Okay, hello everyone. DFIR Summit just finished, and I'm now here with Richard Davis from 13Cubed. Thank you so much for joining me. If you didn't know, hopefully you voted for one of us, but if you didn't know, we were both nominated for the DFIR Show of the Year for the Forensic 4:cast Awards, and part of the SANS DFIR Summit, and that was just announced. Yeah, Richard, anything you would like to say before I say who won? I think probably everyone watching saw it, but we'll see.

Yeah. No, just happy to be nominated, honestly. We're definitely in good company. Like, all the folks who were nominated, just a lot of respect.

So it was a really great list, and basically everyone who was nominated, I think you should definitely go check out their stuff. I have a blog post on it. I don't know, Richard, did you do anything?

I really didn't. Probably should have.

So yeah, Heather might join us shortly from Cellebrite, and actually it was I Beg to Differ, or I Beg to DFIR, that won this year. They have a really nice podcast talking about a lot of different topics, and I will throw that into the chat so you can see the I Beg to DFIR podcast. But before she joins, I want to talk to Richard about 13Cubed. This is really the first time that I've been able to interact with Richard, and I thought this event was a good one to kind of get to know you and get to know your channel a little bit more. So what can you tell me about 13Cubed?

Well, it started off as just kind of a side project. I just one day decided, hey, I wonder how to do the whole YouTube thing. Let me just record a video. And I think it was like, I don't know, a two or three minute video about, I think it was about a tool I wrote or something many years ago, and I thought, yeah, this is kind of fun.
It's kind of a creative outlet, so maybe I'll make another one when I get around to it. And then I made another one, and then so on and so forth, and then over the years just kind of got into the habit. My goal is to do one each month, which I know is not that much compared to a lot of other YouTubers, but man, as you know doing this, it takes a while to research and script and record and editing.

Yeah, it takes a while. So DFIR Diva is in the chat, and she said, "two of my favorite channels." Thank you so much, DFIR Diva.

Yeah, thank you, and congratulations on your nomination too, by the way.

Absolutely. Yeah, so I'll tell a secret: I voted for DFIR Diva. Anyway, I'm throwing a 13Cubed episode guide in the chat as well. Definitely go check it out. And Alexi is here. Hello.

Hello.

So okay, so you got started with just being interested in YouTube, but then you make really high-quality videos. Like, whenever I watch them I'm thinking, man, the stuff I put out is nothing compared to the awesome stuff you're doing. So how did you, I guess, how did you get into it? Are you just interested in the video editing aspect, or like?

Yeah, that's exactly how it started out. It was a challenge to learn something new about audio production and video production and how to use various editors. I actually started out with just ScreenFlow, which is screen recording software for the Mac, back in the pre-Apple Silicon days, right?
And then when Apple Silicon came along, as good as it is, it kind of killed the whole being able to virtualize x86/x64 Windows and Linux and whatnot. So I kind of switched the entire workflow over to PC at that point, which kind of made sense anyway because 99% of my content is Windows and Linux. So yeah, I just taught myself Premiere Pro after switching from ScreenFlow and Final Cut Pro, and then, yeah, I record stuff with OBS and then edit it in Premiere Pro. And then I had to teach myself a lot of stuff about audio and choosing the right mics and all this kind of stuff. So it's fun.

I think I had pretty much the same thing, except I haven't really switched to Windows yet. I'm still hanging on to Linux. Yeah, so kind of the same feeling. But Shavers and Marcel are also in the chat. Hello, everyone. We're kind of, we got everyone. I don't know how this... Okay.

Right, so you got into YouTube because you were just interested in video editing, and I think we're just into software and technology in general. But why did you choose digital forensics as the topic?

So I think my very first SANS class I ever took actually was 408, right, which became 500, and that was back in 2014. I was already in the information security field, and at the time I was a CISO at a state college in Georgia, and we had, you know, a decent amount of investigative type stuff that we had to do, and I thought, you know, this is something I should probably learn. So I took the 408 SANS class, super enjoyed it, was fortunate enough to get the coin. I was like, this is awesome.
I want to keep going. So I just kept absorbing all of the material that I could, reading and learning and setting up labs, which is by far the best way to learn something, right, to just set up a test environment, set up a lab. And so I continued with that, and then, you know, I guess digital forensics became more and more a part of my job. The more I learned about it, I was able to incorporate what I learned into investigations. I moved on to another job after that, was able to use that knowledge and apply it, and then, you know, still today, it just became my main job. So yeah, I just really like the field.

