Eric Zimmerman is one of the most amazing digital forensics people that I have run across in the last few years. He’s a combination of passion, digital forensics skill, and sharp programming abilities. He has created a whole host of digital forensics tools to help the good guys catch the bad guys. He’s a credit to the digital forensics community as well as his employer who happens to be the Federal Bureau of Investigation (FBI). As Eric points out at the end of this interview, his answers reflect his views and not the views of the FBI unless clearly stated otherwise.
Professional Biography of Eric Zimmerman
Eric Zimmerman is a Special Agent assigned to the Cyber Squad of the Salt Lake City FBI field office where he has been investigating child pornography and computer intrusions since early 2008. He is a member of the Utah ICAC and has provided training and assistance to dozens of local, state, federal and international law enforcement agencies. Eric has a degree in Computer Science and has developed several computer programs to aid in the investigation and prosecution of child exploitation matters.
Eric is an EnCase certified examiner and has several other certifications from CompTIA and SANS.
A Fistful of Dongles Blog: What was your path to the FBI? What made you decide to join?
Eric Zimmerman: My path into the FBI was somewhat out of left field. I moved to Chicago in late 1998 to work at a 3rd party logistics start up company called Con-way Integrated Services. I was the 7th employee and over the years we grew the company to about $70 million/year in revenue. Around 2005, we started the process of merging with a sister company of ours, Menlo Logistics. They were a billion dollar company and as such, their culture won. After this happened, what used to take me two days would take two weeks. Things slowed down dramatically and I was no longer able to move at a pace I was comfortable with. As the years went by, I started asking myself "Who am I benefitting being here?" I applied to a few other places and did some interviews, but nothing panned out.
In late 2005, my brother, who has been in the Army since he graduated from high school in 1994, recommended I look into such places as the CIA and Secret Service. Neither of those agencies appealed to me for various reasons. I then took a look at the FBI in January 2006 and felt it was a much better fit. I sent in an application that same month and soon after the pieces started falling into place. In September, 2007, I was given a slot in New Agents Class 08-01. I graduated on March 5, 2008 and reported to Salt Lake City soon after that.
The reason I wanted to join the FBI was to be a part of something bigger than myself and to have the opportunity to serve our country. I had lost my passion for what I was doing in the private sector and if you do not love what you are doing, it becomes very hard to get up every morning to go to work. Now I look forward to going to work every day (well, almost every day!).
In short, I left the red tape of corporate America behind to dedicate my career to serving the public, and now, as a FBI special agent, I am able to help the most innocent among us -- our children.
I know there are a lot of other people who go to work day in and day out in the law enforcement field who have enormous responsibilities and more work than they can address effectively due to budget and time restraints. I try to think of ways to make their jobs easier and provide tools and techniques to make their work more efficient at very little to no cost.
I have been given amazing opportunities at the FBI to solve problems and design things to help a lot of people both in the United States and across the world. It hasn't been without its challenges along the way, but it has definitely been worth it and I think the results speak for themselves.
AFoD: Can you tell us what you are currently doing for the FBI and how you came into that position?
Zimmerman: I am currently assigned to the Cyber squad in Salt Lake. We are responsible for both criminal and national security investigations. I have been assigned to this squad since arriving in Salt Lake City as I am a cyber agent. By this I mean my career path is designated ‘cyber’ as opposed to counter intelligence, counter terrorism, and so on. This isn't to say we do not regularly help other squads with things as there is a computer involved at some level in just about any crime these days. My day to day work involves general case work (both criminal and national security as we do not have dedicated squads for each), some programming and the occasional bout of reverse engineering various things.
I have also been actively involved with the Utah Internet Crimes against Children (ICAC) task force since arriving in the division. A lot of the forensic programs I have written were due to my involvement with the ICAC and the FBI Innocent Images program.
Due to the success of these programs, I also spend time supporting these tools to include basic tech support, training, and so on. I provide my cell phone number and email address to everyone who uses my programs so they can contact me any time should they have an issue. I recall sitting in a presentation at the last ICAC conference in Atlanta where a vendor, in all seriousness, essentially said “If you aren't paying for software, its junk.” My guess is he was insinuating free software isn’t supported or kept up to date.
