Small Wins and Momentum


In my last post I expressed my desire to learn to do more in my DFIR play time due to having less play time. I am starting my journey into improving my non-technical skills to make myself more efficient. The past couple of days I have been thinking about how I feel better when I focus on the small achievements. I have been reading Essentialism: The Disciplined Pursuit of Less, and once again, I will recommend it. One of the chapters, “The Power of Small Wins”, focuses on just this. It also reminds me of one of the core principles in The Art of War. Take a big thing, break it down into many small things, and attack each small thing. It makes the whole more manageable and allows for easier victories.

How often have you approached a large project and felt overwhelmed? That feeling slows my progress down. It makes me lose momentum and interest. I really wish I had focused on this more in my beginning days of learning to script. Back when I was playing around with learning Rust, I really started understanding this concept in creating tests. First, I was learning a new language, so everything was that much more daunting. I wanted to make a simple MFT parser. Tests gave me a way to think of something as simple as parsing a data structure and validating attributes as small wins, and as a start and stop point. I could create a structure and functions that implemented functionality for that structure; then my tests would make that achievement feel complete.

Fast forward to today. I am starting to be better at breaking my projects up into components. Making each component valuable is my playtime session’s goal. Take my current play project as an example. My goal is to provide an easy way to understand and research the correlation between user interaction and artifact. This is a very large and complex project. But, while I have the end goal in the back of my head, I focus on needed components that will achieve the end goals. Monitoring Event Trace Logs is just a small step. When you monitor events, you just get a bunch of numbers that mean nothing unless correlated with other data points. I tweeted an example of this in my early stages of researching.

Correlation to add context

There was very little context to that event. But, if the system handles were enumerated, we could provide more context. We could then map a Registry value name to its respective path! Figuring that out was a small win for me and encouraged me to keep researching and start writing some code.

Now, how do we learn why that event was created? We can look at its EventDescriptor. When we do this though, we only see integers. So what do we need to enumerate to make sense of it? Enumerate event publishers. Once again, a daunting task that requires a lot of Windows API research and implementation. But, what if I look at it as its own individual component and make a tool for it? As I play with each Windows API call, I can create tests to ensure that they are getting called correctly. If they pass, that’s a win and I continue to be motivated to push forward. Once I get far enough, I can make a tool. Now you have a tool that enumerates your system’s registered publishers! It even looks pretty.

At first, it only enumerated keywords for a given provider name. That was a win for one of my play days. The next day, I figured out how to enumerate all the registered providers and created a test for the API calls. Another small win for that day. The next day, I added it to the tool so that it could recurse through all the publishers instead of only the one with a given name. Today, I figured out how to enumerate the Opcodes. I then added that functionality to the tool. Now you get Keyword and Opcode information for each registered publisher.

Enumerating System Publisher Metadata

I feel very accomplished and I have a way to visually see and use my accomplishment in a tool. This encourages me to continue on in another play session. I even made a list of what other metadata items I want to enumerate:

Each time I can check an item off, I will feel more accomplished and more motivated to keep the momentum going. Each one by itself doesn’t require weeks of research. After all, motivation doesn’t last very long and you have to keep seeking it.

So, where am I in the bigger picture? Not very far, but I can enumerate Keywords now to have better context of events.

Mapping Keywords to Events

Tomorrow I could add Opcode mapping which would take maybe 30 minutes and feel accomplished for the day!
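The keyword and opcode enumeration described above, and the keyword-to-event mapping it enables, as an added example that is not the post's own tool: the Windows call is TdhEnumerateProviderFieldInformation from tdh.dll via ctypes, the buffer layout is the documented PROVIDER_FIELD_INFOARRAY / PROVIDER_FIELD_INFO, and build_sample_buffer is an assumed helper that fabricates a buffer in that layout so the parser can be exercised off a Windows box.

```python
import ctypes
import struct
import sys
import uuid

EVENT_KEYWORD_INFORMATION, EVENT_OPCODE_INFORMATION = 0, 3  # EVENT_FIELD_TYPE values

def read_utf16z(buf, offset):
    """NUL-terminated UTF-16LE string at a byte offset from the buffer start."""
    end = next((i for i in range(offset, len(buf) - 1, 2) if buf[i:i + 2] == b"\x00\x00"), None)
    if end is None:
        raise ValueError("unterminated string at offset %d" % offset)
    return buf[offset:end].decode("utf-16-le")

def parse_field_info_array(buf):
    """PROVIDER_FIELD_INFOARRAY: ULONG NumberOfElements, ULONG FieldType, then 16-byte
    PROVIDER_FIELD_INFO {ULONG NameOffset; ULONG DescriptionOffset; ULONGLONG Value} records."""
    count, field_type = struct.unpack_from("<II", buf, 0)
    fields = []
    for i in range(count):
        name_off, desc_off, value = struct.unpack_from("<IIQ", buf, 8 + 16 * i)
        fields.append({"name": read_utf16z(buf, name_off), "value": value,
                       "description": read_utf16z(buf, desc_off) if desc_off else ""})
    return field_type, fields

def keyword_names(fields, keyword_mask):
    return [f["name"] for f in fields if f["value"] & keyword_mask]  # bits set in the event's mask

def enumerate_provider_fields(provider_guid, field_type):
    """Windows only: size query, allocate, second call, parse (tdh.dll via ctypes)."""
    if sys.platform != "win32":
        raise OSError("tdh.dll is only available on Windows")
    tdh = ctypes.WinDLL("tdh")
    guid = (ctypes.c_ubyte * 16).from_buffer_copy(uuid.UUID(provider_guid).bytes_le)
    size = ctypes.c_ulong(0)
    tdh.TdhEnumerateProviderFieldInformation(guid, field_type, None, ctypes.byref(size))  # size query
    out = ctypes.create_string_buffer(size.value)
    rc = tdh.TdhEnumerateProviderFieldInformation(guid, field_type, out, ctypes.byref(size))
    if rc != 0:  # e.g. ERROR_NOT_FOUND when the GUID is not a registered provider
        raise ctypes.WinError(rc)
    return parse_field_info_array(out.raw)

def build_sample_buffer(field_type, entries):
    """Constructed fixture in tdh.dll's layout (not data from a real provider)."""
    hdr, recs, strs = 8 + 16 * len(entries), [], b""
    for name, desc, value in entries:
        name_off, strs = hdr + len(strs), strs + name.encode("utf-16-le") + b"\x00\x00"
        desc_off, strs = hdr + len(strs), strs + desc.encode("utf-16-le") + b"\x00\x00"
        recs.append(struct.pack("<IIQ", name_off, desc_off, value))
    return struct.pack("<II", len(entries), field_type) + b"".join(recs) + strs
```

On Windows, enumerate_provider_fields("{provider-guid}", EVENT_OPCODE_INFORMATION) returns the same (field_type, fields) shape, so an EventDescriptor's Opcode can be matched against the enumerated values the same way.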

Remember, accomplishments are wins, and wins lead to momentum. Keep the momentum rolling my friends.

*BONUS — I am getting relatively good at interacting with C via Python, something I thought I would never figure out.