Excellent. So how do you choose topics then? Because I find all of your topics to be extremely practical. You really walk us through step by step everything about how you're doing it. I saw one on, I think it was something like shellbags or something. I don't remember the episode exactly, but it was specifically looking at how updates are happening and how someone starting in the field would actually discover that themselves and try to make those connections. So how do you choose what to do that makes sense?

Yeah, that's a good question. Sometimes it's real-world stuff that I've run across in investigations that I've worked on, like RDP cache. Like, I had no idea RDP cache was even a thing a few years ago, right? And then one of the people that I was working with at my previous job stumbled across it in an investigation. He's like, hey, what is this thing? We're like, I don't know, never seen this before. So we start researching it, and then it ended up being an extremely valuable artifact, and then I'm like, yeah, I should probably make a video on this, kind of put together what I learned based on that. So that's one way, like real-world stuff, and another way is just following Twitter and looking at what the community is doing anytime.
There's the cool new, you know, tool or, you know, something new and exciting that comes out. I guess the most recent example of that being MemProcFS, which my boss actually pinged me a link to and said, hey, have you seen this tool? This is pretty cool. And like, by chance, the next day Ulf Frisk on Twitter, the author, reached out to me, and he's like, hey, I made this tool. And I'm like, that's awesome. I actually have it downloaded. It's on my list, right? I'm gonna learn this and see what I can do with it. And then I just took it from there, and I'm like, this is awesome. I think I'm gonna make an episode about this.

Yeah, that was a great episode, by the way. I'm trying to find the link for it, but I'm sure you can find it in the episodes that I just shared. So I'll share episodes again, because I don't have that link handy. But yeah, the MemProcFS video, really interesting. What about your style? Did you learn... Like, I find your videos to be really in-depth, kind of expert level essentially, but also extremely approachable, and based on the comments, a lot of people who are new to investigations and new to digital forensics are coming to your channel, and they seem to really be getting it. How did you cultivate this style, or what's your technique?

You know, I just kind of... One of those fake it till you make it kind of things, I guess. Just kind of winged it at first, honestly. Just like, I'm not sure what I'm doing here, I'm just gonna kind of present the information in a way that I would want to consume it if I were watching a video. So basically, I think, what's the classic idiom that people use? I think it's something along the lines of: tell them what you're gonna tell them, tell them, and then tell them what you told them. That's kind of the flow, right? So you do the intro, you do the demo, and then you do a recap to basically say, okay, here's the takeaway.
Here's what we learned. And I've just kind of revised that same formula over time, I think, and just tried to, you know, not spend too much time with fluff or things that people don't really care about. Just kind of get straight to the point. Here's what we're gonna talk about. Let's do it. Let's recap. So, kind of the way I like to learn.

Right. So, I guess, if I can, I'm not trying to steal your ideas or anything, but what are you planning for the future on the channel?

So short term, the next episode that's coming out, it'll go live for Patreon supporters probably, I don't know, this week or next week. It's what's on my DFIR box, or some DFIR box. That's kind of one that's been requested for a while, like what tools and things do I use basically on my own system. Strangely, it was actually recorded before MemProcFS, so you'll notice that MemProcFS is missing from that, but it's absolutely in my tool belt now. But all the other things, from X-Ways to, of course, some guy named Eric Zimmerman, maybe you've heard of him, you know, his tools. Just all the different things that I use, both for lab work and, you know, some of it obviously for actual work work as well. So that's gonna be the next one coming up. And then after that, one that's been in the works for a few months, just because of how long it took to do research, and that's called Impacket Impediments. And there's actually a really cool, well, I think it's cool, cheat sheet that'll go along with it. It's like five pages, and it's gonna cover the Impacket remote execution tools, so atexec, psexec, smbexec, so on and so forth, and how you can detect the usage of those tools on a target system via Windows event logs. So it's gonna be like a 40-minute-long episode, pretty in-depth, and the cheat sheet kind of summarizes all the stuff that we cover in there.
So that'll be probably late September-ish for public release. So yeah, that's the next one, and those are the two, like, I guess, upcoming things. But in addition to that, I got a camera and, you know, kind of a different setup, and I want to try to get some people on, much like we're doing here, just for some guest interviews or guest presenters or things like that. I'd like to have Zimmerman on, Alexis, DFIR Diva, any of you guys, Brett, any of you in the chat, you're more than welcome. I think that will be really, really cool. Of course, you and I are already planning something coming up, but we'll alert. So I think that'll be really neat to have some guest presenters.

