dfir blog

All about dfir.

I only do 10%.

I’m on the second day of a conference for the second time this year, and 90% of the time I am hearing information that is, more or less, a “refresher”. Before you take that as a complaint, stop right there. If anything, I am complimenting the 10% that is super great information, in effect “refreshing” information. My goal is to find that 10% so I don’t waste time on the 90% I don’t need right now.

Most likely you are like me: time is scarce, not only for learning the latest and greatest things but even for keeping up with the field. To solve this problem, I have my 10% rule. I focus only on the 10% I need at the time I need it. The trick is quickly figuring out which 90% to avoid wasting time on.

I also know how I learn, which is probably the most important thing to know in any line of work. If you learn by doing but spend all your time trying to learn in classrooms, you won’t learn effectively. For me, I am a visual, hands-on learner. I watch and physically repeat what I saw (listening is important too, but primarily if I ‘see it’, I can ‘do it’).

For any task or skill, I immerse myself in it completely, ignoring everything else, with the goal of mastering 10% of the skill quickly and soundly. From there, learning the remaining 90% will come through practice as I get to it. But I have to master the 10% first. As an example, take the Windows registry. You don’t have to master the entire registry to be an expert in its most common artifacts. Master the basics first. Learn the advanced material as it comes.

Little things I do to learn in DFIR include:

-Taking copious notes. I write down everything. I have notes in every DFIR book I own. I have highlighted my books in every color ever manufactured. I do this because I almost always need to refresh what I learned or check back on a point I made to myself. Don’t worry that the book you bought cost more than $50. Write in it! Highlight it!

-30 minutes a day dedicated to something in DFIR, every day. I spend 30 minutes every single day, unless I am physically incapacitated with an illness, consistently learning something specific. This comes out to over 100 hours a year even after discounting the days that I simply can’t spend 30 minutes studying. The level of skill you will achieve doing this will make you an expert in that subject within a year. Don’t believe me? Try it for a year. Get up 30 minutes earlier every day for a year, sit down, and learn one thing for a year. You..will..be..an..expert..in..that..subject. I promise.

-I am super selective in who I learn from. Because I have spent far more time than I wanted on poorly written books, incompetent instructors, travel, and expensive courses whose tuition I will never get back as a return on investment, I have become extremely choosy. I have cut my conferences down to a maximum of two per year, whether I am attending or presenting. It’s not the cost of attending as much as the 90% of content I don’t need. And for each class I take, I prefer to learn from someone I know knows what she or he is talking about.

-Repetition saves me. If I can repeat what I see, I can learn it. If I can learn it, I can master it. If I can see it more than once, it speeds my process of mastering it. This is the biggest reason I am a fan of recorded courses: I can rewind, watch, practice, rewind, watch, practice, master the skill.

I have said on many occasions that I am not a fan of cheaply made videos (Udemy and YouTube come to mind) for several reasons (http://www.dfir.training/index.php/blog/free-dfir-training-is-great-except-when-it-s-not), which I won’t repeat in this post. I like training videos. Correction, I thrive on training videos, but only the good ones. Yes, even a cheaply made video can have great info, but I don't have the time to weed through a dozen hours of video to find 10 minutes of gold nuggets.

Some tips on avoiding the 90% of material you don’t need:

  • Don’t read books cover to cover.
    1. Read the sections you need, when you need it.
    2. Read the rest of the book when you have nothing else to do.
    3. I read and write/highlight and move on.
  • Don’t take any course that you don’t need.
    1. Sure, “Conducting Memory Forensics Underwater” sounds cool, but is it necessary?
    2. You already took “Bootcamp 101”? Do you really need to take it again?
  • Check the conference agenda BEFORE registering.
    1. “Just because everyone attends” is not good enough reason.
    2. Go to the breakouts that matter. Skip everything else.
  • Staleness
    1. Is the thing you are looking at more than 2 years old? Is it still relevant?
    2. Some things never change, some things change weekly.
  • Choose what you want to learn and only what you want.
    1. Ignore the rest.
    2. Focus (master) what you want/need to learn.

As far as training vs. education vs. self-learning, I do all three. But I only do 10% of it.

P.S. If you teach anything in DFIR, be sure to teach the 10% and don't fill time with the 90%. And if you find someone who teaches the 10%, stay with that trainer or organization; it is the biggest time saver you can have when mastering skills.




Sunday, 30 April 2017