Regardless of what he meant, I feel confident the vast majority of the more than 2360 users (in more than 40 countries) of my software would disagree with that statement. What commercial vendor can you call and speak directly to the developer about a problem? I feel a great sense of responsibility to the users of my software and feel I would be doing a disservice to them and the community if I didn’t make myself available when questions or issues arise, especially when the users are in the field conducting a search and whatnot.
I also teach at several national conferences in the United States (specifically, the national ICAC conference and the Dallas Crimes against Children conference) and at a few international ones as well. I will be teaching at Europol's conference in October of this year for the first time. I am also a member of the Interpol peer to peer technical working group which is comprised of people from various law enforcement agencies all over the world who meet regularly to discuss the most efficient way to combat the exploitation of children on the Internet.
I initially started writing the various software programs out of necessity. Other Special Agents and law enforcement personnel were finding themselves in situations where there were no tools or techniques to aid in their investigations or the tools that were available did not work very well. A lot of the tools we currently have started from a simple phone call and a few hours of work. Over time, more features were added. This process has culminated in a whole suite of cutting edge tools that provide features no one else has at any price. Some of the tools are simple one offs and others have been in active development for several years. I maintain all the tools (currently I maintain 13 programs) in addition to my case load, so it can get quite hectic!
AFoD: So this gets to the heart of why I wanted to do this interview. You're very active in the digital forensics community and anyone who is on the same digital forensics email lists as you can see how knowledgeable and helpful you are. I also want to talk about your development work and the award you were recently given for this work. However, before we dig into that, we have many people who follow the blog who are interested in breaking into digital forensics and cyber investigations. We know your path into the FBI now, but can you explain how you ended up getting assigned to the Cyber squad? Is that something that you can choose to do as a condition of joining the FBI or is it up to fate and the Bureau once you have completed the academy?
Zimmerman: There is currently a list of "critical skills" that the FBI is looking for, at least in regard to the Special Agent position. Some of these include accounting, engineering, and computer science/information technology. If you have a strong background in one of these fields it tends to help move you through the process a bit quicker. My education is in mathematics and computer science, so I came in under the computer science critical skill.
When I attended the FBI Academy, I was assigned to the cyber career path. Other possibilities included counter intelligence, counter terrorism, and so on. While I had some say in my career path in that I ranked my preferences, at the end of the day someone else made the decision for me based on my background and education.
Part of that decision is also based on how many agents the FBI requires in the various career paths as well. While I was sure I would be tracked cyber due to my background and the fact that I had put cyber as my number one choice, there were some people who were tracked cyber who had little knowledge of computers and whatnot. All hope is not lost though. There is opportunity to change career paths once you graduate.
Once you are assigned a career path, FBI Headquarters will assign you to a field office. As with career paths, there is an opportunity to rank the field offices you want to go to, but at the end of the day it is the needs of the Bureau that make the final determination. In my particular case, Salt Lake City was 17th on my list (out of over 50 field offices).
After getting my orders at the academy (about a third of the way through the 21 week course), I received an email message from my soon to be Supervisory Special Agent in Salt Lake welcoming me to the cyber squad. I arrived in the division in March, 2007.
There really isn't a lot that is set in stone before you go to the academy and, without a compelling reason, your orders are your orders. Worst case you could always quit but with how hard it is to get into the FBI academy (last I heard 1 in 5000 Special Agent applicants are given a slot at the FBI academy), very few people choose to do so (at least based on the people in my class). There are always opportunities to go to a different field office as well should people want or need to do so.
For people looking to get into the FBI and work cyber matters, majoring in computer science or some other information technology discipline would certainly be a good start. Being able to program is also a huge help for solving problems we run into every day but I do not know how much that goes into the selection process.
Beyond one’s choice in a particular major, in my mind it is much more important for a person to have a passion for computers. This, more often than not, leads to quite a bit of personal time being spent improving one's skills beyond what is taught in college. Most college classes are not at the cutting edge of what is out there and so, in my experience at least, personal experience and learning often trump what is taught in school.
In short, the FBI decides your career path based upon your background and college major (you must have a bachelor’s degree or better) once you are at the FBI academy.
