Date: 2023-04-18

Over 10 years ago, I wrote a simple forensic collection batch file. I designed it to automate the manual commands I would use to collect data of forensic value on malware-infected computers. As I used the script, I learned more about forensic collection and eventually outgrew the capabilities of that batch file. I needed a more complex collection program to do what I wanted. Since nothing existed to do what I wanted, I wrote my own forensic collection program in C. When new challenges arose, I would add functionality to the software to address them. As the program improved, I learned more. As I learned more, the software improved.

During that time, I also considered ways to parse the collected data into a report that would allow me to find answers more quickly. This prompted me to create a reporting program that could read the collected data and produce a quick view of the machine to identify suspicious behavior faster.

As I encountered more investigations across multiple platforms, I converted the collection program to run on multiple platforms by porting it to the Go language, which I had never used before. This allowed me to use the same collection processes across multiple platforms — a concept I would never have considered if I had not taken the previous automation steps.

After creating the collection and reporting programs, I realized that automating the processing of the collected data, running the reporting program, and running additional forensic analysis tools on the data could further maximize my time and improve my results. This led me to create a fully automated pipeline for ingesting and reporting forensic artifacts and telemetry.

The truly amazing part was that creating the automation pipeline was fairly simple. I had already built the components, and integrating the collection, processing and reporting components into an automated pipeline took very little time and effort.

My automated forensic processing pipeline would not exist without that original, simple collection batch script. At each step, I saw a need I had not seen before. This process encouraged me to learn more about operating systems and their internal workings, and to learn additional programming languages and analysis design methods that I would not have considered otherwise.

Overall, creating automation has improved my analysis and forced me to learn more than I would have otherwise.