Some cases can’t be closed. It does not matter that you can’t figure out whodidit or howtheydidit, you just can’t close the darn file until you get something. I have quite a few of those. I regularly pull them out when I have a break to see what I missed. Sometimes I realize I overlooked a small detail, like a grammatical error, but mostly, the cases sit there. Some of the cases were here even before I got to this desk, leftovers from someone else who used to work here.
So, here’s what I’ve done over the years to cut down on the cases I really want to be off my stack.
- Pawn them off on a new guy.
- If I can’t pawn it off, I wait a few weeks.
- Try to pawn them off on a new guy.
But seriously, I try to close every case, but there are some hard ones, especially difficult in certain types of cases. What I really do is go to training and read. I read a lot. Then I read more. I take training when I can get it. I have taken so much training that I have taken the same course more than once because I forgot I had already taken that particular course. I’ve done that twice by the way…same vendor too. Duh.
As much as I don’t like watching YouTube videos on forensics, I do, just in case I can find a nugget of value in the ocean of poor quality videos and commercials. Sometimes, I find a thing of value on YouTube. I read blogs a lot. You can tell by the fact that I put blogs up on the home page of dfir.training. I do that so I can find which of my favorite 180 DFIR blogs have been updated. Takes me all of 2 minutes to check 180 blogs if I check every day.
And then I take more training. Internal training and external when I can get to it. Conferences on top of that. I have been taking online courses for the past year or so with mixed results. Then again, most of the training I have taken is mixed. Timing is important too. I took NTI's (http://www.forensics-intl.com/whatsnew.html) 5-day course because of its reputation. When I saw that the software was all DOS...on floppies...I knew I should have gone to Hawaii that week instead. That was right about the time they shut their doors.
I admit, going to Vegas to hang around poolside, drinking and eating as much as I can without pulling out a wallet is nice. Sitting in a room full of 500 people listening to a speaker talk for an hour is OK, but only if you are close enough to feel you are in the same room (otherwise, may as well be on YouTube since I can see the screen better).
I have taken about a dozen online courses ranging from the big vendors (like the vendors that charge thousands for a dongle…) to the little guys (like the unknown people putting on courses at Udemy.com). My opinion with online courses is that the instructor needs to know what they are talking about and if it is software based, the software better work. I took a software course for a tool that is no longer sold and the reason is because it didn’t even work in the class. I won’t name the tool, but most likely, you have heard of it anyway.
I’ve taken courses from presenters that knew as much about forensics and incident response as I know about building a space shuttle. When the instructor reads from a book or manual, go back to work at your office or start hitting your thumb with a hammer. I won’t bash the vendors or instructors, but if I am right, you probably feel like you took the same training and tried to use the same software that I am talking about…
An online course I just finished is Brett Shavers’ Placing the Suspect Behind the Keyboard. I mention this because I just re-opened two cases because of the course. Two cases that really need to be worked, and I not only booted the cases back up, but anticipate being able to close them. The last training event I went to, I learned a few things that helped me the very next week, but those were little artifact things. The things I tried this week are different and the bosses are happy with what I’ve done. All because of a few things I learned over the weekend with an ONLINE course. Who would have figured? My faith in online training is still on the fence, because it depends on the topic and the presenter. If either is bad or unknown, I'm out. I will mention that any SANS course is worth its weight in gold, but unfortunately, one course costs about as much as two gold bars.
My point for this post is two-fold.
One, I’m bragging about cases that I won’t be able to brag about publicly, but I’m happy to brag anyway.
Two, keep taking training. Keep reading. And learn something new. It’s amazing how you can apply the simplest of ideas to solve the biggest of problems.
Clearing out old cases each day keeps the bosses away.
Quick side note: my goal is to clear a lot of cases that are known to be return-to-file before I retire, which is coming up soon enough :)