AFoD: So what does a FBI cyber special agent in the Salt Lake City Field office do on a day-to-day basis?
Zimmerman: Hmm, that’s a difficult one to provide a succinct answer to.
A typical day will almost always involve paperwork of some kind, from
reading email to documenting investigative activities to requesting
authority for something. Other common activities include various types of training, meetings, and operational stuff like search warrants and arrests.
The squad you are assigned to will determine how many arrests and search warrants you are involved with. I have been lucky to have been involved with the Utah ICAC so we do search warrants and/or arrests just about every week. I have been on hundreds of arrests and searches in the time I have been in Salt Lake City. Depending on the nature of the case, you may have to travel for operational needs as well. I recently executed search warrants and an arrest on an Anonymous related case which required traveling to Ohio.
As for day to day activities, I usually have a mountain of email to answer both from internal and external sources. A portion of those emails are related to support questions for the programs I have written, others are asking for direction or how to best handle a particular computer related
matter, and others are for direct support of some initiative in the
office. I also get quite a few phone calls which come at all hours of the day.
Of course sometimes there are fires to put out so those have to be dealt
with as they come up. For example, a few weeks ago, several of us were called out to a search scene to conduct interviews and that ended up consuming the entire day.
Things tend to move in cycles a lot of the time, so there are times when
I will be buried in case work for a few weeks, followed by a period
where you are basically waiting for things to come back (a subpoena
request, search warrant return, etc.) When I am in the slow cycle of
case work, I typically focus on getting some extra programming done or
start looking into a new problem area we are seeing. I like the research
and development (R&D) side of things as it constantly presents new challenges. I tend to get bored doing the same thing over and over, so the time I get to spend doing R&D counteracts the often mundane nature of paperwork.
There are a lot of opportunities to use cutting edge software and
techniques as well. Some of these were developed by the FBI and some are commercial off the shelf software packages. For example, in a recent case I had a need to examine dozens of computers on a network but had to do so in a way that limited our exposure, both physically and on the network. Because of this, walking around to various computers and hooking up hardware to it was out of the question. I ended up using F-Response to facilitate access to all the target machines. This allowed me to view any of the hard drives on the network that were of interest. This access was completely transparent to the users of the workstations. Once the drives were exposed locally, I had a huge amount of flexibility in analyzing and reviewing computers, from taking a forensic image to pulling a few files for review.
Some of the other common activity would be reviewing evidence, imaging computers, reviewing intelligence products, going to firearms to qualify every quarter, taking various training such as legal training, defensive tactics, and specific computer related training (general classes or more specialized classes which result in industry certifications, etc.)
Cyber agents have quite a bit of mandatory training which range from A+
certification to a wide range of SANS courses. The training is divided up into four stages that roughly correspond to the first five years of a cyber agent's career. Outside of the mandatory training, there is opportunity to take various elective courses such as malware analysis and so on. The malware analysis classes are very challenging courses and, like a lot of the other classes, are taught by world class instructors and very accomplished professionals. There are also ways to pursue training which isn’t a part of the official curriculum if it can be articulated that said training is directly applicable to one’s job. For example, I was able to get my EnCase Certification since I do a lot of forensic work.
With all that said, and as I mentioned at the opening of this question, there really isn’t a typical kind of day (and that’s a good thing)!
AFoD: You are making quite a mark in the digital forensics community through your research and development efforts. What can you say in public about the work that you are doing and the investigative benefits that have come from it?
Zimmerman: The response to the tools and techniques has been overwhelming. As mentioned above, several thousand users in over 40 countries have downloaded one or more of my tools. I regularly get email from law enforcement officers and examiners with success stories as a result of using my software. These stories range from successful prosecution stories to the "I never knew that was there" kind of thing. I also regularly hear from people that they couldn't do their job without some of the software I have written.
To date I have released 13 programs ranging from file parsers and hashing tools to network monitoring tools. All of the software I write is provided 100% free of charge and, in most cases, comes with extensive documentation (some of the simpler programs do not require documentation).
