DFIR Training Blog

   


 

The Dearth of Documentation in DFIR

What a time to be in the field of DFIR! If you have being doing this work since the days of the floppy, you surely must be as excited as me. If you just entering the field, you will see even more advancements in the future than your predecessors have.

But let’s get on with one of the most important topics that is making our skill levels advance more than anything else has ever done before: Instant documentation and sharing.

Many in the field have written (and keep writing!) and about the importance of sharing and documentation. Without getting into ethical questions in the field about sharing special discoveries, I want to talk about sharing generically, but specifically in the physical manner of sharing.

 

The Internet gives us so many platforms to share information that it is practically impossible to keep up on it all. You cannot “follow” everyone. Google won’t find everything. Some platforms won’t give you access (only specific groups of people can access, such as LEO-only), and some platforms are simply too difficult to keep track of the information that flashes across the screen only to disappear into the “blackhole of great information but no one saw it”.

For the DFIR info curators, the DFIR blog is the number one source of information , mostly because it is semi-permanent, easy to find, easy to bookmark, and most always accessible to anyone with Internet access without having to have a special account to access.  

Other means of dissemination are faster to put out and faster to reach an audience. Twitter is a prime example of being able to send out a bit of information in seconds that can potentially reach millions instantly. The negatives are that most tweets are not well-thought out, lacking depth, can be deleted, and are quickly buried in seconds by hundreds of newer tweets. On top of that, if you don’t follow the tweeter and no one that you follow retweets the wonderful information, it is as if it were never typed in the first place because you will never see it. In all likelihood, there have been outstanding tweets of information that were so quickly buried that few people even saw them.

Social media platforms like Facebook and Linkedin are only a little better in the sense that the posts seem to last a little longer, but still are not going to be as in-depth as a well-written blog post on research.  Worse yet is that viewers need an account on most of these services in order to be able to see the posts.

In between the sites like Facebook and micro-blogs like Twitter, we have Discord , Slack , and other chat services. Again, you need to be a member of the group to access, the information in many of these services fly by the screen and is buried in a blink of an eye. And to even know about one of these services is to be lucky to catch the info on Twitter or be invited to the inner circle through contacts you have.

Based on research on social media content's lifespan from http://blog.hcpassociates.com/how-long-does-content-last/ , consider how the following graph relates to the DFIR information that we share.

 

Length of time content lasts on various platforms

The books and journals throw this graph out of whack since the content in a book or journal is measured in decades .  But let’s take away the books/journals. Here is what we get for content lifespan.

 

Length of time content lasts on various platforms (minus books/journals)

So here you can see that a blog’s content remains for about 2 years , but still, other social media is not even registering on the chart.  After this point of blogs, information doesn’t last longer than hours or minutes ( 18 minutes is Twitter’s lifespan! ). This chart doesn’t even include chat services like Discord, which I would imagine has a lifespan of way less than Twitter, maybe even lasting only seconds.

Add to this the closed lists, closed forums, and closed chats to get the real picture of how much information does not reach the practitioner or is stored with any permanence.  Couple this with the amount of time that anyone has to keep up on dozens of services and you get a very dark picture of how much we know compared to how much we could know.

Therein lies the issue. The faster the information is disseminated, then faster it disappears, or worse, is never seen. The slower the information is made available, the more people that have access to it, but relevance begins to fade over time. 

Some suggestions:

* Substantial/important information should be documented at least to the level of a blog post. The tweets and chats should be short bits of content with reference to the blog posts.

* Blog it on your blog

* Guest post it on other blogs if you don’t have your own blog

* Guest post it on other blogs even if you have your own blog

* Publish it formally

* Do the above, plus..

* Have it peer-reviewed and published

* Make a video about it

* You can do wonders with a short, 3-minute video

* You can embed the video in your blog post, tweet, and update when necessary

Time is always going to be an issue to research and share. Many of us barely have the time research, or fully dive into something unusual we come across in our daily duties. To require more than that is a lot to ask, but it is not unreasonable to ask to share bits and pieces as you can.

One thing I can advise, is that if you don’t share what you find, someone else will find it.   And someone else may share it and clearly take credit for something you could have taken credit for. If credit is something that drives you, you need to put your name on it. If you don’t like discovering something and someone else taking credit for it (when you never gave notice of your find), then you better share what you find. I’ve spoken to a few folks who have complained as if someone broke into their home and stole their research to publish, but in fact, who ever finds it and publishes it first is the person who discovered it, whatever ‘it’ happens to be.  

As for me, these complaints fall on deaf ears. Put your name on it or someone else legitimately will (this goes for individuals and corporations).

I use Twitter in the event that I happen to come across something really hot that needs attention. But I also know that I miss 99% of everything that comes across on Twitter because I can’t live on Twitter. The same with Discord, closed forums, and such. The time it takes to log into a service and maneuver through it to find information is mostly time I don’t have. But I monitor blogs on a daily basis. There are hundreds of blog RSS feeds at dfir.training that I check daily (many times a day sometimes) to save time in clicking bookmarks to see who has updated what on which blog. Blogs last longer enough that I can check a few days later and not miss something. If you miss 10 seconds of Twitter, you will miss something. Phill Moore also saves me a lot of time with his blog  which tends to catch things I missed.

So here's the point:

--Blog

--Blog

--Blog some more

--Tweet about your blog posts

--Let the blog curators (like me and Phill ) know about your blog to help it get traction

**Update**

More on the Rapid Peer Review for DFIR blogs is coming. There is a special ops team led by Jessica Hyde on a mission to figure something out to benefit the community, the researcher, and just as important, the reviewers. One of the issues I see is that of ownership of current methods of publishing and peer reviews competing with several options of doing this differently. Mostly I dread someone taking a stance that their way is better, regardless if it is better or not even a competing issue at all. My personal goal is to help create a system in which those would not have published before, will be able to publish now, not to take away from anything that anyone else is doing. The point is to share, make it easy to share, and make it easy to use the shared information.

Written by :Brett Shavers

{rscomments option="com_rsblog" id="31"}