Forensic Grunt Work

Looking to blog and don’t know where to post it? I am happy to host your thoughts for you. Below is the first guest blog post by a past FOR585 student. If you have something to write about, please let me know. 

by Terrence D. Williams

I have revisited this same post in my mind nearly fifteen times a day. It finally hit me. It hit me a little harder than I expected, but the topic was pretty apparent to me. Until I was driving down the road to work, I didn’t understand the purpose of many of the tasks I completed in my early years in the Marine Corps. When I first entered the Corps, I had a lot of duties that seemed purposeless. All these actions are something that I call “grunt work.” Grunt work can be categorized as all the long, tedious days of doing tasks that seem meaningless but that, in the future, become muscle memory.

Forensic grunt work hurt me because I did not understand why I needed to stare at a computer screen day in and day out, learning about various computer technologies. It dawned on me while I was driving down the street that I should have put in the work in the early days of my forensic career. I wanted to build a Python XML parser that could convert the output from one of the live forensic tools utilized by my team. My problem was that I did not know a lick about XML. I mean, I did not know about the root, the children, or the elements. These are basic terms in XML. I couldn’t fathom that my biggest problem in the situation was that I didn’t know the basics of XML.

Forensic grunt work helped me because the Marine Corps inadvertently taught me how to develop skills that become muscle memory. Over the course of two weeks, I read possibly twenty different articles about the structure of XML. Once I knew the basics, I began to combine my Python knowledge with my new XML knowledge. I was spending about 4 hours a day playing in Python’s interactive mode, trying to see the many ways that I could build the program I had set out to create back in July. With the help of Stack Overflow and the SEC573 SANS course, I was able to build the program that parsed the XML output from the tool and made my team more efficient.

How does Forensic Grunt Work work? It is a somewhat simple process. Even if you limit the forensics world to Windows operating systems, smartphones, and network security monitoring, you are still looking at more than a year’s worth of reading material. If you are a Mike Ross (a USA Suits reference), then this will be an easy task for you: you will be able to read each book and article one time and remember every single detail. Unfortunately, you are most likely like me. You will read it once or twice, then use it as a reference book for the future because not everything stuck. This is where forensic grunt work comes into play.

2018 is probably one of the greatest times to learn forensic skills. After reading “The Importance of Deep Work & The 30-Hour Method for Learning a New Skill” by Azeria, I have developed my own process for using grunt work to my advantage:

  1. The Prep Work
     a. Pick a skill that I need currently or will need in the future
     b. Open the calendar app on my iPhone to make myself a study schedule of 30 hours. Monday – Friday: 4 hours; Saturday – Sunday: 5 hours
        i. I am a tech junkie, so the best way to establish my schedule is to use technology. When a calendar alert is scheduled, my phone tells me, my watch tells me, my home system tells me, it pops up in my car, and it lets the people I share my calendar with know that I have something scheduled
        ii. I break my daily sessions into 2-hour sessions: one session in the morning and one session at night
        iii. I know myself, so 4 hours is not the starting point for me.
     c. During my sessions, I turn off the TV and place my phone on Do Not Disturb
  2. The Grunt Work
     a. Gather the books and articles related to the subject
        i. The first 10 hours of the work will be reading and note taking
     b. Build a lab environment
        i. The lab environment is a simple setup that typically involves one or two virtual machines
        ii. I tend to use open source tools that are easy to obtain, so that hunting for tools does not detract from my work
        iii. Lab build is 2 hours
     c. Goal setting
        i. I write down the goal from the prep work stage in multiple locations.
        ii. The point is to be able to see it, so that I stay on task
     d. The Grunt Work
        i. The last 18 hours of my process are dedicated to skill development
        ii. I begin in the lab environment by exploring it in relation to the goal
           1) If the goal is to understand XML, I open the document in a text editor to see the format. I open the same document with the various tools to see how each tool presents it. Then I compare the tools to the text editor.
        iii. I begin to replicate the examples I found in the books and articles.
           1) If the goal is to build the XML parser, I copy the examples in the books and articles. I slowly transform the examples to fit the XML file I actually want to analyze
        iv. I now assign myself some challenges that I think will help me get to the end goal
           1) What if I don’t want the whole XML file? How do I alter the parser?
           2) What if there are pieces of the file I will want every time? How can I loop through them?
        v. Finally, I apply the goal to challenges that others have had with similar goals
           1) Go through Stack Overflow to see the questions that are similar to my goal
           2) Can I answer their questions in my lab?
              a) If not, revisit the examples and challenge steps above.
  3. Post Work
     a. Save the books, articles, and notes for later reference
     b. Clean up the material into a format that is easily searchable for me
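As an added, runnable illustration of the lab steps above (open the XML to see the root, its children and the elements; replicate the book examples into a parser; then the two challenges: keep only part of the file, and loop through the pieces wanted every time), here is a small Python parser written for this post. It is not the author's program and it parses no real tool output: the `<Report>`/`<Process>`/`<Conn>` layout is a constructed sample modelled on a typical live-response process listing, and every function name below is the example's own.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample for this example, NOT real tool output: a host report with a
# <Report> root, <Process> children, and nested <Conn> elements.
SAMPLE_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Report host="WKS-017" collected="2018-03-04T10:15:00Z">
  <Process pid="4412" ppid="612">
    <Name>svchost.exe</Name>
    <Path>C:\Windows\System32\svchost.exe</Path>
    <Hash algo="md5">d41d8cd98f00b204e9800998ecf8427e</Hash>
    <Connections>
      <Conn proto="tcp" local="10.0.0.5:49152" remote="203.0.113.9:443" state="ESTABLISHED"/>
    </Connections>
  </Process>
  <Process pid="5120" ppid="4412">
    <Name>update.exe</Name>
    <Path>C:\Users\jdoe\AppData\Local\Temp\update.exe</Path>
    <Hash algo="md5">098f6bcd4621d373cade4e832627b4f6</Hash>
    <Connections>
      <Conn proto="tcp" local="10.0.0.5:49160" remote="198.51.100.23:8080" state="ESTABLISHED"/>
      <Conn proto="tcp" local="10.0.0.5:49161" remote="198.51.100.23:8080" state="CLOSE_WAIT"/>
    </Connections>
  </Process>
  <Process pid="1188" ppid="612">
    <Name>spoolsv.exe</Name>
    <Path>C:\Windows\System32\spoolsv.exe</Path>
    <Hash algo="md5">5d41402abc4b2a76b9719d911017c592</Hash>
    <Connections/>
  </Process>
</Report>
"""

FIELDS = ["host", "pid", "ppid", "name", "path", "hash_algo", "hash", "conns"]


def parse_report(xml_text):
    """Return the root element (<Report>); everything else hangs off it."""
    return ET.fromstring(xml_text)


def tree_outline(root):
    """Walk the tree and list 'depth:tag' entries: root at depth 0, its
    children at depth 1, and so on, the same shape the text editor shows."""
    outline = []

    def walk(elem, depth):
        outline.append(f"{depth}:{elem.tag}")
        for child in elem:  # iterating an element yields its direct children
            walk(child, depth + 1)

    walk(root, 0)
    return outline


def iter_processes(root):
    """Loop through the piece wanted every time: one flat dict per <Process>.
    Absent children become '' rather than raising, since tool output varies."""
    for proc in root.findall("Process"):  # direct children named Process
        hash_el = proc.find("Hash")
        yield {
            "host": root.get("host", ""),
            "pid": int(proc.get("pid")),
            "ppid": int(proc.get("ppid")),
            "name": proc.findtext("Name", default=""),
            "path": proc.findtext("Path", default=""),
            "hash_algo": hash_el.get("algo", "") if hash_el is not None else "",
            "hash": (hash_el.text or "").strip() if hash_el is not None else "",
            "conns": len(proc.findall("Connections/Conn")),
        }


def processes_with_established_conns(root):
    """Keep only part of the file: ElementTree's limited XPath allows an
    attribute predicate, so ask each process for an ESTABLISHED <Conn>."""
    return [
        proc.findtext("Name", default="")
        for proc in root.findall("Process")
        if proc.find("Connections/Conn[@state='ESTABLISHED']") is not None
    ]


def report_to_csv(xml_text):
    """The conversion the post set out to build: XML report -> CSV text."""
    root = parse_report(xml_text)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(iter_processes(root))
    return buf.getvalue()


if __name__ == "__main__":
    print(report_to_csv(SAMPLE_XML))
```

One caveat a forensic parser should carry from day one: output collected on a possibly compromised host is untrusted input. The standard library's `xml.etree.ElementTree` does not resolve external entities, but the expat backend it uses was, before expat 2.4.1, open to entity-expansion denial of service (the "billion laughs" document). For production use, parse with the `defusedxml` package's `ElementTree` module, which exposes the same `parse` and `fromstring` calls and refuses such documents, so the code above needs only its import line changed.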

For me, the above process is excellent. For someone else, the process will not be what he or she needs. The goal is not to repeat my process verbatim, but to build your own 30-hour process in the same way. The process is a condensed grunt work model that serves as an introduction to a new skill. The overall grunt work process will transform you into a master of the skill the more you apply it over your career. Challenge yourself to push past your comfort point in learning. To push myself, I will eventually work up to the point where my 30 hours are broken up into 4-hour sessions. Make it work for you. Good luck in beginning the skill learning process of grunt work.

2 thoughts on “Forensic Grunt Work”

  1. Semper Fi, Devildog. Good article and quite timely for me. You’re right, we have to carve out that distraction-free time and have the discipline to do it.