Most of these programs sprung from either necessity or the fact that I was not happy with the tools currently out there. A good example of this is my hashing program. In one of the training classes I was in, we were provided a Java based hashing program which handled one kind of hash algorithm and was very unintuitive to use. Over the course of a few evenings in my hotel room, I wrote a replacement for it which included many more algorithms as well as many usability improvements. Over time I kept adding features and polishing the interface. As it stands now, Hasher is the fastest and easiest to use hashing program I am aware of.
I strive to provide intuitive interfaces in my programs which are, as we say in the FBI, "Agent proof." By this I mean the software programs are easy to use and hard to break. This isn't to say people haven't found creative ways to use the programs which I never thought of! Because of this, I have invested a significant amount of resources in providing a way to automatically report errors to me so I can fix issues as quickly as possible. This process includes sending an error report with a single mouse click which includes the complete stack trace, value of all variables, and even the line numbers where the error occurred. With this kind of information, correcting issues is much easier.
Related to this is the automatic updating feature of almost all my software. Gone are the days of having to manually check for updates on a website every few months. Now, assuming you are connected to the Internet, the software will tell you if any updates are available, download the update for you, and, when you tell it to, will apply the update and restart the program for you. This has saved thousands of hours of productivity as people do not need to be trained on the particulars of how to look for and apply updates.
Hundreds of people have downloaded my parsing and hashing utilities, but the most popular piece of software I have released is osTriage. To date, thousands have downloaded osTriage and used it to greatly extend their capabilities in the field. I am not aware of any other software at any price that provides as much information as osTriage does in such an easy to understand and consistently presented format. Most of the newer features are the result of user feedback. In most cases, new features can be added in a few hours. I am currently doing about four releases of osTriage a year, but the amount of new stuff depends on the rest of my case load.
Another major benefit is the improvement from the time a search warrant is executed to the time charges are brought against someone. Previous to osTriage, investigators may have to wait months to get back results of a forensic review. With osTriage, you have most of that data available to you before you leave the scene which can be used to pursue charges. In some states, a full forensic review is not even required anymore due to how well osTriage works.
A good portion of the forensic research I have done to date is directly available to law enforcement and forensic examiners for no cost. In any of my programs which deal with various kinds of forensic artifacts, detailed manuals are included which not only explain how to use the program, but also explain the exact layout of the files the parsers are dealing with. This lets examiners validate the tool using whatever means they choose to.
Most of this material is law enforcement sensitive and as such, I cannot get into details about the specifics of my work in this kind of open interview format. I fear we may lose some readers if we went too far down in the weeds anyways!
What I can say is that most of my work involved reverse engineering proprietary, closed source binary files and network protocols. The tools I used to reverse the files and protocols include packet capture tools, a hex editor, and custom testing programs I wrote to aid in decoding various chunks of data from the raw network captures. Some of the files were more trivial than others to reverse depending on what the purpose of the file was. Reversing the wire protocol was a significant investment of time over several weeks, but the result of the work has significantly improved our investigative efforts on certain networks.
I have also taken open source data (from Twitter for example) and written code to parse that information into a usable format. While Twitter provides a vast amount of data (as the result of a search warrant for example), it is essentially unusable in the format they provide it in. Rather than spend hours trying to correlate userIDs to usernames by hand, I spent a few hours and wrote a program to do it for me. Once that was done all it took was a little time working on a nice front end for it and now any investigator can immediately start using the return data for case work instead of busy work.
This last example is a good illustration of another major area of improvement my software has provided: the ability to automate tasks that used to be very time consuming. This includes such things as deconfliction systems which are used by law enforcement around the world to coordinate efforts related to investigating the exploitation of children online. Previous to my software, deconfliction was handled manually at just about every agency and no one had a means to share this data with each other. This resulted in a lot of duplicated effort and wasted time.
Even with all the gains in efficiency and the reduction of the more tedious aspects of various tasks, by far the best thing to come from my work is the rescue of at least 200 children who were being abused in 2011. We also saw over 300 arrests in 2011 in countries across the world.
AFoD: Can you provide a list of your tools and what they do?
