1. Be the Bloodhound.
The Bloodhound has the best nose of any dog and can track down almost anything. A DFIR'er should be like the Bloodhound: if the evidence exists, you can find it.
Evidence: Where is it?
Tools: Where can I find the tools?
Training: Where is the training?
2. Think like the Squirrel.
Squirrels may look cute and innocent, but they are always thinking, planning, and hiding what they are really up to. The better DFIR'ers are constantly thinking, planning, and staying a step ahead of every obstacle that comes up.
Training: Which training do I need? Which training fits me best to learn?
Evidence: What constitutes evidence in a specific analysis?
Analysis: What does the data mean? How do I interpret it? What are the connections?
Investigative: What is the adversary thinking? What was the adversary’s plan?
Reporting: How do I accurately and concisely get the point across to someone else?
3. Work like the Honey Badger.
The best DFIR'ers don't give up. They dig and dig and dig until they get what they need to solve a problem or close a case. The only time they might give up is when they are forcibly taken off a case and put onto another. Otherwise, once they have been given a mission, they follow it through to completion.
Tenacity: What will it take to overcome every obstacle in this field, in this case, or in this one problem?
Some lucky DFIR'ers instinctively have all of these traits. Others have some, or maybe only one. All DFIR'ers can learn and employ all of the traits if effort is applied and time is carved out for it.
Do you want to know the secret to getting this?
The secret is that there is no secret. The way the most famous or most competent DFIR person does it is no different from the way a high school student learns how to do it. For example: read a book on the subject. Watch a video. Take a class. Practice on your personal device. Search for and experiment with different tools. Really. That's it. No one has special access to special tools. Everyone has access to the same things; it is what you do with what you find that makes the difference.
Take a forensic artifact of your choice as an example. It may not take extreme skill to find an artifact using any one of a selection of forensic tools. But it takes tips 1, 2, and 3 to use a forensic tool artistically, scientifically, and even experimentally to squeeze out of that artifact what you need in a case.
Never sit idle.
The day you think you know it all, or know enough, is the first day your competence begins to degrade. Period. As an example, if you did nothing today to improve at your job, your skill and knowledge degraded. BUT, if you did just one thing, such as watching David Cowen's Forensic Lunch, you would have learned (if you didn't already know) about:
- New tools, like RustyPrefetch
- New books, like from Harlan Carvey and Brett Shavers
- Current happenings in the DFIR community
And that knowledge takes less than an hour of your time, with virtually no effort other than focusing on the discussion and taking notes when you hear something to follow up on later. Do something every day, whether it takes 5 minutes or an hour.
If you happen to be naturally inclined for DFIR work, congrats. I’m a bit jealous, but certainly not in the least bit discouraged, because I am the Bloodhound, I think like the Squirrel, and I work like a mission-focused Honey Badger. You can do the same, and maybe even better :)