Peer-me a Connection Reset

If you are working with a jailbroken device for testing purposes, take notice of the lightning cable you’re using – its age and intended use. Meaning, did the cable originally come with an old device, like an iPhone 5s? Are you testing with a newer device? Is the cable consistently working for you, or are there instances when it does not charge your test device? Are you having issues connecting to the device using SSH. If you’re having connectivity issues, then check the lightning cable. Doing so could save you some brain-ache.

Recently, I wanted to connect to my device using iPhone Tunnel. I was all set to go, but instead, encountered the following message in Terminal when I tried to SSH in:

kex_exchange_identification: read: Connection reset by peer

This wasn’t the first time encountering this message. A few hours prior, I received this message while attempting to connect to the device. After disconnecting, reconnecting, and restarting my laptop, the error message was no-more. But, where I was… again… with the same ol’ message.

To take things even farther back in time, I had encountered this message about a year ago, and it had something to do with incorrect RSA keys. I had wiped my device, and started fresh. That meant establishing a new trust relationship – something I didn’t know about at the time. After poking around on Google, I tracked down the solution that worked – finding the old keys in a file on my Mac, deleting them, and establishing a new handshake with my test device. It took me forever to identify the underlying issue (or so it seemed). However, this time I had not wiped my device. So why was I seeing this message?

I looked at my device’s screen, and noticed the battery icon was not in charging status. So, I jiggled the lightning cable, which had worked just a few hours before, and couldn’t get the charging status to show. I switched out the cable for one I had recently purchased, and immediately got my device to charge. I was subsequently successful in connecting to my device with iPhone Tunnel. Prest-0, change-0. On to some testing.

I know this was a really long story for just a little bit of information. It could’ve gone – if you encounter [message], then switch out cable. But, I like to provide extra details around issues that end up having a simple solution, but feel a tad-bit complex in the moment. I recall Googling the “…reset by peer” message (originally – a year ago), and didn’t see any solutions talking about lightning cables. So, here we are, and there it is. I hope this can help someone in the future.

Momentum and Inspiration – SANS DFIR Summit 2019

The 2019 SANS DFIR Summit is over, but not forgotten. At least not for me – a first year attendee. I had a blast during the two day conference, and I hope to attend next year. Here are a few things that come to mind when thinking back on my two-day trip to Austin:

1. I had a front row seat to see and hear, what I’ve only experienced watching YouTube-replays of summit talks.  I heard the passion each presenter had for the content they delivered.
2. I was exposed to different subjects outside of my comfort zone. One example was a talk on finding evil in Windows 10 compressed memory. It was new for me and I was in awe of the work put into this talk!
3. I spoke with different people in the community, each with a passion for what they do.
4. I absorbed the energy the summit brings to life in the DFIR community, and will use it to create momentum for myself and those I work with.

Expanding on points 4 and 5…

Point 4 – Meeting new people
It’s always good to shake hands with someone new, or with someone you’ve only connected with through social media. The former lets you learn about someone new, and possibly, something new. There are so many people working in the DFIR space that, getting to know someone and what they do can open up your eyes to new and exciting things. Perhaps, you’ll find a new interest during your meet and greet (topic within DFIR), and more importantly, you have the opportunity to make a new friend (someone in the private sector if you’re in government, or vice-versa).

If you’ve only communicated with someone over social media, then meeting face to face is a great thing to strive for. Social media posts are great for spreading thoughts far and wide, but personally, there’s nothing like meeting someone in person, and just chatting. It doesn’t have to be about DFIR – you can chat about your love for, let’s say… bourbon!

Point 5 – Inspiration and motivation through osmosis
I left the summit inspired and motivated to learn, dig-deep (research things known and unknown), and overall, get better at what I do. My goal is to bring inspiration and motivation to my teammates, so we can continue helping others, asking questions, finding answers, and reaching project goals. How did these feelings of sharing and caring take shape? Seeing others speak passionately about areas of DFIR. It brings out the best in the person absorbing the information.

It’s exciting to hear about the way someone went about researching a problem, and the excitement of finding new information. It’s exciting to hear about a new way of using existing information in a particular case-scenario, as well. For example, Heather Mahalik and Sarah Edwards presented on information that can be used to assist in distracted driver investigations. In addition, Alexis Brignoni and Christopher Vance presented on information left behind by mobile applications after they are deleted. I found the information to be very relevant to my casework. So, the presentations are definitely a source for motivation and inspiration when I return to work, and review analysis I’ve done to date.

By attending the summit, you’ll get a chance to hear the passion in everyone’s voice. People are very excited to share what they see and do in the community, and how they feel about helping others facing the same data sets or problems. My suggestion is – absorb that passion in the air, find your own passion, and dig in to something new. Or, take something old (I use this term loosely), try to look at the same problem from a different perspective, and try to find a solution. Ask questions, ask for feedback, and don’t be scared to… (insert your own end results such as – arriving back at square one, arriving at a different conclusion, a feeling like everything is falling apart).

We need a break from repetitiveness, protocol, standard operating procedures and policies. We need a break from responding to emergencies. We need a break in order to refill our tank with some unicorn magic juice, so we can continue to work effectively, and professionally with our teams. Much like the skills you can take back to work after a SANS class, I am walking away from the summit with momentum and inspiration. I will take both back to my lab, and support a focused work environment . Most importantly, I’m going to help my teammates enjoy what they do.

The Journey Begins

Thanks for joining me!

Good company in a journey makes the way seem shorter. — Izaak Walton


My blogging journey begins thanks to Phill Moore of  I don’t know how he does it, but he maintains an incredible wealth of knowledge, on a weekly basis.  This includes a post on starting a blog, which is why I say – thanks Phill.  After a strenuous five minutes involving things like choosing a domain name, and clicking a few option buttons, this blog has taken its first baby steps.

A bit and byte about myself (did you see what I did there) – I live and work in the northeast U.S.  I work a caseload involving mobile and computer forensic examinations.  The work includes data analysis, as well.  What about the road leading up to my current job?

I strongly believe that, my path to digital forensic began in my younger years, while downloading viruses to my Compaq Presario.  Hard drive reformatting became one of my hobbies, and I only needed tech support on two occasions, to walk me through the process.  In my semi-older years, I took this love for drive-formatting, and supplemented it with a few courses in cybersecurity.  Thereafter, I just fell in love with everything having to do with digital forensics.  As a result, I wish to pass along some information that I’ve found useful during my journey.  All you need is a spark!

Here are a few of the activities I like to classify as “research and development” to continue learning about the field:

I could go on, but I hope I’ve provided enough information, for anyone interested in digital forensics, to start their journey.  A little Google magic will help with any of the items listed above.

Before I end this first blog post, I’ll mention some of the things I want to get done in the near future:

  • Learn Python enough to create scripts for my workgroup
  • Attend SANS FOR572 (Advanced Network Forensics)
  • Continue meeting new people working in digital forensics
  • Ride-along with someone in IR (or a SOC)

Feel free to contact me with any questions, concerns, or rants.  I’m a pretty good sounding board.

Thanks for tuning in, and I promise to post some interest tidbits as they become available!