Zimmerman: Sure, here is a generalized list and a brief description where applicable (in no particular order).
osTriage: Live response tool that, among other things, finds image, video, encryption, virtual machine, archive, and P2P files fast. Live response data is pulled from the registry, via WMI, and various other files. This is by far the most capable live response tool available in my opinion. While it was primarily built for investigations related to child exploitation, it can be used for any investigation involving a computer as it provides such details as every USB device ever plugged into the computer (including make, model and serial #), full browser history for all major browsers, browser search history, dozens of registry keys such as MRU, PIDL, FirstFolder, TypedPaths, and many more, extracts passwords from p2p, email, chat, and other sources, full network details, ARP cache, DNS cache, open ports, running processes, installed software, and on and on. osTriage is very customizable and allows for adding additional items of interest beyond what is included. Anything 'of interest' is highlighted in red and moved to the top for easy visibility. Supports SHA1 base32 or MD5 hashes for image and video matching. There is MUCH more osTriage is capable of, but a full description would be a dozen paragraphs alone.
Hasher: Calculate file hashes using a multithreaded, easy to use interface. I have not found a faster or easier to use tool to date. Supports SHA1 base16, SHA1 base32, MD4, MD5, eMule/eDonkey, TIGER, WHIRLPOOL, SHA-256, SHA-512, RIPEMD-256, and CRC32 hashes and can recursively process files/folders. Also allows exporting of hash results directly to osTriage supported formats, Excel, etc.
Pingaling: Pings one or more IP addresses and/or host names and plays an audible alert when an IP address/host is available. I wrote this tool for use during surveillance of a suspect using a particular IP address at a hotel. Rather than watch command windows and the output of ping, this tool lets you put in the IP, start monitoring, and do whatever else you like. When the IP comes up, you will be alerted and can respond accordingly.
WMISpy: Monitor processes via WMI locally or across the network. Allows for setting up a list of executables to watch. Watched executables have their start and stop times recorded.
Web log parser: Parses Apache access logs, Apache error logs and IIS web server log files and allows for easy analysis. Also supports SSH logs and can perform DNS lookups. Has the ability to set up keywords to search for and will then give you totals of how many times those keywords were seen. I wrote this tool when I was working an Anonymous related case which involved a lot of SQL injection attacks, so I added keywords like sqlmap and Havij and then processed the web logs. I then knew exactly where the attack took place without having to do anything but open the log files. This saved me hours of time.
Twitter Parser: Takes a Twitter search warrant return and cross references Twitter IDs to usernames, allows searching and sorting of messages, and exporting into a variety of formats. Without this tool, Twitter search warrant returns are very hard to analyze.
I have several forensic programs which parse artifacts from various programs. I cannot provide details on those as they are law enforcement sensitive.
I have also written programs to generate certain types of files, monitor networks, and provide for global deconfliction of investigative efforts.
AFoD: Who is eligible to get these tools and how would they go about getting them?
Zimmerman: Anyone working for a law enforcement agency (or a company that directly supports law enforcement) as well as the military is eligible to get the tools. With very few exceptions, my software is available to every country in the world. All of the software is available free of charge.
We also provide hands on training at various conferences such as the national ICAC conference and Dallas Crimes against Children conference as well as more specialized training such as the FBI's Innocent Images basic classes.
There are also many subject matter experts around the country for the software which can provide regional training to agencies who cannot afford to send their personnel to conferences or other remote training venues. We are also looking to do some webinars for some of my programs which will provide another low cost method to provide training to users.
While live training is often ideal, great effort has gone into the manuals in order to allow for self-paced training. In the case of osTriage, reading the manual is the minimum requirement for FBI agents to use the software.
I understand everyone is at different levels of ability and knowledge and as such it was important to me to be able to provide a wide range of training options to people so as not to prohibit the use of a tool until some type of classroom training occurred. I also realize the things learned at training are not used all day, every day after the training is over. This is another reason why detailed, precise manuals are critical as they allow users to refresh their understanding of a program without having to attend some kind of refresher course or follow up training.
As to how to get the software, the URL to access the site will be provided in training or I can provide it directly to people who are interested. Since the site is not a public site, I cannot divulge the URL here, but anyone interested can email or call me and, after vetting the requester, I will provide direction for how to access the installer which allows for downloading all the software. I am easy enough to find on the mailing lists but calling the Sale Lake City field office is another way to contact me if needed.
