At the end of September, Foundstone’s Melissa Augustine (you might know her as @sketchymoose on Twitter) announced the release of her script, Total Recall, for memory parsing. What caught my eye in her blog post wasn’t the content of the script itself, but rather, her willingness to release it even though it wasn’t yet “perfect.” I caught up with Melissa to talk with her a little more about how she got to that point of confidence.
Christa: You’ve been involved in digital forensics since before it was “cool.” How did you first become interested in the field? Was memory forensics always something that piqued your curiosity?
Melissa: I went to Hilbert College for Economic Crime Investigation, and did a dual in Computer Crime and Financial Crime. I found the Computer Crime side much more enjoyable and exciting so I decided that would be the route to try. I remember chaining together the FAT on a floppy to recover documents… I shudder to think about trying to do that manually now given the size of hard drives today!
I actually first remember memory forensics when working at the DoD and running strings against the page file… I thought “well this is getting me nowhere” as I could not associate strings with a process, module, etc. I went to a DoD CyberCrime conference where I attended a talk about these guys from University of MD who were creating a memory parsing tool called “Volatility”… the rest is history really.
I find it amazing how much you can pull from a memory dump, and there have been people thinking about this since “way back when”. I also remember going to DFRWS in Pittsburgh and listening to the passion these guys have, and it gets you really excited!
Christa: You actually earned a DoD scholarship to GWU. How did that come about, and how did it help shape your career?
Melissa: How do most things come about at that age? Your mother tells you to do it! I was not sure what I wanted to do really, and I had a few job offers for a Criminal Investigator at a few agencies (again though with the White Collar Crime) but it didn’t really appeal to me at the time. My mother had found out about this scholarship and really pushed me to sign up.
The DoD scholarship was amazing, it allowed me to focus on my graduate program, provided me a job in the government when it was all said and done, and, most importantly, put me in the middle of it all in Washington DC. Networking was rampant. The program even got us business cards and hosted events so we could meet the movers and shakers currently in the government.
Now it’s my former classmates who are the movers and shakers, and they still take time to go back to the campus and meet the scholarship students to talk about their careers and help out where they can. I will always be grateful for that scholarship because it put me on the road to where I am today.
Christa: What advice would you give to aspiring female forensicators whose moms don’t take such an active interest in their careers — if not scholarships, what other options do you feel would afford women similar opportunities to network and learn?
Melissa: You hit the nail on the head — networking. It’s key. There are tons of meetups where forensics geeks can mingle with pen testers, reversers, etc. to meet people in the industry.
Also, colleges and universities generally have sessions where talks are given on a certain topic and then there is a Q&A session afterwards. The George Washington University, where I got my Masters, was amazing at this. Even Hilbert College, where I went for undergrad, was offering us opportunities to refine our resumes, partake in mock interviews, and offered us job openings based on connections in the field.
If you are outside the academic realm now, there are tons of groups and seminars to go to. The big ones are of course Black Hat and DefCon in Las Vegas, however there are local DefCons which have monthly meetups and there is B-Sides as well… and they are FREE.
Get out there, have a beer, and go talk to some like-minded people! These venues are also great places to give a talk/presentation, as they are smaller and there is a bit less stress in presenting. Everyone is good-natured.
Christa: I really love that you freely admit “Yes yes I know I am not a coder and my code sucks.” What made you push past that and decide to just share the code?
Melissa: It came down to helping out the community. As an analyst I always try and figure out ways to make life a bit easier. This script I hope will help myself in future investigations to pinpoint potential badness. I figure if it works for me, why not see if others can use it?
I think Harlan Carvey once blogged about contributing to the community, and it just makes sense. If you see an issue or a problem, figure out a way to address it and share it with the world. Chances are someone else has run into the same problem and would really appreciate your tool/script/howto.
My fiance is a bit of a coder himself and when he saw my code I knew he was thinking “If I were her team lead…” and not in a good way! However, he and others really gave me some pointers on how to think more like a programmer, rather than just patching the problem. Also with open source someone else out there may have a suggestion or idea for the code, making it more efficient! It’s all about learning and sharing ideas.
Christa: What pointers did you receive from your fiance and others to think more like a programmer? How did that advice help you to improve this particular code, and your overall skills as a forensicator?
Melissa: I would encounter a problem and would be trying to modify the code to address the issue. He would ask, “Does that solve the underlying problem or just this problem?” It forces you to think about what you are really trying to fix and write code to account for it, rather than applying a quick band-aid.
It makes sense, as in the forensics field blocking a simple IP from beaconing out is a temporary solution; wouldn’t you rather plug the initial infection vector so you don’t have to worry about that attack again? He simply showed me I should expand that thought to coding as well.
Christa: What’s up with the name “sketchymoose”? I used to live in Maine and never thought of moose as sketchy…
Melissa: I honestly do not remember… I remember being fascinated by moose in high school and somehow ‘sketchy’ got thrown in there. It just sorta stuck. I also do not consider myself the most graceful of creatures and moose themselves always look awkward and ready to fall over. I have even gone on road trips to Algonquin in Canada to find moose. Maine may be the next place to look!
Want more? Check out a short video of Melissa recapping her presentation at CRESTCon & IISP Congress 2013: “Memory Forensics – Helping to find what isn’t there”.