Brett's Ramblings


Don’t look back.  Try to keep up.  This is #DFIR.

I do a lot of peer-reviews.  Much like a case study (another one is coming up by the way…), a peer-review of the sort I am talking about is a line-by-line read of a forensic analyst’s report.  Then reading it again, then again, and a few more times, all the while red-lining items of interest.  Basically, I am hired to read your reports and tear them apart.  Before you take that the wrong way, sometimes I am hired to read a report written by an expert who was hired by the same attorney that hired me to tear apart the report.  My aim is to make sure the report is good, insofar as my opinion goes.  I’m not a spell-checker or grammar cop, but I work on finding inconsistencies and where the analyst may be weak in their work, experience, or training.  I help with what to expect on the stand, and conversely, I help attorneys with where they can focus on opposing witnesses during cross examination.

Now that this is out of the way…

Here is something I come across often: lack of continued education.

In the world of computing, if you don’t keep up your skills with today’s information, you will be outdated in a year or two.  That which you believed to be true yesterday may have been proven false last year, or may no longer be relevant.  If you plant your feet on what you know today and refuse to move forward, you will grow roots and the DFIR world will pass you by faster than a long-tailed cat running out of a room full of rocking chairs.  I would go so far as to say that if you spend 5 years in college learning DFIR, by the time you graduate, much of what you learned in the first year or two will be severely outdated.

Some of the rationales I have heard for not continually attending training or education include:

“I’ve been doing this for 10 years and know how to do it better than anyone.”

“I’ve been doing this before you got out of diapers.”

“I don’t need training because I can teach it better than anyone can teach me.”

“The technology is basically the same.”

The problem is that during a peer review, when I see a boilerplate bio or CV that shows the last training or conference attended was two or more years ago, it screams to me “OUTDATED!”.  This is not always the case of course, but for the vast majority of us, if you aren’t updating your knowledge with some sort of formalized training or education, you might get called out on it at some point.  How valuable is a Computer Science degree from 2002 if nothing has been done since 2002 to keep up with technology?

Of course, if you are a researcher, or you publish the information you discover, or you research-teach-research, you are probably exempt from “taking a class” as you are on the cutting edge.  You are one of those who create the information to be taught in the classroom.  You are the source of DFIR information.  That looks great in court, by the way.  For everyone else, be sure to sit in some classroom or conference on a regular basis or it will not look like you are working to keep abreast of the field.  If for no other reason than to show that you are current, keep current.  Pick a class.  Any class, but pick one.

You don’t need to spend $20K a year on training to stay current.  You don’t need to attend out-of-state conferences every year either.  If you can do either or both, more power to you.  But most of us are (1) busy, and if we are not busy, we are (2) really busy.  But you can do some things.  You do these things for “credit”, aka credibility.  You need to look at what you do to stay current a little differently.  Everything you are doing outside a classroom is assumed to be informal or unstructured (aka: not credible).  I suggest that you structure your efforts to give them some formality that you can use for credibility.  Turn yourself into a living classroom.  If you do something outside the classroom that would have been good to have learned in a classroom, write it down.

  • Read.
  • Test-practice.
  • Research.
  • Talk.

Your reading should be DFIR heavy (whichever part of DFIR you do – DF or IR, or both).  Books are good for a few reasons.  You put them on a shelf and you can pull them down anytime as a reference.  You can list them in your CV.  You can cite them in reports.  A book will last your lifetime because it can’t be deleted, or hacked and defaced, like a website can.

On one court case, the court wanted to physically see every DFIR book I owned and had read because I said I read a lot of DFIR books.  The next day in court, I brought the books I still had (I had previously donated older books).  This made an impact in the case, especially when I made sure to point out the extensive notes I have made in most of my books.  I needed a dolly to bring the boxes of books, and more than half my books are on my iPad :)

Blogs are great because the information is hot.  Sometimes, the information is so hot that the research and testing was completed only hours before you read it online.  You cannot get fresher information than you can with blogs!  Pro-tip:  when you find something really good in a blog, save it (PDF it, download it, etc…).  Blogs disappear without notice and you don’t want to reference something that doesn’t exist anymore.

Your regular work doesn’t really count as practice, but you can develop practice scenarios based on your regular work.  For example, when you put documentation about Shellbags in a report, be sure that you have practiced it too.  If you are ever asked “how do you know” something, you want to be able to answer with (1) I was taught in this specific class, (2) I read it in these specific books, (3) I corresponded with these specific experts x, y, and z, and (4) I tested-practiced the same scenario in controlled environments.  My common answer in cross examination to ‘how do you know’ is ‘because I personally tested it’.   I saw it with my own eyes.  I have seen this exact issue in a dozen prior examinations.

Research is fun.  Seriously.  When you research for an answer and find it, your retention of what you learn is so much better than from posting a question on a forum and waiting for someone to spoon feed you the answer.  When you uncover the answer yourself, you will remember it and understand it much more than you can otherwise.   Document your research, because you get credit for research only when you document it!

Some of us don’t like talking with others.  The computer is an easier companion.  Sure, a computer can cause some grief by not doing exactly what we want, but generally we can make the computer do what we want.  Talking with people is a skill that we also need.  When you talk to others in the field, you are learning.  You are advancing your knowledge.  That goes both ways, because by talking with someone else about DFIR, you are both sharing and both learning at the same time.  When you can say that you conferred with another practitioner, discussed the issue, shared experiences, and walked away with more information than before, you earned credit.

I give this advice mostly because this is the one area I see totally lacking in reporting (for legal documents such as a forensic analysis report, not internal documentation on a security breach), yet it is the easiest hole to shore up.  Take a class.  Read a book.  Research and practice.  Talk with a peer.  Do these things and you’ll be 75% ahead of the game.