AFoD: Your work has been so beneficial to the law enforcement community that you were recently recognized with a major award. Can you tell us about that award?
Zimmerman: I don't think I can explain the award any better than the first
paragraph from the press release:
"Every year the National Center for Missing & Exploited Children honors
law-enforcement officers who have demonstrated exceptional efforts in
the recovery of missing children and combat of child sexual exploitation."
My particular award was under the "Law Enforcement Excellence Award
Recipients" category. I was nominated for this award by a peer who
filled out an application which was sent to NCMEC and then reviewed by
NCMEC personnel.
My wife and I were flown to Washington DC where the award ceremony took place. After the ceremony, we were given a tour of NCMEC headquarters in Alexandria, VA. It was a wonderful experience and it was an honor to even be nominated let alone selected as a recipient of the award.
The full press release from NCMEC can be found at: http://goo.gl/l1wXm
AFoD: What advice would to give someone who is in high school or college and wants to break into the digital forensics field?
Zimmerman: The best advice I can think of is to have a passion for the subject matter. Without a passion for the work, it will quickly become stale and tedious. Passion is what will take you through the mundane and grinding side of forensics. You can only look at hex for so long without passion before you go crazy.
My particular background education wise is mathematics and computer
science and I (perhaps biased I realize) think those two disciplines
serve as a strong base for a career in forensics. Both require
significant analytical skills which directly translate to working in the
field of forensics.
In my experience I have found much more satisfaction in pursuing things
beyond what is found on a curriculum. Planning and getting a curriculum
approved takes time and by the time those two things happen, the
information is rarely at the forefront of the discipline. With that
said, formal classes certainly serve to provide foundational knowledge
and provide the framework for more original work.
I also see huge value in computers being a hobby outside of formal
studies. Are you interested in protecting a network? Then setting up and
maintaining a mail server, web server, DNS server, etc. on a domain you
control is a great way to get your feet wet and learn the basics.
Protecting systems and data becomes a lot more meaningful when they
belong to you! Similarly, I find it helps immensely in terms of
motivation to have some kind of personal stake in your areas of
research. For me, part of my job is combating child exploitation. It
is very hard to be motivated about something you do not care about.
Another piece of advice I would recommend is this: Do not get hung up in
the ivory tower of pure academia. What works on paper is rarely 100% possible to accomplish in the real world. There are just too many unknowns (especially in the field; on a search warrant, etc.) to not be somewhat flexible in one's approach to forensics. You will quickly find yourself alone on an island (perhaps with a few others who cannot adapt) if you do not accept the fact that it is perfectly fine to deviate from standard operating procedure if the situation calls for it AND you can justify your decisions. As long as you can articulate your position and back it up, I do not see a reason to be fearful of going outside the box.
In other words, be a forward thinker and do not be afraid to question what is accepted as a standard just because it has been done that way forever. I think huge opportunities are missed more often than we realize because of a perceived need to "stay in the lines at all costs."
A good example of this is the movement toward live response from the
"pull the plug and take it to the lab" technique which most of us have
been trained to do for so long. The argument for the latter technique is
of course to avoid making changes to a computer and so on.
In reality, things are changing on a computer regardless if the plug is
pulled or not, so why lose data that can be of value? To me, forensics
should be based on being "minimally intrusive" vs. "do not change
anything." Of course minimally intrusive means being able to show what
changes you made to a system and the easiest/safest way to be consistent is via automation, i.e. live response programs.
Finally, I would like to comment on certifications. When it comes to
certifications I have mixed feelings. Before I joined the FBI, I was burned by people who looked good on paper but in reality could do nowhere near
what their certification made it look like they could do. Competency in
any field is much less a function of being able to pass a test than it
is to have a practical working knowledge of a subject AND the ability to
apply that knowledge to a problem.
I think there is value in certifications as it can be used to demonstrate knowledge and of course some employers like to see candidates with certain letters by their name, but do not get so hung up on getting a certification that you short change yourself in the long run by simply cramming information in your head to pass a test. For those that do, it is readily apparent to others when it is time to deliver.
