Profile
Mari DeGrazia loves the satisfaction of solving a good puzzle. That fascination paired with her technical abilities has made digital forensics the perfect career fit. "There is nothing like the adrenaline rush of figuring out a tough case when you find that smoking gun or vital clue that will help solve it," she says.
In her role as a SANS instructor for FOR500: Windows Forensic Analysis, Mari draws on nearly 20 years of experience in the IT industry, including 10 years in Digital Forensics and Incident Response (DFIR). "I love teaching this topic because it is the cornerstone of forensics," she says.
Mari has taken SANS training courses herself and spoken at several SANS conferences, always coming away impressed with the quality of the instructors and the students alike. She cites that as one of the reasons she chose to become a SANS instructor.
"SANS training is top-notch, and the content is always relevant, up-to-date, and applicable to the real world," she explains. A strong believer in giving back to the community, Mari also appreciates SANS's offering of the SIFT workstation and webcasts, as well as its proactive support of women in the industry.
A recent highlight of Mari's career was an invitation to be a keynote speaker at the Women in Cybersecurity Conference, where she shared her journey into forensics and her passion for it with hundreds of women. Mari's varied professional background enables her to relate to students from the various career paths who attend her courses. She has worked criminal and civil cases, including providing expert testimony, run her own business where she handled many cell phone cases, and managed a team of investigators for large breach cases in her current position.
For Mari, it's important that her students gain a firm understanding of both the artifacts and the investigative process. "My goal is for every student to walk out and feel confident about working a Windows case," she says.
Of course, keeping up with the constant changes in the industry can be a challenge. In her classes, Mari helps students overcome this hurdle by focusing not just on the tools but on sharing techniques and providing a solid understanding of the artifacts. She also encourages students to stay active in the field by attending training sessions and conferences, and by following blogs and the DFIR Twitter community. "There is no magic tool that will do everything for you," she says, "so there needs to be a clear grasp of the underlying artifacts and not a complete reliance on tools."
A great example of going beyond the tools is a case in which Mari discovered Google Analytics artifacts both inside cookies and within the browser cache. The Internet history had been deleted, and the Google Analytics artifact was all she had, so Mari researched Google Analytics, wrote a tool to parse it, and released it to the community. "The Google Analytics artifact literally was the saving grace of that case," she explains. "Since then, I have had numerous people tell me the tool has helped them in their investigations as well."
In addition to being a published magazine author and technical editor for several digital forensics books, Mari maintains a blog on which she shares her research and findings. Her blog has been cited as one of the top 10 blogs in digital forensics. "I am passionate about what I do and am constantly digging to find answers to questions," she says. She is also a faculty member of the SANS Technology Institute, an NSA Center of Academic Excellence in Cyber Defense and a multiple-time winner of the National Cyber League competition.
In her spare time, Mari enjoys working on Maker projects by volunteering monthly at a non-profit Maker lab for teens. "Each month I come up with a project for the kids to build with their hands, then code it," she says. "I love seeing their reactions and sense of accomplishment after they have completed the project." Mari's overarching goal is to introduce the teens to STEM and show them how fun it can be.
ADDITIONAL CONTRIBUTIONS BY MARI DEGRAZIA:
WEBCASTS
- WinSCP: Yeah you know me!, June 2020
- Triage Collection and Timeline Analysis with KAPE, August 2019
TOOLS
- sqlparse.py - Python script and EXE to recover deleted entries in SQLite databases
- onion_peeler.py - Python tool to batch query IP addresses to see if they are Tor exit nodes
- quicklook_parser - Python tool to parse the Mac QuickLook index.sqlite database, which contains information about thumbnails generated on a Mac
- chrome_parse.py - Parses Chrome history and downloads into TSV or TLN format
- parse_mftdump.py - Parses the output of mftdump.exe into bodyfile format
- GA-Parser.py - Python script to parse out Google Analytics values from E01 images, RAM captures, etc.
- GA Cookie Cruncher - Parses out Google Analytics values for IE, Firefox, Chrome and Safari
- safari_parser.py - Parses Safari history, downloads, bookmarks and top sites
- thunderbird_parser.py - Parses out email from the Thunderbird client, including deleted emails
AWARDS
- 2020 Women of Distinction Honoree, Girl Scouts of Greater New York