Okay, so the best way to contact you is Twitter, right?

Yeah, Twitter works, either me personally at @davisrichardg, or 13Cubed is @13CubedDFIR. Also, just richard@13cubed.com, if you want to email instead.

Okay. Can't get it without making a little noise. So anyway, I've posted the website, and all the contact information is on the website. Like you said, we are planning on doing something. I do want to talk a little bit about how you got into forensics. You said that you were working at a university. Basically, like, how... Without going into too much depth, because we'll cover this basically later, but let's just go: if you were a new person starting today, what kinds of things would you focus on, if they wanted to go a similar career path?

So first off, I would tell people you don't have to have a degree in, like, digital forensics or cyber security to get into cyber security. Some people that I work with that are absolutely brilliant either have no degree or they have a degree in something that's completely unrelated to the field. So don't let that stop you. That would be the first thing. Second thing is that if you learn things, don't be afraid to share those things, right?
You don't have to be an expert in something to teach something and share your knowledge with others. And that's a great way to learn, too. I found the best way to really solidify some things is to try to teach it to other people. But just in terms of general advice about people who are like, hey, that's kind of cool, I want to get into the field: there are so many free resources that are available now. Like, you don't have to pay a dime. You can go out there and just get all kinds of wonderful training, whether it's, you know, books or, you know, podcasts or videos like this or whatever that you can look at. Of course, you've got, you know, DFIR Training and DFIR Diva and AboutDFIR and all these awesome resources. SANS has obviously a lot of stuff completely for free, posters and things like that. Obviously your channel, and there's a SANS DFIR channel as well. There's just all this awesome content, most of which didn't exist when I was trying to get into it, and now it does, and it's just, you know, nice and easy to find and just a great way to get started. Plus you can set up home labs on the cheap. Like, go on eBay, buy some used Dell OptiPlex or something, and throw ESXi on it or something like that, set up some... Start playing around with it. It's a great way to learn.

And on that note, DFIR Diva had a great article about home labs, so I'm gonna post that to chat as well. Right. Okay, so, man, there's a lot we could talk about, but I think I have to save it for next time. Anything you want to say about the DFIR Summit? Have you been watching the whole thing? Did you just tune in for the awards?

So I've been watching it on and off, you know, as I've had time doing my day job. So I've had a laptop up next to me with streams going on. So lots of great content. I wish I was able to have made it in person this year. I've only been once in person, and like I was telling you, I think it was 2019, I think, and it was a lot of fun.
So yeah, but even still, just being able to watch it all online is awesome, too. So yeah, good stuff.

Great. Okay. We have a couple more minutes until Heather might join us. Can you tell me a little bit about... You didn't tell me much about actually where you work now and what you're doing. Can you talk a little bit about that?

Sure. Yeah, so I work for Microsoft directly. I work on the Detection and Response Team, or DART. AKA MS slash DART jobs if you're interested, so it's aka dot ms slash dart jobs. I'll just turn it into a recruiting event, right, but we're hiring lots and lots of people coming up, so just check that for jobs if you're interested. But fantastic bunch of people, can't say enough good stuff. As far as what a typical day looks like, there's no typical day. It's all different. We are, you know, obviously in the business of helping our customers, and, you know, they come in all shapes and sizes all over the world, right? So lots of interesting cases and lots of bleeding-edge stuff that you would expect to see, you know, working at a big place like Microsoft. So it's awesome. I've learned so much just in the one, let's see, one year and eight months, I think, I've been there. So it's been a great experience thus far.

And is it because of the scale, or is it more like unique cloud opportunities, or?

It's everything. I think it's a little bit of everything, but the people more than anything. We have an incredible group of people with all these different backgrounds from all over the world. Like, our team is global, right? So we have, I don't know, I don't know what the exact headcount is now. You know, 150-ish people.
I don't know, something like that. And obviously we'll continue to grow, but it's just the background that everyone brings, the experience that they bring from whatever they did in the previous job. And so, you know, I think the cool thing is, if there is a topic that you want to know extremely in-depth, whatever that is, like how this particular artifact behaves or how this thing works, there's gonna be someone on the team that is a technical expert in that area. At least that's been true so far. It's awesome. So you start developing these go-to people. Like, you know, this person's the go-to person for Exchange-related stuff, you know, or for understanding web shells at a really in-depth level, go to this person. That kind of thing. So just the collaboration and being able to share and learn from others, I think it's great.

