Every once in a while I ask myself a question – what can I do to work faster?
I strongly believe that complacency, a.k.a. resting on one’s laurels, is the biggest enemy of productivity; therefore, once in a while I go on a journey to hunt for tips and tweaks that can improve my work environment. These come in a variety of forms – better hardware, newer software, alternative software, or… changing habits.
Here is a bunch of tips that you may find useful – some are old, some are new, but all of them are tested and work in practice (note: they are all workstation- and Windows-centric). This is a direct continuation of my two older posts on how to speed up case processing, so obviously some repetition is unavoidable 🙂
Here it goes…
- Use at least two computer screens; I can’t imagine working with a single screen anymore. Whether it is a programming, forensic analysis or reversing session – it’s always good to have more space for information
- Multiple computers
  - If you must use multiple computers, you can use Synergy to share one keyboard and mouse between them
- Speeding-up data transfers
  - Invest in a fast CPU and more memory
  - Invest in an SSD and USB 3.0
- Killer-apps
  - Kill your Windows Explorer – it is the worst GUI for working with files; use Total Commander or FAR instead
  - Use PureText to copy & paste text without formatting
  - Use Sizer to resize any window to an exact, predefined size – this is handy when you write reports and want all screenshots to have a normalized size
  - Migrate most of your tools to their portable versions; it’s very handy when you change computers or travel (you can always have the most up-to-date version of your software/settings without relying on the cloud)
- Virtualization
  - Build a fresh clone of your ‘working’ image once in a while – it is not only a good chance to update software, but also to set up/fix settings that you find annoying (if you catch yourself doing the same thing over and over again after you revert to a snapshot -> fix the image!)
  - Move the most frequently used images to the SSD drive
  - Turn the speaker off for all virtual machines – it is pretty annoying, and the link I provide allows you to disable it for all images at once
- SSD optimization
  - Remove the hibernation file – if you don’t use hibernation, just run powercfg -H OFF – this may give you a few good GiBs back
  - Remove the pagefile.sys file – if you have enough memory, you don’t need a pagefile
  - Use junctions – for some reason Microsoft drops tons of rarely used files on the %SystemDrive%, e.g. inside %SystemRoot%\Installer or %SystemDrive%\ProgramData\ or their subfolders – these files can’t simply be deleted, but they ‘steal’ precious SSD space; to gain that space back, you can use junctions to move all this rarely used stuff to a slower partition (use mklink)
  - Install less-often used software on other partitions
  - Do a clean-up once in a while
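The junction trick, as an added example in PowerShell (not code from the original post): it copies a folder to the slower partition, swaps in a junction (`New-Item -ItemType Junction`, the PowerShell equivalent of `mklink /J`) and only deletes the original once the junction resolves. The destination root `D:\Relocated` and the folder list are assumed placeholders.

```powershell
# Added example, not from the original post: relocate a rarely used system folder to a
# slower partition and leave a junction at the old path so Windows still finds it.
# Run from an elevated PowerShell while nothing is using the folder.
$DestinationRoot = 'D:\Relocated'            # assumed: a directory on the slower partition
$Folders = @("$env:SystemRoot\Installer")    # assumed list; one of the folders the post names

New-Item -ItemType Directory -Path $DestinationRoot -Force | Out-Null

foreach ($src in $Folders) {
    $leaf = Split-Path -Path $src -Leaf
    $dst  = Join-Path -Path $DestinationRoot -ChildPath $leaf
    $item = Get-Item -LiteralPath $src -Force -ErrorAction Stop

    # Already a junction or symlink: nothing to move, and copying through it could loop
    if ($item.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)) {
        Write-Host "skip: $src is already a reparse point"
        continue
    }

    # Copy with ACLs, owner, auditing info and timestamps preserved;
    # robocopy exit codes of 8 or higher mean something failed to copy
    robocopy $src $dst /E /COPYALL /DCOPY:T /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $src (exit code $LASTEXITCODE)" }

    # Keep the original as a backup until the junction has been verified
    $bak = "$src.bak"
    Rename-Item -LiteralPath $src -NewName "$leaf.bak" -ErrorAction Stop

    # Equivalent of: mklink /J "<src>" "<dst>"
    New-Item -ItemType Junction -Path $src -Target $dst | Out-Null

    if ((Get-Item -LiteralPath $src -Force).LinkType -eq 'Junction') {
        Remove-Item -LiteralPath $bak -Recurse -Force
        Write-Host "moved: $src -> $dst"
    } else {
        # Roll back: remove whatever was created and put the original folder back
        Remove-Item -LiteralPath $src -Force -ErrorAction SilentlyContinue
        Rename-Item -LiteralPath $bak -NewName $leaf
        throw "junction for $src could not be verified; original restored"
    }
}
```

Afterwards, `fsutil reparsepoint query <path>` confirms that the old path is now a junction and shows where it points.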
- Regionalization
  - Change the date/time format to YYYY-MM-DD hh:mm:ss in both the Regional Settings of your OS and in your forensic software, e.g. EnCase; it makes a HUGE difference when you look at timelines
- Fonts
  - If you code, use programming fonts
- Reading
  - If you read PDFs, swap Acrobat for Sumatra
- .NET decompiling
  - ILSpy does it pretty well
- Regedit
  - Add Favorites for the most commonly used registry keys – you can also use RegJump from Sysinternals to quickly navigate to a specific key
- IDA, Hex-Rays Decompiler & OllyDbg
  - Build a habit of collecting plugins and scripts – even if not immediately useful, the source code of an existing script/plug-in can save you a lot of coding time; the Hex-Rays Plug-In Contest is a good place to pick up a few plugins (note: some of them crash randomly – it’s not production-ready code, so it is best to keep them disabled by default and enable them only when you need them; some of these plugins also slow down decompiling)
- Procmon/Regmon/Filemon
  - Build a list of filters and save it
  - Add highlighting for operations that modify things (e.g. write operations)
- Process Explorer
  - Let’s face it – it has to be retired, as it’s way behind Process Hacker
  - If you really need to use it: on a 64-bit system Process Explorer (which always starts as a 32-bit process) extracts the 64-bit version of itself and then runs it; you can extract this 64-bit version directly from the 32-bit .exe and rename it procexp.exe. The alternative is to run the 32-bit Process Explorer and then copy the 64-bit version from the Temp folder – the next time you run procexp.exe you will start the 64-bit version directly, which is always one process less to run
- Temp folder
  - Clean up the temp folder regularly; some forensic software drops large files into your temp folder and they just stay there
- Chrome cache
  - If you use Chrome and download large files, the temp/cache files end up stored in the program’s directory forever; it’s a good habit to have a look at it once in a while and remove them (look for a ‘File System’ folder)