AFoD: Let's talk a bit about tool development. Let's also go with the same scenario again. You have someone in high school or in college who not only wants to make digital forensics their career, but they also want to follow in your footsteps and develop great tools. How would they prepare themselves to create useful digital forensics tools? Are their certain classes they should take? Are their certain programming languages they should learn?
Zimmerman: As to how to best prepare themselves to create useful tools, the first and most important thing is this: have a problem to solve. I cannot overemphasize that point. It can be anything really, but without a problem to solve, teaching oneself to code is next to impossible as the motivation will just not be there as there will always be other things vying for your time. If spending a few dozen hours learning to program can save you and others around you hundreds of hours, it becomes easy to justify learning to program. Your goal may be as grand as finding the end of the Interwebs to making a simple GUI for your kids that has a few buttons on it that tells jokes when clicked. Either way, having that goal is critical.
Some examples of typical problems in law enforcement include something like taking a flat file and converting it to XML, parsing an Apache log file looking for signs of compromise, or writing a class to parse a binary file to be displayed to an end user.
Knowing your audience is also an important aspect to being a good programmer. Anyone can learn to throw some code together, but creating powerful programs that are easy to use is a skill that takes a lot of trial and error to get right. The only way to achieve this is code, code, code! After a few years, you will look back at your first programs and laugh at what a hack you were!
In my experience, one of the biggest weaknesses in programmers in general is the belief that their users are always nice people. One need look no further than the rampant issues with SQL Injection attacks these days to see how devastating blindly trusting end users can be. What this problem boils down to is programmers not doing adequate input validation (a note to any aspiring programmers: Never, EVER concatenate strings to build SQL statements. ALWAYS use parameterized queries!) of user supplied data.
Closely related to the issue explained above is the belief that end users will use a program exactly how you, the programmer, intended it to be used. It is almost universally true that the programmer will rarely if ever make a mistake when using their own program. By this I mean the programmer knows exactly what they were thinking when writing it and therefore know the exact steps to take when using it.
However, once you give a program to someone else, all bets are off as people are very good about using a program in ways the programmer never thought of. This ranges from everything to not checking the types of data being passed into the program (string vs. integer for example) to ensuring all necessary data is available before continuing.
Finally, finding a mentor or someone to bounce ideas off of is recommended. Anyone who has built anything of significance has failed many times along the way and being able to leverage such experience can do much to improve one's skills than the cruel lessons of trial and error.
While experience is often the best teacher, finding the balance between asking questions and being pointed in the right direction by a mentor can do wonders to keep motivation high and prevent burnout.
When it comes to classes to take, almost every computer science curriculum will include several programming languages as a requirement, so people will more than likely get exposed to the basics in a few different languages. C and/or C++ will almost always be included in courses as well, especially if the class involves Unix or some BSD derivative. While I took a few C classes here and there, I never really developed anything of any significance with it because it takes a lot of work with little to show as far as GUI development goes (at least for the kind of problems I was trying to solve).
A good database class is always helpful too as you will almost always have to persist data in some way in every application. Learning how to properly create a database schema and then manage that schema is a critical skill which will save a lot of pain down the road. When it comes to databases, it is not normal to not normalize.
Taking a class on file systems is highly recommended as you will almost always be dealing with a file system when it comes to forensics. File System Forensic Analysis by Brian Carrier is a fantastic resource for jumping into file systems outside of any class that is offered in a formal curriculum.
There are a lot of excellent resources out there for things other than file systems too. Harlan Carvey's Windows Forensic Analysis is one such example that touches on a lot of key areas not only in regard to Windows, but the incident response process in general.
Personally, I bet I came close to reading one or more books like the ones mentioned above for every college class I took. More often than not, I got more out of the extracurricular reading than what was presented in class.
Finally, which programming language someone chooses to focus on really depends to some degree as to what you want to accomplish. If you plan on writing Windows programs with full blown user interfaces, either C# or VB.net would be great choices. I am a VB.net developer myself. I started using Microsoft Access and VBScript about 15 years ago and once I outgrew that, moved to VB6. Once .net came out I migrated to that platform.
