This post is about DFIR Review . I want to get that out of the way first. Before I get to DFIR Review, I want to talk you into submitting your work to DFIR Review. If you are ready to submit now and don’t need to be convinced to share your work, feel free to skip the “why” and go straight to “how” toward the end of this post.
DF/IR work dynamically changes more often than any other professional field. New developments, processes, procedures, and discoveries keep happening. It never ends! This is also what makes it such an exciting field to be part of.
Just by simply by doing the daily work in the DF/IR field, we come up with creative ideas to solve both new and old problems. Some of the ideas are incredibly ground-breaking and others are small tidbits of improvements, but both are newsworthy (aka: shareworthy ). But what do you do with your work? Do you keep it to yourself or share?
Defining “work” : I am defining work to mean your ideas , creations, developments that improve the DF/IR field. Something that you labored to make something possible that was impossible, easier when it was harder, or accurate when it was wrong. I am not implying that “work” to mean your actual analysis of cases! The concepts of improvement are more important than details of a specific analysis.
My point in one-pointedly pointed statement
Share your work with the DF/IR community!
The nitty-gritty, aka: “What is in it for me?”
To do anything, there must be a benefit. Otherwise, why do it at all? The benefit can be to the receiver or the giver, or both. In the case of sharing DF/IR developments, the benefit goes to all. But how specifically does sharing your work benefit you specifically and the community?
Let me first digress a minute in the “how” and "why" to share by referencing several blog posts. I would be doing a disservice by paraphrasing these posts, and I recommend reading them in their entirety. Encouraging the sharing of DFIR work is not a new concept but does need reinforcement occasionally. Unfortunately, there are too many of us not sharing...
The Personal Benefit
Of any personal benefit, one will be more important to you than another, and the importance varies from person to person. Therefore, I am not implying that any of these are more important than another.
- It is your work.
Many of us avoid taking credit for our work. We don’t want to be in the spotlight, and we don’t want to seem arrogant in taking credit for our own work. I get it. With anything that anyone does, there is always a huge support system behind us that helped us with inspiration or labor or ideas. Taking personal credit when so many others were part of your work seems a bit too much or that we really don't deserve credit for the work that we did. That sounds strange as I say it, but it is true.
However, if you did the work, or made the discovery, or created a new process, or even validated someone else’s work, you deserve the credit for your work ! Few people want to take that away from you and most of us want to give credit to you. So, take the credit.
Conversely, if you do not take credit for your work, I can promise you that someone else will. Either they will outright steal it or do it in such a way to make it seem like they independently did it. There is no polite way to say it, but some people in the world have no morals and will openly steal the work of others, smiling while they do it, and rationalize it all the way. This is usually immoral, sometimes illegal, but always irreprehensible. Having been on the receiving end of this sort of theft, I can say that it is not a good feeling, but it is certainly a learning lesson.
Tip: Stake a claim in your work because it is your work! If you don’t, someone else will. DFIR Review does this for you.
- Professional development
If you are a team leader in an organization, you (should) understand the importance of giving credit to the team. Sometimes this bleeds over to your own individual work, where you may share credit that is deserving only to you, but you share it with others who may have nothing to do with the work. The decision to do that is up to you, but if I share credit, the credit is shared with those who deserve it.
For your professional development, no one is going to recognize you for each thing that you do. Sure, you might get kudos here and there, maybe a shout out on Twitter for something you wrote, but overall, these are fleeting moments that briefly recognize something that you did and will be quickly forgotten. It is a short-lived feel-good moment for hours or months of labor that is not going to help you in your professional development as much as taking formal credit for your work.
We document everything that we do and documenting your work in a manner that stakes a formal claim in your work furthers your professional development. By professional development, I mean this to include your resume/CV , court testimony , expert qualifications , promotional benefits , credentials , and gaining an edge to be hired over others who are not taking advantage of owning their work.
You might not be considering or even thinking about teaching in the academic field today, but a suggestion is that you also might not want to eliminate this option in your future. The academic field needs you when your time is right to teach. Part of formally claiming your work today will benefit you in the academic field tomorrow.
