Saturday, 23 December 2017 12:48

I love DFIR software.  I hate DFIR software. Featured

Written by

When my son started playing tennis in middle school, he would blame losses on his equipment (“my racket is the problem. my shoes are the problem.” etc…).  His solution was to have a ‘better’ racket and ‘better’ shoes.  To prove a point that it is not the gear, but the user, we gave him ‘better’ gear.

The result was the same.  He quickly learned that blaming the gear didn’t work.  This is not to say that any tennis racket or any pair of shoes works for any game of tennis, but the point is that blaming the tools isn’t the best way to improve.  But as soon as he realized that technique, tactics, and strategy will win the matches, he improved drastically.  Never did I hear about the ‘racket’ or his ‘shoes’ causing a loss of a match.  Losses were blamed on something he did or did not do, or did not know how to do.  Even better, he won more matches by focusing on improving his skill, not his gear.

This is no different in DFIR.  Tools matter, but the practitioner matters more. 

Personally, I am a fan of software that (in order of importance):

#1-works as advertised

#2-reliable (few or no crashes/hangs)

#3-responsive customer service

#4- runs on a basic workstation

#5- easy to use

#6-fast

#7-inexpensive (relative to the work needing to be accomplished)

If numbers 1 through 3 are unacceptable, I will not buy, renew, use, or advocate the use of that tool.  I can work with numbers 4 through 7 ONLY if 1 through 3 are acceptable.  Your personal list may be different, but when I run a tool and push a button, I expect the tool to do what it says.  If not, and I cannot figure out the problem myself, I expect customer support to help me figure out the problem.  Otherwise, to have a tool that doesn’t do what it says it is supposed to do, crashes often, and you can’t get sufficient customer support means that you are just wasting your time forcing something to do what it cannot do.

Here is my solution. 

My answer is to move onto something else that works.  Much like life, working a DFIR case/incident is short.  You need quick, accurate answers.  Spending time to fight with a tool that doesn’t give accurate results goes against that goal.  I have no time to pay a software company to help them fix their tool that I have to pay them to use.

This post is not to bash against any tool developer, but to give an opinion of what users request.  If you say your tool does “x”, make sure that it does “x”. If you say that customer support is important, then give good customer support.   That’s it. 

Like most examiners, I have a tree of dongles in a wide range of colors.  Some I have purchased for a specific case, used once, and never plugged in since.  Others are used daily.   I have had some dongles that completely failed me as a software and by the company, for which I tossed into the trash can and never looked back.  I look back on those as learning experiences that cost me hours of frustration trying to get a tool to work as it was marketed, only to feel as if I were a beta tester for the software company run by middle schoolers.

In this technology age of business disruptions, in mere months, practically any software company can cause the bankruptcy of the largest giant.  A century ago, it would take years for this to happen, but not today.  Information spreads fast.  When something works, we all know about it immediately.  When something doesn’t, we all know about it immediately.   This YouTube video has some great examples of disrupters that fit perfectly well in the DFIR tools world.

 

For the DFIR software developers that own up to mistakes, fix errors, and update their tools when needed , you are the disruptors.  For those who only update tools on a schedule, regardless when a fix is needed, you face disruption. 

As for me, I want every DFIR tool to work as advertised. I want as much competition as possible to drive down prices while at the same time drive up performance in the tools.  I want to be able to pick any dongle from my tree to do basic and advanced tasks and pull down another dongle to validate what I found.  I don’t ever want to plug in a dongle and have doubts as to if #1, #2, or #3 from my list will fail me.  I don’t expect DFIR software to be free.  But I do demand that works or I just wont use it…ever. 

I can imagine that the battle between DFIR software developers is much like the fight between Brienne of Tarth vs Sandor Clegane in Game of Thrones.   And as with this GOT fight, it is always good to see that both actually win in the long run, which means we all win.

Last modified on Tuesday, 23 January 2018 10:57

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.