To Whom It May Concern

This is an open letter to a person I will never get to meet. We will never exchange greetings nor will I ever know their name or identity. I had to settle for an open letter since I’m unable to give them a proper thank you. Please don’t misunderstand my attempt at thanking them since I’m truly sincere. This is not an attempt at humor nor is it an attempt to condescend them. This is my thank you; thanking them for infecting my system so many years ago.


To Whom It May Concern,

As the holidays are approaching it’s a time of reflection. I’ve been reflecting on my “Journey into Incident Response.” There have been numerous people who helped me along the way; people who influenced me and helped make me into the Digital Forensic and Incident Response (DFIR) practitioner I am today. Reflecting on all these people I can’t help but think how you impacted my journey. You may not even be aware of the impact you had on me, but your actions are what opened my eyes to a whole new world and made me take the first step of my journey.

At the time I was in a position doing two different responsibilities. I was performing vulnerability assessments against organizations, testing networks to find vulnerabilities. At other times I was performing digital forensic examinations to determine if someone was committing fraud. I saw my two responsibilities as separate; as duties that didn’t blend together. My perspective changed when I saw your handy work appear on my computer, which was a rogue security program holding my computer hostage. That one single event is what started me on my journey; my journey of leveraging my offensive security background to improve my DFIR knowledge and skills when investigating security incidents.

I never attempted malware forensics before this, but I wanted to know if I could figure out how you were able to install your malware on my box. I successfully traced your malware to a PDF targeting an Adobe Reader vulnerability that was delivered through a malicious advertisement served up by Yahoo’s website. Some may say it was luck, but I beg to differ. I knew that in order to get a remote code execution, an exploit had to be used. The answer was clear as day once I found the PDF that was created on the system around the same time as the malware.

I know I was not even a blip on the radar screen; maybe just an IP address showing a successful install. You opened my eyes to a whole new area; an area where the offensive side of security meets the investigative side. Where knowing how to attack systems is as beneficial as knowing what artifacts are created by those attacks. How this combination of skills and knowledge can be used to obtain intelligence to help better secure organizations and people. I know I would have come to this conclusion eventually, but your actions helped me see it sooner rather than later.

My passion for information security, my motivation to learn, and my drive to share my knowledge with others took care of the rest. Little did you know you were awakening a sleeping giant. I don’t consider myself a giant but it’s the only words that come to mind when looking at the aftermath of the infection. I dedicated myself to learning and researching how to investigate security incidents. Eventually it evolved into me using my knowledge and skills to help others investigate security incidents. I started my blog as one avenue to share what I have learned. I try to help my colleagues become better DFIR investigators through presentations and sharing my thoughts. I use my skills to help home users become better equipped to secure their computers through education about what holes to close after I remove malware from their systems. I help organizations by providing them with intelligence to improve their security by analyzing the systems impacted by attacks. I am developing a graduate course to help strengthen the ranks of DFIR practitioners capable of investigating malware incidents. I’m even considering authoring a book to reach a larger audience about malware forensics. I truly wanted to show the chain of events to illustrate why it’s as if a sleeping giant was disturbed.

I bet you have never heard a user you infected say thank. I will be the first; the first to say thank you for infecting my system so many years ago. Thank you for opening my eyes to a whole new world, sooner rather than later. Thank you for showing me the first step I needed to take to become your adversary.