Tip to supervisors/managers/leaders: You better be encouraging your people to get credit for their work. Your duty is to develop your people. Don’t steal their work. Don’t let others steal their work. Make sure credit is given to those who earned it. Teach them. Develop them. Encourage them. Your goal is for them to be better than you.
- Push the DF/IR Community Forward
You are only doing this job with the processes and procedures in front of you because they were initially shared by someone else. Then others took that work and improved upon it. Then others improved it again. Processes, procedures, and tools are the byproduct of previous work that was shared. Had nothing ever been shared, there would be no DF/IR field.
Unfortunately, we have become lazy. We expect to be given the answers to the questions that we should be figuring out for ourselves. We demand that procedures be handed to us and that we just follow the checklist so that we don’t have to think about what we are doing. By “we”, I mean as a community, not every individual.
As a side note, there is nothing wrong with using boilerplates, templates, go-bys, or examples or affidavits and reports. But these are starting points. These are guidelines. They are suggestions and recommendations. It is your responsibility to make them fit your needs. It is your responsibility to improve upon them for appropriate use. We all use them as part of the job, but part of our responsibility is to improve them.
When you share your work with the community, you not only improve the field, but you will inspire others to take your work and expand upon it or dig deeper into a small aspect of it. Your work will be the foundation, or the starting point of new work, which exponentially propels someone into making another great find or an artifact or process or software development.
Although this is a community benefit, I promise that you also gain a personal and professional benefit! You will be inspired when someone takes your work (while giving you credit!) and builds upon it or goes in a totally new direction because of your effort. There are few things in life more satisfying than being the spark that makes a big change that benefits many or any one person.
Tip: Sharing with the DF/IR community makes the community better because of you.
But what if I am not allowed to share my work?
I get that. I have been in those shoes before. For the most part, I still am. There are valid and uncontrollable reasons for not sharing your work, but there are also workarounds for some of these reasons. As far as what to share , I am not suggesting that you share absolutely everything that you do with everyone on the planet. That would be unreasonable and unnecessary. I am targeting the work that makes a difference for the community. For example, if you write a tool that works wonders for you, most likely, it will work wonders for others. Or a process that you developed streamlines labor and saves minutes, hours, or weeks. These types of work propel the community. Share what you can, when you can, if you can.
Generally, every one of us falls into one or more of three sharing buckets.
- Does the work but doesn’t share with anyone.
- Does the work but only shares internally.
- Does the work and shares with the community.
The first bucket is that of doing work and not sharing with anyone, which seems to be most common. Whether it be shyness or lack of confidence of your work, the result is that no one sees it, it never improves beyond your ability, and eventually either fades away or someone else comes up with a similar idea. For some organizations, nothing can be shared outside the organization, regardless of what the work is. Even redacted, filtered, or sanitized portions may not be allowed for sharing. Think about work in national security being one of these instances. Those with security clearances are under heavy scrutiny in everything they do, so to share anything is either strictly prohibited or the procedure for approval is too much to bother with. This would include legal restrictions and can be quite serious criminal violations of law!
Outside of government, private organizations also have legal restrictions by way of confidentiality, non-disclosure agreements, and promises of not disclosing any aspect of any legal matter outside of a courtroom. Again, this is a legal restriction that can result in litigation against you. Abide by policies, contracts, and laws!
In either instance, I would not expect anyone to share their work that violates their legal and professional duties of confidentiality or security. However, when this is done, it can make an incredible difference, like when the NSA releases internal tools to the public.
The next bucket is related to the first, in that those working for an organization share their work within the organization, but not to the outside world. The reasons are usually the same as the first bucket in that the work cannot be legally shared outside the organization. Other times, this work is an internal tool that the organization doesn’t want to be used by competitors, but the time and expense to protect their internal work with patents or copyrights are too much to take this effort.
And then there are people and organizations that simply share their work. They are allowed to share tools developed for internal use, or they write tools outside of their organization to be shared, or the organization itself shares their work with free tools, downloads, and a blog post describing the amazing things that they are doing with some aspect of DF/IR. Think of the tools that we use constantly that are freely developed by others such as Eric Zimmerman’s tools , Harlan Carvey’s RegRipper , Alexis Brignoni’s tools , David Cowen’s Forensic Kitchen , and more). Your blog posts that you having been writing fit in this bucket!
