Saturday, 10 February 2018 13:41

Stop forcing the square #DFIR peg into the round hole. Featured

Written by

One thing you won’t find in the DFIR world is an agreement of the what tool is ‘best’.  The thing you that will find are arguments as to which tool over others different examiners believe to be the best.  I’d like to propose that if you find yourself arguing that one tool is better than another, to step back a second and take a breather.   You may be right but you might not be right.

Sometimes we when have a personal affection for a specific tool, we want it to do everything with it and when it doesn’t do what we need, we try to force it.  We end up working twice as hard and getting half as good an end result, all in the name of forcing our favorite tool to do something that another tool can do better.  Worse yet is clinging to a tool long past your need exists.  Don't keep using a tool just because it was the first one you learned forensics with, or because you just don't want to try other tools.

As for me, I rather drop the round peg in the round hole, then drop the square peg in the square hole, and then be done.  Forcing a tool to do something that you want it to do defeats the purpose of having multiple tools in your toolbox in the first place.   The best tool is the one that is best for the specific task at hand.   Take for instance your favorite forensic suite.  I am confident in assuming that there is something in your favorite suite that can be done ‘better’ with a different tool.  Your favorite suite is still great, but you might be able to shave off an hour or more of an analysis by using another specific tool for a specific item in your case (and get better results!).

As an example, perhaps your suite doesn’t do email very cleanly. In that case, it may be better to export your email from the case, use a tool better suited for email, and then import your results back into your case.  Most likely this will be faster, easier, and have a better end product.  Don't worry.  Your favorite tool won't be mad at you.

Big forensic suites are convenient to use because everything can be done within the one application.  But in time, I am sure you realize that some other tools, besides your favorite, could be a better choice for those one-offs and those specific artifact types that your suite isn't really designed to do as well as a smaller toolset or suite.

So, stop forcing it.  There is a tool for everything and for everything there is a tool.  Give it a try and you will be surprised at the really cool DFIR tools that are out there today that you had no idea.  

Browse around the DFIR tools that you've never knew existed :)

Last modified on Saturday, 10 February 2018 15:13

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.