Some great discussions on Twitter and LinkedIn this week about the basics of DFIR. Harlan Carvey’s short but poignant post brought up this important topic: “Basic Skillz”.
“…what constitutes "basic skills" in digital forensics?” – Harlan Carvey
In my opinion, basic skills in DFIR are those skills that are common across the broad spectrum of the DFIR field. Or, put another way, all the things that everyone in DF and IR should know as a foundation: basics like imaging a drive or acquiring memory, knowing the components of a basic computer, basic network protocols, operating systems, file systems, data carving, and evidence-handling protocols. These are the things that we should all know through training, experience, or formal education. Many of the basic skills are second nature to some. As an example, evidence control for experienced police officers is a no-brainer. Building a standard computer for experienced IT professionals is also a no-brainer. Both need the same common skillsets (evidence handling + computer knowledge) to move forward in DFIR. And the basics, no matter how simple they may seem to the learner, have a far more important impact on future skills than the learner realizes at the time.
Who is doing it right?
Several organizations are off to a good start. FLETC and SANS are two that come to mind. Both have foundational courses. However, SANS leans heavily toward IR more than legal DF, and FLETC leans heavily toward legal DF more than IR. Both seem to be lacking in providing a basic foundation in both DF and IR training, although both are excellent training providers. Magnet Forensics is an example of a vendor providing a basic course, "Forensic Fundamentals (AX100)", so not all vendors are avoiding teaching the basics (there are others).
Who is doing it wrong?
The vendors aren’t. We are. Vendors provide training without concern for the basics (not their responsibility). Since there is no basic skill level requirement, we can jump and skip around with training. If you want, you can pay for and attend the most advanced course in DF/IR without having a bit of knowledge of evidence procedures or ethics. Vendors don't care, but then again, they aren't the ones who will potentially be called to the stand for not knowing a basic skill in DFIR. This is doing it wrong.
As of today, it is up to the practitioner to get a basic foundation. There are no laws, regulations, or licensing requirements to meet any standard in DFIR. So, it is up to the individual to find the appropriate training to cover the basics. Too many of us skip the basics, and that is where the problems will start.
I’m using the word “basics” to mean core competencies, foundational knowledge, common core knowledge, etc… or whatever you want to call it.
As far as teaching the basics, the process is already a tried and proven method. Many of us have already been through the process of training in the basics before jumping into the advanced skills. Some of us have been through this process several times over. The method works. Using any of the flow charts below, you can change the “boot camp” into practically any job field and see how the advanced topics are built upon the foundation. We have to stop skipping the foundation. For those who have taught forensics: I know you have had students in your classes who skipped the basics, which results in a negative learning experience for the entire class.
The questions remain
What constitutes the ‘basic skills of DFIR’, and what are the common topics that must be known across the entire DFIR field?
And if there is a belief that DFIR does not need the basics in order to work in this field, why not?