And how does that work online? I know a lot of people, especially with work from home and everything, they had trouble. But I mean, you're working at a totally different scale, so obviously you're using these remote tools. Are you able to kind of split off and get the knowledge you need, or do you just throw a question out there and people just answer it? How does the socialization work?

It's better than you might think, honestly. We use Teams, obviously, and we have so many Teams channels and chats stood up with various, you know, groups and subgroups within our team. And we can, you know, generally very quickly just call someone up on a video call or audio call and get them on and say, hey, you know, can you take a look at this really quick? Can you, you know, make sure I'm on the right path, or, you know, take a look at this weird behavior I'm seeing, something like that.
So the collaboration works really well. We do obviously still do some on-site work and some travel, but the vast majority of my work is, like you said, just sitting out here in this office and working remotely. So yeah, works out really well.

Do you bring a lot of the same tools that you're using now into your videos? Like, one of the problems I have is that I can't assume that the person watching has access to some professional-level cloud service, right? So I want to get the knowledge out there to people who have access, at the same time, and can practice along with me. So do you find a balance with that? Are you just mostly working with offline tools? I think most of the ones I've seen were mostly offline, but...

Yeah, so I should say I'm not the cloud forensics expert by any means, right, but we certainly have people on our team, and, you know, that's what they do. They would be able to help with, like, Office 365 intrusion type things, or, you know, they really understand the cloud at a very in-depth and deep level. I can do those investigations, but my bread and butter, so to speak, my expertise, would be Windows, you know, dead box forensics, or, you know, image analysis kind of thing, or triage image analysis, Windows memory forensics, Linux forensics, which, yes, we actually do quite a bit of Linux forensics, even being Microsoft. So yeah, all those things are kind of the world I live in. And as far as the tools, we obviously have some internal tools that we've developed that get deployed out to our customers to collect forensic metadata and bring it back to us so that we can then look at and analyze that data. A similar type of thing that you might do with, like, a KAPE type of workflow. And we use things like X-Ways and just commercial tools, of course, to, obviously, Zimmerman tools, MemProcFS, you know, all that kind of stuff.
Okay, interesting. So I almost imagined that it was completely automated. Everything is, you know, a cloud instance or something, and then you can just pull it in, clone it as you see fit. And it seems like there's a lot more than what I was thinking, even.

Yeah, so at a high level, basically, the tools that we have are able to be deployed in our customer environment. They will take that forensic metadata, shoot it up to the cloud to an Azure database instance that's provisioned for us, and then we can hunt through that data at scale and actually be able to go through and, you know, look at thousands, tens of thousands, hundreds of thousands of computers at scale, looking for, you know, whatever it is, right, hunting on IOC or stacking data and finding outliers, any of that kind of difficult stuff. And then, you know, using the SANS funnel approach that is taught in 508, where you start at the wide part of the funnel and then kind of work your way down, we can go all the way to the tip of that funnel, deep diving into disk image analysis and memory forensics, if, you know, the situation warrants that. Obviously that doesn't scale very well, but, you know, we can certainly...

But you can still pull all that remotely, and just from detection to dead box acquisition and investigation, everything's remote now. Excellent.

Yep. It's pretty amazing.

It's really amazing. Yeah, especially coming from the police investigation side, where we're like, something already happened, we can't get a lot of the data.
It sounds glorious. Okay, well, thank you so much. Congratulations on the nomination, and congratulations everyone in the chat. It seems like a lot of people who are nominated are in the chat, too. Brett Shavers with his excellent book also.

Absolutely, have it right over there.

Yeah, so thank you for joining me, and it was great to finally meet you, and I hope there's more to come for next year and we can be nominated again. Okay. Anything you want to leave with?

No, just, you know, like I said, thanks to everyone watching for the nomination, and, you know, like I said, just glad to be in the good company that we're in. We have a great community.

Yeah, I mean, thank you for... I guess I should say thank you, not for being, or congratulations for being nominated, but just thank you for making such great content. I mean, I know I've learned a lot from you, so I appreciate it. Thank you.

Same here.

Okay. All right. So thank you, everyone. This is Richard. I've put in links, basically, to 13Cubed, it's just 13cubed.com. Go check out all his videos. He also has a Patreon where you can support him, and, yeah, that's his part-time job. So anything you can do to help out will definitely help. Thank you so much, and I will see everyone later.

Thanks.