SANS Digital Forensics and Incident Response Blog

The Exam Before Christmas

I wrote this as a joke for my local HTCIA chapter. Hope you all have a Merry Christmas.

Twas the night before Christmas, when all through the lab
Not an examiner was working, except this tired crab.
All the evidence was filed and the forms were all signed,
In hopes that my work would soon be off my mind.

The drives were all wiped and in their special order,
With care taken not to be located next to the audio recorder.
I had documented I wrote to each sector a zero,
Knowing if it came up in court I would be a big hero.

When out of nowhere the doorbell did ring,
And I ran to the door opening it with a mighty swing.
It was my boss delivering me a brand new case,
And wanted it handled with utmost haste!

I hooked up the evidence to my write blocker,
I was moving so quick, just like a punk rocker.
Every action I took that was worthy of note,
Into my notebook the details I wrote.

When the image was complete,
The next step I could not cheat.
I verified my MD5 hash,
And was ready to go in a flash.

Into FTK the image did import,
I was handling the case like it was going to court.
Once all the pre-processing was done,
I was all set to start having my fun!

Into a server a hacker did intrude,
And the company thought they were quite screwed.
If customer records were read,
Then surely someone would lose their head!

If data was lost, victims must get word,
And hope that the company name was not to be slurred.
They needed me to look for artifacts left by the crook,
And document every action he took.

The attacker came in through an SSL hole,
And theft of user passwords appeared to be his goal.
But first I knew his privileges he would need to raise,
And I found his exploit, proving diligence pays.

After a bit more inspection I found a root kit,
And to Norman Sandbox I made sure to submit.
An answer came back, it was unknown malware,
And this is the point where I started to swear.

So I loaded up a brand new VM,
This trick always worked as a great little gem.
I ran the software to get a good trace,
And making such progress at a wonderful pace.

When I found the encrypted channel to a botnet,
That is when I really started to sweat.
This was a rare find, and quite good news.
I was going to give the hacker a case of the blues.

My report was wrote up with all of my work,
As I finished up I could not suppress a smirk.
The hacker's life would soon be a mess,
As I had identified his home IP address.

I sent the report out, through encrypted e-mail,
Knowing the hacker would soon be in jail.
Content to know I caused him such plight,
I sure hope he enjoys his last free Christmas night.

Jim O'Gorman, GCFA Silver 1356, works for Continuum Worldwide,lives at, and blogs at Binary Intelligence. You can reach Jim at