Saturday, August 13, 2011

Is Scottish Fiddle like Digital Forensics?

A while back on a job interview, I was asked what I enjoy/how I spend my time besides digital forensics. I of course explained that I play Scottish fiddle and go mountain biking. The guy interviewing me commented that a lot of people in DFIR play music. Now, I'd not heard that before, and I have kind of wondered if it's really that prevalent, and why it might be. Is there something about DF that attracts musicians, or vice versa? And what about Hal Pomeranz's prediliction for dancing? ;) Then recently I thought of a different question - is there a similarity between Scottish fiddle (since that's my music) and digital forensics?

First a little background. I hate to break it to anyone who might think there's a trend, but I'm not a musician, or at least not what I would call one. Other than a little bit of exposure to playing piano as a young child, and playing the recorder in elementary school, I've never played any musical instrument. I certainly wouldn't call either of those experiences the makings of a musician, that's for sure! I wasn't even in band in school; I had some friends there, if that counts for anything, but I got my geek card from the fact that I had a computer. Yep, a Commodore Vic20, and all mine. ;)

I grew up listening to bagpipe music, and really enjoyed it. I thought it would be neat to learn how to play, but knew that pipes are expensive, and extremely difficult to play. As an adult listening to more traditional music, I realized that fiddle also played a prominent role, and in some cases sounded a lot like the pipes. A friend encouraged me to try to learn, as it seemed a less daunting task. What I came to find out is that no decent instrument is inexpensive, and the fiddle is also a very challenging instrument; it is generally considered to take years to learn to play well.

I'm going to take a little side trip here, and refer everyone over to Chris Pogue's blog post, How Do I Get There From Here. I enjoy Chris's blog, and really enjoyed his Sniper Forensics talk at the SANS Summit this year. Something he wrote in this one really resonated, and I thought about it a lot with the question already at hand. He wrote about needing to "get" forensics in order to excel at this work, and about having the drive to succeed. He said the following in regard to his experience breaking in to the field: "I had all of the required skills (networking, Linux, Windows), no different than any of the other applicants. But, what I had that they did not was raw desire. I wanted this job more than anything. I read anything I could get my hands on that dealt with the subject, spent my own money setting up a makeshift lab to play with tools, and perform experiments." He ended up getting the job because of these characteristics.

I can draw some lines between playing a musical instrument and digital forensics. You have to take care of your instrument, keep it clean, in good shape/working order, and so on - that's akin to updating your systems, firmware, laying down new baseline images, configuring software, etc. A good musician also stays in practice, playing every day. They learn new songs, new techniques, and explore their music. Concert musicians certainly warm up (not just musically, but physically as well) before a big performance. So too, we forensicators need to stay in practice, learn new things, and focus our minds (our warmup) before (and during) an investigation. The quality of your instrument (equipment) matters, but a good musician can play a cheap instrument and make it sing. The real power does not rest in the tools you use, but in the skill with which you use whatever instrument you have - starting with your mind. At the core I think they're both a Discipline, and they're both Fun. D+F. DF. Get it? Okay, okay, so I'm a geek. :D

Now to take it a little further and get more specific. Scottish fiddle is not like classical violin. The instruments are the same (yes, a violin and a fiddle are the same thing), but it's the language of playing that's different. Language? Yes, absolutely. Every style of fiddle music - Bluegrass, Old Time, Cajun, Appalachian, Irish, Scottish, Galician - has its own figures of speech, idioms, and nuances of bowing patterns, fingerings, as well as rhythms and tempos. Most of it relates to a dance (Hal, that's your cue). And it is a challenging instrument. It's what's known as a "vocal" instrument because it follows the human vocal range, and there are no frets or keys to guide the player to stay in tune. The player has to be able to hear very closely the changes in pitch, feel the movement of the song and subtle intonations of the music. To do this well, I posit that you have to live it, breathe it, sleep it. If you don't "get" the music, you won't be able to play it well. You'll just be playing the notes; you might be in tune, you might be on time, and you might even have some feeling in it. But you won't really be playing Scottish fiddle, because you don't really understand the language (things like burl, Scots snap, back-bowing). Ever heard a Texan who learned Spanish in high school try to talk? Ay, caramba. Que lastima, pobrecito. Yeah, it's usually pretty bad.

