create a scenario for you based on some fairy tales with a couple facts from made-for-TV movies. I am having a ton of fun in my new job. It has brought a new challenge to me, and I don’t back away from those!
Let’s say that you get a case with a single system and it gets scoped for 40 hours. It’s a standard scenario of an employee leaving and the client wanting to confirm or deny that data has been taken, and it starts you off feeling pretty confident. You think, “I have a full week to poke around on this disk? I got this!” It sounds like a lot of time to analyze a system for the typical artifacts of data exfil.

Walk the Walk

Did I mention that your client’s office is on the opposite side of the country? Go ahead and take off two 5 hour flights because your client is paying for you to come out there. Now we are down to 30 hours.
Of course, that system has a 1 TB drive in it because that was the standard option when they ordered it. There goes another 10 hours by the time you get your gear set up, disk acquired, E01 verified, and gear torn down. Down to 20 hours.
Now you lose a couple more hours because you have to either drive that evidence to the lab or ship it. The lab guys then add in hours because of the intake process, verification and backup. We can use a round number of 5 on this one, bringing the project in at 15 hours.
You need to do some processing and parsing. You don’t charge for machine time, but you do need to spend time setting up the case folders and getting all your tools ready to roll. You can’t unleash all of your tools at once, so over the next day you work on some admin stuff or reviewing results from another case with one eye on the tools. You just need to start the next tool when the last one completes. All together it probably takes 2 hours of your time. Now you have 13 hours left.
It feels a bit tight, but 13 hours leaves a fair bit of room for you to wander the disk. That is until you remember that you still have to write a report. Ever done one of those? Don’t forget that you also have peer reviews that need to get done before it can be finalized. I will be nice to you and say that you were able to blaze through this in 6 hours.

Putting the ‘Min’ in Examination

You went from a full week of examination time to just 7 hours. It happened without you even realizing it! You have gigabytes of data that have been parsed into output files in all sorts of different formats, though many of them are just text files.
Do you still have that pep in your step that you had when you first took on the case? Of course you get used to this after a while (I am hoping so, at least. :). You are now under pressure to perform a thorough exam in less than a day’s worth of work. You better get steppin’!

Deliverables

I hope you read that in a fun tone of voice. The same tone that I wrote it in. I wanted to share my experience so far with those who have not been in the consulting world. I knew things would be different. Some things were much easier than I anticipated, but others caught me a little off guard. The hours I described above are one of those on the tougher side.
I am learning a lot from all of my awesome team members. I have so many of them reaching out to me and offering help. The toughest part is figuring out which one to call!
I wanted to face a new challenge and work with a team I can really learn from. I have joined the right team for this, and I look forward to many years of continued learning.
Keep yourself challenged, and you will find a lot of happiness in your job!
James

2 thoughts on “I Got This!”

  1. I shudder when I see things such as “…exhaust all of the possible options for artifact locations…”, “… poke around on this disk…”, or “…wander the disk…”. The entire process should begin with someone engaging directly with the client to clearly establish the goals of the examination, and then set the client's expectations with respect to the results.

    If the client wants you to “wander the disk”, that's fine…and 40 hrs to do so, *after* the acquisition is complete isn't bad. That 40 hrs may include report writing, as well…but for a single image analysis, that should not take more than 8 hrs (including writing and QA), as there should be standard reporting methodology set up.

  2. For one thing, I hope you understand that many of these phrases were made in the context of being light and fun about the topic, and in no way represent how I (or anyone else) should or do speak with any clients.

    For someone, like you, who is experienced in the consulting world, 8 hours may sound like it allows plenty of time for analysis. I haven't had the need to track the number of hours I put into any exams, so this was a big change for me. I think that many investigators out there would be in a similar situation, and that is the reason I posted this.

    Having a standard reporting methodology is definitely a help, but it still requires a lot of time to fill in all that information. Even if it is laid out in a MadLibs style with blanks to copy/paste!

    Thanks for the feedback! It shows me that I have a lot of room to improve my processes to make them more efficient.
