Rob Lee

DFIR Hero: Michael Cloppert Interview

March 4, 2009

The SANS Security Heroes project introduces you to people who have made a difference in information security and the digital forensic community. We believe many people are contributing to make computer forensics work, and we want to introduce you to them.

Interview with Michael Cloppert by Rob Lee

1. Tell us how you became interested in IR or Forensics.

In 2001, while in college, someone hacked my Linux server by exploiting a relatively recent (at the time) WU-FTPD vulnerability. By the time I discovered the compromise, my server was full of warez. I knew very little of computer security at the time, but in the ensuing investigation to figure out what happened, I learned a lot and found that I enjoyed the process greatly. I was also pretty ticked at the guy who did it and my subsequent loss of internet innocence, so I locked my system down so far that even I could barely use it. Here again, I learned more. Throughout the experience I developed a strong belief that, even with individuals like my perpetrator out there, secure and networked computing do not have to be contradictory goals. My career hence has been a silent act of vigilantism stemming from this event.

2. What gives you the most satisfaction while working on a case?

The mere act of discovering a compromise or intrusion gives me a feeling of pride. This is especially true when using new or innovative techniques. Sure, I can stare at an IDS console until a specific, high-fidelity alert triggers and work an intrusion from there, or be handed a system that is known to be compromised and find the point of entry, but in most cases for me that feels like going through the motions. On the other hand, if I can mine terabytes of data to discover a previously-unknown C2 channel, or discover a new way to link ostensibly distinct intrusion campaigns suggesting a single actor, I feel I've contributed to the field and from this derive a great deal of satisfaction. I enjoy IR and forensics work the most when I can positively contribute to the tools and techniques available to others.

3. What forensic techniques do you find the most useful?

This is a tough question. At a low level, I frequently find myself validating tool output. If foremost tells me that I'm looking at a PE, I'll hexdump and look for the PE header starting from "MZ." If argus tells me that a particular flow has a certain number of packets and bytes, I'll use tcpdump to give the pcap a second look. Naturally, I don't do this for every bit of output, but certainly when I come across something new or different, and often at the beginning of an investigation. The things one does at the beginning of an investigation often act like a scientific axiom — an assumption, upon which the rest of your investigation rests. The earlier a mistake is made, the more dire the consequences to your conclusions. Thus, I perform far more validation of my own work, conclusions, and tool output earlier in investigations so as to not waste time or, God help me, foment false conclusions. By the end of an investigation, this is only useful to me when I find something unexpected.
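The habit described in this answer, checking a carver's "this is a PE" verdict against the raw bytes rather than trusting the tool, can be scripted so it runs over every carved object instead of only the ones that look odd. The following is an added example written for this post, not code from the interview or from any tool it names; it uses Python rather than Perl so it can be run as-is, and the helper names (`check_pe_header`, `build_sample_pe`) and the sample blobs it constructs are assumptions for illustration. It walks the DOS header to `e_lfanew`, confirms the `PE\0\0` signature, and sanity-checks the COFF machine type and section count, which is the same check the author does by hand with hexdump, carried one step further.

```python
"""Cross-check a carving tool's PE verdict by reading the header bytes directly.

Added example (not from the interview). The sample blobs below are constructed
inline so the script runs offline; on a real case you would feed it each file
the carver labelled as a PE.
"""
import struct

# Machine types from the PE/COFF specification, used only for a plausibility check.
KNOWN_MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def check_pe_header(data: bytes) -> dict:
    """Return what the header itself says about a blob a carver labelled as PE.

    Checks, in order, each on raw bytes with no third-party tool:
      1. the DOS stub begins with the 'MZ' magic;
      2. e_lfanew (offset 0x3C) points inside the blob, leaving room for
         the 4-byte signature plus the 20-byte COFF header;
      3. the bytes at e_lfanew are the 'PE\\0\\0' signature;
      4. machine type and section count from the COFF header look sane.
    """
    result = {"mz": False, "pe": False, "e_lfanew": None,
              "machine": None, "sections": None, "reason": ""}
    if len(data) < 0x40:
        result["reason"] = "blob shorter than a DOS header"
        return result
    if data[:2] != b"MZ":
        result["reason"] = "no MZ magic at offset 0"
        return result
    result["mz"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    result["e_lfanew"] = e_lfanew
    if e_lfanew + 24 > len(data):
        result["reason"] = "e_lfanew points past end of blob (truncated or not a PE)"
        return result
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        result["reason"] = "no PE signature at e_lfanew"
        return result
    result["pe"] = True
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    result["machine"] = machine
    result["sections"] = nsections
    if machine not in KNOWN_MACHINES:
        result["reason"] = f"unknown machine type 0x{machine:04X}"
    elif nsections == 0 or nsections > 96:
        result["reason"] = f"implausible section count {nsections}"
    else:
        result["reason"] = (f"consistent PE header "
                            f"({KNOWN_MACHINES[machine]}, {nsections} sections)")
    return result


def build_sample_pe(machine: int = 0x014C, nsections: int = 3) -> bytes:
    """Constructed minimal blob: DOS header, padding, PE signature, COFF header.

    This is a test fixture, not a loadable executable; it is only as much of
    the format as the check above reads.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> offset 0x80
    padding = b"\x00" * (0x80 - 0x40)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes total).
    coff = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + padding + b"PE\x00\x00" + coff


# Constructed inputs mimicking what a carver might hand back.
SAMPLES = {
    "genuine_pe": build_sample_pe(),
    "elf_mislabelled": b"\x7fELF" + b"\x00" * 100,
    # 'MZ' text that happens to start a file, with junk where e_lfanew lives:
    "mz_false_positive": b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0xFFFFFFF0),
    "odd_machine": build_sample_pe(machine=0x1234),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict = check_pe_header(blob)
        print(f"{name:18s} mz={verdict['mz']!s:5} pe={verdict['pe']!s:5} {verdict['reason']}")
```

Run over a directory of carved output, the interesting cases are the ones where the carver said PE but `pe` comes back False, or where `reason` flags an odd machine type; those are exactly the objects worth a manual hexdump before any conclusion is built on them.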

4. What is your forensic tool of choice and why?

Without question, Perl. Go ahead, call me old-school (at least I didn't say LISP). Whether I'm trying to analyze a drive or dig through log files, Perl's flexibility, ubiquity, and ease of use as a high-level language make it the perfect all-purpose tool. Netcat as the hacker's swiss army knife? Like hell...

5. Tell us how a commercial tool helped solve a problem. What happened and how did it help?

I don't like endorsing specific vendors, but since you asked... I've found that one of the most difficult problems to solve in this industry is tool selection for enterprise security, forensics, and incident response. At a tactical level, many very powerful tools exist to investigate a small network, or a single computer. At a strategic, enterprise level, many watered-down tools exist which purport to solve the same problems. In large environments where real analysts work, typically neither is sufficient. Marty Roesch has successfully taken a powerful tactical tool (snort), and built an enterprise product offering that provides scalability. Their other products further enhance snort's capabilities. SIM, forensics, and vulnerability scan vendors would do well to learn from Sourcefire's model. I realize this is probably not the intent of the question, but this is the biggest and most consistent pain point I see in our field - one that interferes with our success as analysts in a very real and measurable way.

6. What area of forensics or incident response needs to be understood by every new investigator?

Forensics and incident response are sciences. Your results MUST be repeatable, otherwise you cannot defend your conclusions and they are worthless. Remember, the goal of your work is not for YOU, but for EVERYONE with a need-to-know. And besides, if your work is not repeatable, you will consistently make the same mistakes and will not improve your technique. This simple concept is predicated upon many things, including keeping a log book, following consistent processes, understanding how the tools you use produce the output they give you, and knowledge of computers, software, and networking at the most fundamental levels. If you aren't willing to embrace these aspects of forensics and incident response, you will not be successful.

7. What area of digital forensics or incident response is the most exciting development over the past few years?

The work folks are doing on memory analysis is fascinating. I wish I'd have gotten in on this sooner, but I'm very glad some seriously talented folks have started maturing this area of our field. I've seen memory analysis make cases by revealing passwords, commands issued by adversaries, and memory-only malware is more than just theoretical (although I've yet to see it in even the most sophisticated of intrusion cases). As our threat space matures, we need to be ready and waiting with tools to counter their techniques. For once, with memory analysis, I feel we're finally ahead of the curve.

8. What do you do in your free time when not working on computer forensics?

I am an occasionally-paid but mostly-amateur jazz trombonist.


Tags:
  • Digital Forensics and Incident Response