For this interview I am pleased to share someone who is one of the two people that have been so important in my learning the DFIR skills outwith my work colleagues. His name is Richard Davis, but you will know him as 13Cubed. Along with Eric Zimmerman and his tools, Richard’s videos have been so important for me in learning not just how to use a bunch of tools I now use daily/weekly but also what the artefacts each tool works on are and why we are looking for them.
As 13Cubed, his videos are amazing quality, not just in how they are shot and edited but in content also. Here is what I mean.
If you go to the website over YouTube he has this page https://www.13cubed.com/episodes/ which gives you actual series of his videos. I have worked through the ‘Introduction to Windows Forensics’ and would tell anyone getting into DFIR to make it one of the first stops on your training journey.
If you click into each series, you get details on each video, telling you the title, description and length, along with the link to the video. I find it easier to work through this way, as there is an option to download as CSV so you can mark along as you watch.
I want to mention he also has a 13Cubed store that is not really well advertised out there, which I only found after googling ‘13Cubed store’ as I wanted a t-shirt, so if you want to support him along with Patreon you can go here.
If you have ANY interest at all in DFIR then you just have to check him out if you haven’t already.
And with that, enjoy…
First up I must ask about the name 13 cubed and how it came about. I have been trying to think about it and have seen an article explaining it in maths terms: picture a box where all the sides are 13 and the volume of the box is the same as 13 cubed, so when the exponent is 3 (aka cubed) and the base is 13, you simply multiply 13 by 13 by 13 to get the answer. Is this right? I didn’t know if there was some digital forensics meaning to it, as I am still new in the field.
In 1991, I decided that I wanted to teach myself C. I was able to get ahold of a copy of Borland Turbo C, and I started writing a few simple programs as part of an independent study in my high school computer class. A year later, I decided I wanted a bigger challenge and set out to write a BBS door game, for those old enough to remember what those were.
The game was inspired by Trade Wars 2002 (https://en.wikipedia.org/wiki/Trade_Wars) and incorporated a universe that was generated from a three-dimensional array that was 13 x 13 x 13, or 13 cubed. I named it X-Space 2197, with 2197 being the year in which it was supposed to take place, and by no coincidence it was the value of 13 cubed (13 x 13 x 13 = 2197). When I was thinking about a creative and unique name for the channel, this was my first thought, so I went with it!
How did you get into forensics? I saw that you were a CISO (Chief Information Security Officer) before making the jump. Were you already dabbling in DFIR or training in it, and how did the jump from what I would class as a more boardroom executive role to digital forensics come about?
I was a CISO for a state college in Georgia, and later for a large aeronautical university. During my time in those positions, we would have a decent number of investigations that took place each year. This mostly started out with log analysis and some creative Splunk searches, but I could foresee the need to gain a better understanding into forensics as those cases became more complex. I took SANS FOR408 (which later became FOR500) in 2014 and the rest is history, as they say.
So, five years ago you uploaded the first YouTube video on the channel (maybe not the first but the oldest still there) ‘Parse Email Headers and Files for GeoIP Location Data’. What was the thought or the drive to create the channel and videos?
The first video I uploaded was basically a test to see how the screen recording/video editing process worked, as well as how YouTube worked. As I had recently written the GeoIP parsing script (https://github.com/13Cubed/Abeebus), I thought that would provide some easy content. I enjoyed it more than I thought, and immediately decided to find my next topic!
When you started as well, did you have a plan of what the first, say, 10 videos were going to be?
No! No plan at all. I just found topics that interested me, and that I thought would be of interest to others in the community.
On that note, how do you decide what to record on? Do people request certain videos on a specific tool and comment on videos about what to do next?
As far as what to record next, yes, I receive a lot of suggestions – many from my Patreon supporters and from others on Twitter. Those suggestions often turn into videos, with the most recent example being MemProcFS. Other episodes incorporate things I’ve run across as part of investigations I’ve worked on, or other skills or things I’ve learned as part of that real-world experience.
I love finding out about how others who release learning and training content and courses keep learning themselves. Any channels, books, reddits, podcasts that you like and follow?
Absolutely! Here are some of my favorites:
This Week in 4n6 (website, podcast), DFIR Training (website), The DFIR Report (website), AboutDFIR (website), DFIR Diva (website), DFIRScience (YouTube), Alexis Brignoni (Twitter, YouTube), InverseCos (website, Twitter), PwnFunction (YouTube), LiveOverflow (YouTube), /r/computerforensics, /r/digitalforensics, /r/dfir (Reddit), Practical Linux Forensics (book), X-Ways Forensics Practitioner’s Guide Second Edition (book), Applied Incident Response (book)… and I’m sure I’m missing some. I’m also a huge hardware nerd, so I follow other non-DFIR tech channels like Linus Tech Tips, Level1Techs, Gamers Nexus, Hardware Unboxed, Paul’s Hardware, and ServeTheHome, to name a few.
If you were teaching someone to get a job in DFIR (I know you are teaching thousands of us, but I mean from scratch) what sort of training route/path would you set out, so like Python then some networking and then your own videos etc?
Learning to code in any modern programming language is something I highly recommend. It can change the way you approach problem solving, and it can open doors for you no matter your career. I can’t stress that enough. Seriously, learn to code – it can change your life.
That aside, I think having a base knowledge of OS and file system fundamentals is critical. So, my advice is start with the basics if you don’t already feel comfortable there, and then once you have a solid understanding of those core concepts, move on to sites like DFIR Training and DFIR Diva for a multitude of learning resources, many of which are completely free. DFIRScience and I are actually planning a stream on his channel where we are going to talk about how people interested in joining the field can get started.
I read that you received your first computer in 1984 at age seven, the same year as I did at age 6 (well, it was a joint present with my brother who was 10), but was it a Spectrum 48K like me?
It was an Atari 800XL — a joint Christmas gift from my parents and grandparents. I loved it so much I bought one new in box off eBay a few years back and still have it in my office. I really need to set it up and buy a 1050 disk drive to go along with it.
Do people ever not realise that you, Richard Davis, are in fact 13Cubed? When I started officially in DFIR eleven months ago I was introduced to 13Cubed by a work colleague called Ollie. I then proceeded to see you mentioned in the digital forensics Discord, on blogs and on Reddit, but only after seeking you out to speak to did I then find out your name. Do you ever attend courses and conventions where people have no idea?
Yes, in fact! Sometimes I’ll reference a video I made in passing and someone will say, “Wait, that’s you?” I’ve gone to a couple of industry conventions/events wearing a 13Cubed shirt and people will come up and say hi, which is pretty cool.
What are the plans for you and 13Cubed for the rest of the year and into 2023?
As for my future plans – more guests, more interviews, more collaborations with other industry folks! I’ve got some exciting things lined up, but of course, the normal content will carry on as well!
Give him a follow along at the following places.
- 13Cubed website = https://www.13cubed.com/
- 13Cubed Twitter = https://twitter.com/13cubeddfir
- 13Cubed YouTube = https://www.youtube.com/c/13cubed
- 13Cubed Patreon = https://www.patreon.com/13cubed
- 13Cubed GitHub = https://github.com/13cubed
- 13Cubed store = https://13cubed-merch.creator-spring.com/?
- Richard Davis Twitter = https://twitter.com/davisrichardg
Take it easy