Similar to the PC vs. Apple debate (the PC is clearly better of course!), there is quite the battle between C# and VB.net in some circles. C# has traditionally received new features before VB but once Visual Studio 2012 comes out, the gap between VB and C# will be nearly closed. At the end of the day, any .net language would work as it all ends up as the same intermediate language (MSIL) at some point.
If I was going to recommend a language to someone wanting to learn to program it would almost certainly be Python. Not only is it incredibly powerful, but it can be run just about everywhere and that flexibility will come in handy. I would not want to develop any kind of GUI in Python (though I am sure it’s possible, it just doesn't look polished nor does it have the powerful 3rd party components that are available on the .net platform), but for general scripting and parsing programs, Python is hard to beat. Once you learn the basic constructs of programming (loops, if then statements, functions, etc.) you can then simply learn a slightly new syntax in other languages. By choosing something as commonplace as Python you are ensuring you will be able to execute your code on a wide variety of platforms.
At the end of the day the programming language one decides to use doesn't matter as much as what the program can do for people. You can be an amazing programmer and solve difficult problems, but if your program is hard to use or doesn't provide meaningful information to end users you will find people just won’t use it.
For example, if your program pulls a 64-bit timestamp out of the registry or some binary file and reports it as such to an end user, you just alienated the vast majority of computer users out there as most won’t have a clue what to do with such a number.
Now if you are writing some kind of low level API that carves files into objects or something that is one thing (and it can be argued that you should convert it to a meaningful datetime regardless), but if you write programs with the intention of "normal" users consuming such data you have missed the boat.
As I mentioned earlier, the moral of the story is to know your audience and tailor the output to that audience. Just as with teaching a class or lecturing, if you aren’t bringing things to a level where most can understand it, you aren't being as effective as you should be.
Finally, I am a believer in agile development vs. the classic waterfall approach. Simply put, agile development means letting the actual end users of the product use the tool as it evolves vs. waiting for a program to be 'finished' and then having end users request a myriad of changes as the program doesn’t do what they envisioned it to do.
Remember, the end users are not programmers (if they were they wouldn’t need you), so they will, more often than not, lack the ability to describe exactly what they want in a way that translates to crafting a program. By putting incrementally changing versions of your program in the hands of the people who will ultimately be using the product you will, in my experience, find it much easier to come up with a product people want to use at the end of the development cycle.
My recommendation after identifying a problem is to find a group of people who understand what they want to get from a program in order to accomplish their job. For example, if your problem is developing software to track pedophiles online, find a group of law enforcement officers who are experienced enough to know what they need through all stages of the investigative process AND be able to identify the gaps they currently have to deal with. It is this group of people who should be the ones using your programs as incremental changes are made so they can steer the development along to best solve the problem that caused you to undertake writing a program in the first place.
AFoD: Any final thoughts?
I would like to close by saying that it has been a privilege to be a part of the forensics community for the past few years. I have met many dedicated professionals who deeply care about their craft and are passionate about computers as well as highly motivated law enforcement officers who are underpaid and underappreciated. Your work impacts people far beyond what get to see every day.
Be safe out there everyone!
P.S. The opinions stated, unless clearly indicated otherwise, are my own and not that of my employer.
Thanks for posting this awesome interview Eric H!
ReplyDeleteIt gave me a much better insight into the FBI DF space and I especially appreciated the many programming hints that Eric Z gave.
Cheers
As a LEO that uses Eric's tools I must say that he is one of a couple of programmers out in the LE space that are really making a difference. He has taken his Private life experiences and seems to be able to negotiate the Federal hurdles to get the programs out to the guys in the field. He and a Programmer for Ontario Prov. Police Dept. (Name held for privacy..) are the real movers and shakers in the Cyber LE space when it comes to Child Exploitation work. Great Interview and Great Work... Thanks
ReplyDeleteVery interesting talk. Any chance to mention the mailing list Eric participate in and/or where to find the tools he wrote?
ReplyDeleteThanks
I work as a cyber forensic analyst for a big government contractor supporting the navy and marines, I would like to know how I can reach Mr.zimmerman to test out his tools? If he needs to verify my claim as an examiner , I can provide him my contact information.
ReplyDelete