DFIR Tools are evil, but only if you are using the wrong tool.



Published Date: May 11, 2022

By "evil", I mean that if you use the wrong tool for a task, you will call that tool every name in the book, even though that tool is doing exactly what it was developed to do...

Today at Techno Security (Myrtle Beach), I gave a talk based off a post written some time ago (https://brettshavers.com/brett-s-blog/entry/the-most-important-tool-in-dfir-that-you-must-have).  The entire presentation can be summed up in the title:

It’s Not The Tool, But The Examiner That Does The Forensics

This was the first time that I ever gave this talk and the intention was to give as many gold nuggets of skill building advice as possible, in the shortest amount of time, that would cover anyone who was listening.  I planned on stuffing 3 hours of talk into 1 hour.  Sometimes, that means skimming so fast over everything that nothing gets retained, but I think I did what I wanted to do in getting some points across.

If you were there, you heard it already, and if not, I may do a webinar repeat of it in more detail at some point.

There were a lot of tidbits of tips and guidance that I gave, but the primary objective was to be somewhat of a coach to the room, telling everyone to do better every day with a game plan laid out in front of them. I also said that I’m not their mother, so don’t expect me to validate poor effort when better effort is needed.

One of my motivations for talking about tools in this presentation was spending a few hours on the vendor floor, speaking to as many as I could (I couldn’t stay the entire conference… so I had to be a little picky…). There has not been a conference where I have not been impressed with the increased functionality of today’s DFIR tools. For the vendors where I stopped to talk, I didn't want to leave your booth... and I still couldn't get to every booth...

There was not a tool vendor that I spoke with that did not have an amazing tool, whether it be hardware or software. Some of those I put up on the big screen because I wanted them in my DFIR collection 😊

With that, there has not been a conference where I have met such a great group of people working toward the same goals, having amazing personalities and perspectives. Great people all.

To those who heard my presentation, you’ll be happy to hear that for the three days here, I wrote down three things that I learned. One of those things I described in the talk. The two others… those are mine to reflect upon.

And to the sponsors of Techno Security vying for everyone's attention, keep up the great work in development and training!