DFIR Review https://dfir.pubpub.org/
How-to submit to DFIR Review
Go to DFIR Review ( https://dfir.pubpub.org/ ) and submit your work. That's all you need to do! The actual link to submit your work is on EasyChair at https://easychair.org/conferences/?conf=dfirr2020 , but the DFIR Review website should answer any question that you may have and give guidance for submission details. It's not difficult at all.
I have written about DFIR Review in the past as an idea for practitioners to get peer-reviewed credit for their work. The eventual team that got this project moving forward and in motion is deserving of the credit. Check out the DFIR Review committee and consider that everyone volunteers their time, effort, and personal funding to get this project going for the community!
Before you fret over having to think of a project, then plan that project, then research it, then write it, then edit it, and eventually submit it…STOP!
DFIR Review was created for the work that you have already completed. The title of this post is the point of DFIR Review. You wrote a blog post, so now why not have your post peer-reviewed? Having your work peer-reviewed is much more important than you may know. It is one thing to write a blog post, but quite another to have that blog post formally peer-reviewed and stamped with “The DF/IR community checked it. It is good and accurate.”
There are so many benefits to peer-reviewed work that I have written about constantly over the past years. My biggest complaint of peer-review is the length of time that it takes. A published book is a peer review method, as is submitting white papers through academic peer-review. Both of these take LOTS of time to gain approval. DFIR Review is a fast track to peer-reviewed work, especially for the work that you may have already finished.
Evolution of ideas
DFIR Review as it stands today did not start as it is. There were ideas, trials, and errors, and it evolves into a better system as we work on it. Your ideas work the same, so be hesitant with submitting your work.
As a historical reference of how we got here, a few of the posts that I’ve written (others have written as well) are below. The “Rapid Peer Review” name was part of the development process of picking a name that finally became DFIR Review .
Publish your DFIR Research – June 19, 2018
Publishing or Perishing in the DFIR World – June 16, 2018
If Peer Review is so Important, Why Doesn’t Everyone Do It? – June 24, 2018
The Rapid Peer Review – June 27, 2018
DFIR Review is here! – January 23, 2019
Take a look at your past blog posts. Is there something that you did that others use? Consider submitting it to DFIR Review. The tangible benefits are a DOI number (proof of community peer review), official recognition for your work on DFIR Review, along with a badge for you to put on your blog as a peer-reviewed work that you did. For the intangible, refer to all the benefits that I previously mentioned.
I bet that you have done work that you never put in a blog. If that thought crossed your mind, open up your word processor, and get started! Post that blog and submit the post to DFIR Review.
Here is more good news on DFIR Review: Unlike the traditional academic peer-reviewed white papers, we (practitioners and researchers like you), want the practical information. We are not looking for MLA or APA standards with fluffy words or highly academic-worded white papers. We are looking for the practitioner work that other practitioners can put to use today.
Think about this for a second. For a traditional peer-reviewed paper, it can take a year or more before it hits the stands, so to speak. By that time, the information may be stale and outdated. And maybe the information went around the community before the peer-review process was complete, negating the purpose of getting the word out formally in the first place. With DFIR Review, the hottest research is available sooner than any other method and can be spread throughout the community more than a single blog post.
One example is this type of information.
Would you rather wait for your work to be peer-reviewed in a year or 10x faster so that practitioners can use your work now? When you take work like this, put out to the community in the speed that DFIR Review can do, in a year’s time, the follow-up research on Chromebook acquisition will be years ahead than traditional peer-review. And your name (or your team) will be on it permanently. And don’t worry. Reviewers don’t bite.
What if you got nothing to share?
If you are a practitioner, and have knowledge is a specialty area of the field (Windows, Mac, mobile, cloud, anything!), consider being a reviewer of submissions. We need reviewers, as the more reviewers we have, the faster we can get papers released.
Which bucket are you in now?
Now you know the why and the how . You just have to decide the ' when '.