At age 28 with no prior musical background, I took up the task of learning to play Scottish fiddle. I found a guy who enjoyed (generically) Celtic fiddle, and understood the language enough to point me in the right direction while teaching me the foundations of it. I learned what I needed in order to be able to teach myself more. I took lessons for about a year and practiced an average of 6 hours per day for more than a year. I listened to Scottish music all the time until it oozed out of my pores. I started out with a cheap Chinese instrument that wouldn't stay in tune, eventually working up to a decent German one. By the way, I took after mountain biking the same way (on my department store 50-lb bike, again working up to a 26-lb aluminum hardtail), never letting any trail or obstacle daunt me. Before long I was leaving chain-ring scars on 10" logs, doing downhill nose-wheelies around hairpin turns, and climbing root-covered switchbacks without dabbing. And yes a bunch of times I wiped out hard, broke my bike, and limped home battered, bloody, and bruised. But satisified, and happy. When you really want something, and you work hard to achieve a goal, it truly feels wonderful. It's not the tool that makes this possible, it's you.

So what does this mean to forensics? Well, I think it takes a whole lot of determination, guts, and sticktoitiveness (probably not a real word, but you get the point). Like Chris said, you've got to really want it, and make it your life. After some years in IT taking care of small networks and their systems (and users), I really didn't want that any more. In dealing with malware, I'd learned about the registry, prefetch, MRUs, pagefile, hiberfil, RAM, and artifacts like ntuser.dat and user assist keys. I'd worked on hardening systems as a part of protecting the network, performed rudimentary pentesting and security auditing, trying to make sure I'd done my job. I got irritated with XP's shenanigans when it decided I'd changed too much hardware and could no longer be allowed to log on to my machine (even in Safe Mode), so in addition to reinstalling fresh I started dual-booting into Linux. Ha, take that, Windows! That stuff was the fun part, not the rest of the day to day grind. Then I found forensics, and that really piqued my interest! I was graced with the opportuntity to come on as a contractor with a forensics consulting firm to help on the back-end with a large security gig. Like Chris, I devoted myself to learning everything I could about digital forensics. I couldn't afford the good books, so I had to roll drunks at forensic conferences and get their swag (signed books, course material, etc). Just kidding! Really, I went through used bookstores regularly, constantly checking for anything vaguely relevant. I asked questions, practiced, tested, applied whatever knowledge or new technique I found, and just soaked it in. After I was hired on as a permanent employee, I didn't stop, but kept living, learning, and doing more. I've been able to attend some great training, gain a few certifications, and even buy some brand-new books. Side note - if you want to try to roll folks at a forensics conference to get their swag, beware. There's something called the #___smash (name redacted to protect the innocent)! You've been warned.

I've met a lot of really good IT folks, who express an interest in DF, but not enough to go after it. Not to mention when you say something about the registry, they respond with things like, "Sure, but what good is that really going to do?" or just look at you blankly. It takes more than just being "good with computers" to do well in this field. I've used myself as an example because that's the only one I have at hand, but don't think for a second that I'm saying I've "arrived." Not a chance. For everything I've learned, all I know is that I only know enough to know that I don't know the full extent of what I don't know. I consider myself blessed to have "found" digital forensics, to have had people who were willing to take a chance on me, and that we have such a wonderful community of folks who share their knowledge freely; people who break new ground daily and give back every chance they get. Folks everyone knows, like Rob Lee, Harlan Carvey and Chris Pogue. Others such as Kristin Gudjonnson (What, not mention the creator of log2timeline? I might lose my fanboy status!), Ken Pryor, and Jimmy Weg. These are just a few of the many wonderful people that make up our great community. Kudos to you all!

So how is SF like DF? They are both challenging and difficult to learn. Learning and excelling at these crafts takes a lot of determination, drive, patience, and understanding (not necessarily book-learning, but a gut-level perspective). Like Chris pointed out, you have to really want it - I really think this is key. You can never stop practicing and learning (and you'll probably never want to). If you do you'll lose your edge. Finally, they're both incredibly rewarding on a personal level. Nothing like it in the world! There is still the larger question about whether there's some connection between musicians and forensicators. I'm interested to hear others' thoughts on the matter.

I think that's about it. Thanks for reading, and happy forensicating!