Profile picture
, 9 tweets, 2 min read
My Authors
Read all threads
Let's talk about forensic evidence specialties. If you work on the blue team side, you probably feel a lot more comfortable with either host or network evidence. As a matter of fact, vote in this poll and tell me which one. 1/
The evolution of the industry dictated these specialties early on. AV beget host based tools, IDS beget net based tools, and encryption + other things beget more host based tools. Your specialty is likely based in some part by when/where you started your career in this cycle. 2/
Here's the thing though -- you can't be a great investigator without expertise in both host and network-based forms of evidence. It's a false dichotomy that is mostly perpetuated by the way training orgs segment knowledge and the history of the industry. 3/
We don't rely on course programs too much in our field. Instead, we rely on ad-hoc courses to fill gaps. Training companies know this and they cater to it, which often means a lot of artificial segmentation of knowledge. 4/
On the academic side, no thorough skill assessment of the digital forensic analyst role exists. So, degree programs are often unbalanced and rarely cover evidence realms in meaningful or thorough ways. 5/
It's reasonable to segment coursework based on evidence types, but it is not reasonable to only take one of those courses or ignore certain types of evidence. You've got to take the full gamut. 6/
I break evidence up into five categories: network, host, memory, threat intel, and friendly intel. You need a baseline knowledge in all of these to be really good. 7/
Evidence is the thing that helps us answer the investigative questions we ask. The more you know about varying evidence types, the more diverse questions you can ask AND answer. 8/
An analyst is only as good as their ability to ask and answer questions. That's how you build a timeline and make decisions. Learn to ask questions, then learn evidence types to broader the scope of your question asking abilities. 9/9
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Chris Sanders

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @chrissanders88 see all

Profile picture
Chris Sanders
@chrissanders88
We just funded about a dozen CS ed projects through @RuralTechFund today that'll reach ~2500 students. I thought I'd share some unconventional choices we make when we fund projects. 1/
First, we don't fund a project if it is only for "Gifted and Talented" kids. The greatest misnomer in CS ed is that you have to be a genius to pursue the field. We gotta fix that. 2/
Second, when possible we steer teachers away from single classroom access and more towards whole school access via library maker spaces or mobile carts. 3/
Read 10 tweets
Profile picture
Chris Sanders
@chrissanders88
What is your Mt. Rushmore of infosec books?

Mine is TCP/IP Illustrated, Practical Malware Analysis, The Cuckoo’s Egg, and Kingpin.
I chose mine based on which books I recommend the most to others and revisit lessons from often in my teaching. There are a LOT of good options and it’ll come down to how choose to evaluate value. That’s an interesting facet of making this choice.
This thread ended up with a lot of good recommendations. Although, it seems a lot of folks ought to count how many spaces there are on Mt. Rushmore.
Read 3 tweets

Related threads

Profile picture
ella
@minjiiminie
yoonmin au — ch.

jimin doesn’t consider himself a jealous person, he’s sure of himself and he trusts yoongi, but when yoongi’s ex girlfriend visits them during the time she’s in seoul, jimin starts to reflect about yoongi, his own insecurities and about ex partners.
commission for a situation involving jealousy and ex partners in ch (if you want an extra for any of my aus dm me for info)

> basically a study on coming out to an ex partner from the point of view of the new partner
> side namseok
> extra for this au:

“Does it bother you?” Yoongi asks at last. And honestly Jimin doesn’t know. Should he be bothered by it? Or should he not be bothered at all?

They were just having lunch at a restaurant, and Yoongi casually mentioned how his ex girlfriend from college was coming to Seoul.
Read 111 tweets
Profile picture
T. Greg Doucette
@greg_doucette
Texas's anti-SLAPP statute requires the judge to enter an order for the loser to pay the winner's attorney fees. It's not optional.

TCPA §27.009(a)

Twitter says you've @'d me 78 times since 6/11, with 20+ of them in just the past few hours

This seems like a pot-kettle moment for you

Definitely a reasonable assumption. Given Screech's perpetual word vomit on YouTube, there are likely some things he'll authenticate that would help on the merits of the TCPA motion too

Read 1582 tweets
Profile picture
✡️ Josh Shahryar ☪️
@JShahryar
It's late night and I'm in a mood, it's as good as a time as any to talk about my weight loss adventure. Hopefully, some of you might find something relatable in this. At worst, you'll have a laugh. But I gotta say some things I been keeping inside.
I was a pretty healthy kid. I don't know if I can call myself chubby, but when I was little, I definitely had those cheeks that aunties cannot stop squeezing. As you can see in these pictures, kinda standard issue really.
Weight was NEVER an issue where I grew up. Part of it was that very few people were not skinny or on the skinny side (I grew up as a refugee around other refugee kids, where food was a luxury). Part of it was also the culture. Being fat was a sign of wealth. It wasn't all bad.
Read 69 tweets
Profile picture
Ystriya #MeghanMurphy
@ystriyahysteria
All right, here we go.

A lengthy thread on a hitherto little known medical consequence of young women being prescribed testosterone, namely severe long-lasting pain during and after orgasm that can apparently only be alleviated by a hysterectomy.
/1
Before we start, a brief reminder that the medical interventions carried out on children and young people are novel and largely EXPERIMENTAL. There are many unknown risks and this is acknowledged, even as the experiments proceed.
For example, the NHS:
/2
So in many cases, the iatrogenic effects of transing young people will only become known as sufficient numbers of trans people start suffering them and talking about their pain.
This is a case in point.
/3
Read 84 tweets
Profile picture
Zenscara
@zenscara
[HEC thread link: Part 2]
If reballoting this round, must ensure we know where to target + improve GTVO + how we connect with each other over:
- what the ballot is about
- why voting at all matters so much
- why we recommend voting yes
It will take a lot of work, which we can do -but need v good Plan /25
I think we *could* do it, but I would feel a lot more comfortable if hearing more about a burning desire to do it right now from across the membership (may happen at HESC) whereas trend in my DMs/email is about strategising + regrouping longer term. I don't think HEC allowed> /26
Read 8 tweets
Profile picture
Leo Polovets
@lpolovets
1/ Something I've noticed recently: the more succinctly someone answers questions, the more likely we are to invest. Not a guarantee of course, but positively correlated. A few reasons behind this:
2/ If someone's consistently very verbose/long-winded, the prospect of working together closely is less exciting. This is true on both sides of the table, and also for prospective employees, customers, etc.
3/ If I come into a meeting with 20 questions and only have time to get through the first five, I leave feeling like I still have way too many gaps in my understanding. If I get through all 20 and still have time to spare, I feel a lot more comfortable about moving forward.
Read 5 tweets

Trending hashtags

#Why #TV #Buttplug #BradyBunch #malicious #intimidation #ThoughtsAndPrayers #ToryBritain #Fact #Feminist #Dishonored #shitshow #EVIDENCE #PascoProud #firewalls #FearTheBeard #taekookAU #Intimiadation #hacked #abilty #INTIMIDATE #prove #PublicDefenders #CambridgeAnalytica #Ratlines
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!