I’m fortunate to have seen the DFIR field change well beyond anything I could have expected. I started in “computer” forensics when Encase was on floppies, SafeBack was the imaging tool of choice, Norton Disk Editor was part of the toolkit, and we would literally seize entire computer systems as evidence in case we were told to rebuild everything in court (never happened). And we called forensic images “mirror images”. And we pulled the plug...every single time. Times have changed (for the better!).
Also, the answers on how to do forensics were not on the Internet. There were a handful of books written on the subject. Every day was a new day in figuring out something. No one really shared anything. Most of what we did was guesswork and trial and error.
Then came a few things to change it all. We communicated more. We shared more. Conferences popped up to share methods. Software finally was starting to do what we needed. Books were being written on forensics. Everyone was writing white papers (aka: PDFs) on every aspect of forensics for everyone to read and learn from. We began to realize that we didn’t know as much as we thought when we started, but were catching up. This was the height of learning how to do the job, finding a new book-of-the-week on some topic being released, and blogs galore on everything. And we moved away from “computer” forensics to the more appropriate “digital” forensics and incident response. When colleges start making degree programs out of thin air, you know the DFIR field has come a long way.
But something happened lately. The number of DFIR books declined. Prolific bloggers either retired or grew tired of blogging. Conferences increased their tuition tenfold with software licenses keeping pace with the price of conferences. I still miss some of my favorite websites. I admit that Twitter has filled much of this gap, as long as the timeline is not full of politics. It seemed like the field became quieter, at least in the manner of being online to share information. Did we learn everything already? I don't think so.
As to books, pretty much the field has been inundated with every sub-topic under the sun, but I can’t help but think that the lack of new books is somehow related to over-saturation and maybe a lack of effort put into writing (that means me too). I have found that many of today’s DFIR blogs are becoming vendor websites that have a blog that indirectly or directly markets a product that they are selling. I’m not too much of a fan of those blogs, but of course, we are lacking elsewhere.
Then comes along the Phill Moore effect.
The DFIR Door Kickers
I have seen a spike in the number of blogs that have gone from inactive to active, the start of new blogs, the start of new podcasts, and the talk of new books being written on topics that I never thought of before. I partly credit (or blame) Phill for this. If you write about DFIR, don’t worry, as Phill will catch it and note it in his blog. If you don’t write anymore, or you don’t write enough, don’t worry. You won't be in his blog. Don't be that person. Get on his blog by joining the conversation to share and communicate what you do. This is the Phill Moore Effect.
This post may sound like a love letter to Phill, but my intention is to say that in this field, there is a constant. That constant is the number of people that you can put on a short-list that have a dramatic effect on the community as a whole. These folks put themselves out front and risk public embarrassment and failure if they screw up or say something incorrect. It takes a lot to do that. These folks are the DFIR Door Kickers. Usually, the first through the door gets shot or attacked or trips and falls. They can only hope to perform well in front of everyone else. The rest of us just follow the door kickers as they clear the way for us. Less risk for us. All the risk for the door kickers.
Understandably, some in the DFIR community simply cannot go public due to their type of employment or employer. For everyone else, it is a conscious decision to remain quiet and benefit from the short-list of DFIR Door Kickers. That is the way it is and always will be. Harlan Carvey has commented a million times on the lack of sharing, which I tend to agree with in terms of the total number of us, but disagree with overall because there have always been a few that always share and communicate. Harlan has been the door kicker of door kickers. There are a select few others who will take an email question, give a presentation at the drop of a hat, write up something to post online that they worked on or discovered, and even admit when they are wrong.
If I were to make a list of those who have jumped on stage to share their research, their thoughts, or offer mentorship, I am willing to bet that your list of names would match mine. There are simply only a few steady diehards who are first through the door with the rest following behind. Consider your DFIR book authors, instructors, and software developers as those first in the door where we all follow behind. When I have the opportunity to meet these folks, I always, without fail, give them credit for their work and a thank-you for sharing. We are human, and if we don't give credit where it is due, eventually the effort it takes to keep sharing will dwindle when appreciation is not felt from the community. Do you want to know the most effective way of saying 'thanks' to the DFIR Door Kickers? Point out something you learned from them that directly impacted a case you worked. That is what makes the difference. An informative talk is nice, but when you can apply it to a case, that is what makes it worthwhile.
One thing you may notice with the DFIR Door Kickers is that they don't toot their own horn. I've not met an arrogant DFIR Door Kicker, but every single one of them that I have met has told me that they learn as much as the rest of us every day, even when they are teaching, researching, or writing about DFIR.
As I already mentioned Harlan Carvey as being one of the earlier DFIR Door Kickers, I’d like to add Phill Moore to that list too, because his blog influences every other DFIR blog out there. How do I know this? Because I wrote this post because of it.
Damn you Phill Moore………you’re making me write more… 😊