GCFA Starts Canada Day, plus many wool things. Trigger warning: scurf.
In this post: Hackathon entry & GCFA update. But first:
I've been processing some scurfy wool. Why, you ask? Why, when there's so much wool available to you, when you're literally surrounded with hundreds (yes, hundreds) of pounds of pristine, covered, handspinning wool from all over the world, would you spin scurfy wool?
I guess I like a challenge?
Last year, I ordered fleece from a UK-based seller, who assured me that they could ship to the US and had incredibly affordable fleece, of the breeds you cannot get in the United States. Why, you ask, again? Well, it's incredibly complicated and expensive to ship a live sheep internationally, but not so much to ship the "ingredients". With that in mind, fleeces like Cotswold or other British Longwools are available in the US, but they aren't the genuine, unfiltered artifacts as grown in the UK.
So I ordered, was told it would ship the next week, then waited. For 3 months... 3 emails and 3 promises of "shipping next week" later, a BLF and a Wensleydale showed up.
Dirty, not well skirted, and one (the Wensleydale) absolutely covered in scurf.
I won't go into the details of scurf, but just be aware: scurf is one of the very few conditions in which a handspinner will call a fleece unusable. It's a layer of gummy, gross, dandruff-like flakes, sticky and flaky and impossible to get out (or so I was told).

Gross right? So why would I proceed with this? Well, look at this fleece:

That's after scouring and drying. This is glorious. So, predictably, my reaction was - as with all imperfections - I can fix it!
I'd call that an absolute success. There's something about the texture of this yarn that I find a little off-putting, but I don't plan to wear it - I plan to weave it.
And with that, let's talk hackathon. I hinted at something in the works a little while back, and I'm going to save myself some effort by just pasting the LinkedIn post I (Claude) wrote below:
If you know me, you know that I'm a person who gets an idea and immediately starts building... so for the last 9 months I'd been making myself sit on my hands and stay focused on certs instead of starting anything new. Then SANS announced the Find Evil hackathon, and it described almost exactly the thing I'd been itching to build 🤓 I took that as permission to chase the tiger's tail. What came out is TRUDI, Threat Response Unit for Digital Investigation.
TRUDI isn't an analyst... It's a team of them, with swappable backends (including Foundation-Sec-8B), holding the roles usually split across people. A DAIR director runs the case as a state machine through triage, collection, analysis, and reporting, hands the analyst a strict work order each phase, and reopens a fresh triage the moment lateral movement points at a new host. An analyst runs the SIFT tools through a typed boundary and reads what comes back. An adversary works both ends: upstream, it turns the case question into competing, testable hypotheses and has to put forward at least one that isn't the obvious story, then names the exact tool calls that would tell them apart. Downstream, it tries to break every conclusion, confirming the evidence supports it and that each path, IP, and hash cites a real artifact, before anything reaches the report. A small audited curiosity budget sits on top, so the agent can still chase a thread nobody assigned it. We are all nervous about AI hallucinations, so fabrication is structurally blocked.
An old boss of mine used to say "we are all smarter than any of us." That line has always stuck with me, and became the foundation of the design.
Handed an APT case with a neat (but incorrect!) opening briefing - the malware named, the C2 named, the timeline set - TRUDI checked all three against the raw memory and disk, refuted every one, and surfaced the real implant, the real internal C2, and the correct dates on its own. It trusted the evidence over the prompt. That is enforced, not hoped for. Every finding is tiered CONFIRMED, LIKELY, SUSPECTED (or REFUTED), and a CONFIRMED claim is refused at the gates unless it links to the exact tool call that produced it. The agent can't reword its way past the bar, because the gate reads the trace, not the request.
None of this investigation is a black box: the same trace renders in a dashboard where every tool call, reasoning step, and finding is chained to the decision that prescribed it and the result it produced, so you can step through the entire life cycle of the investigation.
That was my one break from the certs. Now it's back to them, with GCFA starting July 1.
Built on the SANS SIFT Workstation. Demo and code in the comments, and if you do DFIR I want to hear where it breaks 🙏
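A sketch of the finding gate described in the post above, added here as an illustration and not TRUDI's own code: the finding fields (`tier`, `claim`, `cites`), the trace layout and the sample tool outputs are all assumptions constructed for the example. The gate decides from the recorded trace, so rewording a claim as "confirmed" without a real tool call changes nothing.

```python
"""Hypothetical evidence gate modelled on the page's description: a CONFIRMED
finding passes only if it cites a tool-call id that exists in the trace and
every IP, hash or path it asserts appears in that call's recorded output."""
import re

TIERS = ("CONFIRMED", "LIKELY", "SUSPECTED", "REFUTED")

# Constructed trace: tool-call id -> raw output the analyst actually received.
# Values below are made up for the example (the hash is a filler pattern).
TRACE = {
    "call-017": "svchost.exe pid 4412 connects to 10.0.5.23:443",
    "call-018": "C:\\Users\\Public\\update.dll sha256 " + "deadbeef" * 8,
}

# IPv4 addresses, SHA-256 hex digests and Windows paths in free text.
IOC_RE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[0-9a-f]{64}\b|[A-Za-z]:\\[^\s\"']+"
)


def extract_iocs(text):
    """Return the distinct artifacts a claim asserts, in first-seen order."""
    seen = []
    for match in IOC_RE.findall(text):
        if match not in seen:
            seen.append(match)
    return seen


def gate(finding, trace):
    """Return (accepted, reason). Only the trace is consulted, never the
    persuasiveness of the claim text."""
    tier = finding.get("tier")
    if tier not in TIERS:
        return False, f"unknown tier {tier!r}"
    if tier != "CONFIRMED":
        # Lower tiers are allowed to stand as hypotheses without a citation.
        return True, f"{tier} accepted as a hypothesis"
    call_id = finding.get("cites")
    if call_id not in trace:
        return False, "CONFIRMED claim does not link to a real tool call"
    output = trace[call_id]
    missing = [ioc for ioc in extract_iocs(finding["claim"]) if ioc not in output]
    if missing:
        return False, f"artifacts absent from cited output: {missing}"
    return True, f"CONFIRMED claim grounded in {call_id}"
```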
I feel like I should be prouder of this - it's exactly what I set out to build, it works better than I could have hoped, and I feel like I have a solid chance of placing in the top few entries.
However, this was the first project I've ever undertaken where I did not write a single line of code. This was completely created through Claude, so I don't feel like it carries any of ME in it. Maybe I think of creating software too much like an art, but I feel as though this lacks the heart and intention that I've put into every other one of the (hundreds of) projects I've created. I find this really sad.
Don't get me wrong, I've used AI to assist me for years now, but not as the driver. This was different, and ultimately unfulfilling.
This experience has reinforced my desire to refocus my energy into areas of tech that don't force AI into my everyday - Digital Forensics, and I start my GCFA July 1st. As a refresher, I've done GFACT (lol, easy 100%), GSEC (really filled in some gaps, still pretty beginner though, 99%) and GCIH (getting into the weeds! excellent course, learned a lot, 98%), and now I have the first elective choice, and I've chosen GCFA.
I don't fool myself into thinking that AI can't assist the forensic investigation - obviously, as I just created a 3-model AI-based forensic investigator - but I do think that the human cannot be removed from the loop when it comes to law, in the way that they can be removed when it comes to nearly everything else. Also, I just want to dig for truth.
This got too long. Thanks for reading.