DFIR Training

Friday, 16 March 2018 23:22

So many tools, so little time, and oh yeah, I forgot about that tool. ^Featured

Written by Brett Shavers

font size decrease font size increase font size
Be the first to comment!

So many tools, so little time, and oh yeah, I forgot about that tool.

One of the things that work against us in DFIR is the sheer number of tools available. We have freeware , open source , shareware , commercialware , bundled packages of any combination of these tools, and new tools being written all the time to be posted online in any number of shared hosting sites (Github as a major source). Some disappear or are no longer supported, others untested, and some law enforcement only. And the type (freeware - commerciaware) doesn't even determine if the tool is good, effective, or useful to what you need.

This is not as bad as a problem as we had years ago, because back then, when you needed something that did “email”, the choices were few or expensive, or an expensive few to chose from. Today, the issue is having so many to choose from. I’ll take the latter as a better problem to deal with as there have been times when I just didn’t have a tool to do exactly what I wanted, which resulted in working twice as hard to get the task done using what I knew existed at the time. Worse is realizing after the fact that there was a tool that would have handled the problem easily, but not remembering that tool when it was important to do so.

As one personal example, I was called by a DFIR buddy this week who said that he went onsite to collect data. On one system, he couldn’t do it due to the configuration. I wont go any deeper in the details of how it was configured, but he had to leave without capturing the data from that system. He called me to ask about WinFE and if that was something WinFE would be able to do. The answer was that this was something WinFE was designed to do.

The point is that my DFIR buddy knew about WinFE , but didn’t even remember it when he needed it the most. I believe that this happens to all of us with examples with any number of DFIR tools. We get so trained and focus to create habits in using what we use, in how we use it, that we end up reducing our vision in looking elsewhere for ‘better’ tools, or tools that simply fits a given situation ‘better’.

The tool listing on dfir.training is overwhelming and I still have hundreds of tools left to add. This is not a bad thing either. Lots of tools, but you probably only need or will ever use only 1% of them. The key is knowing when your 1% is will not be able to handle 100% of your work. The way I figure it, that one time that I don't know how to handle something will be that one time the client is breathing down my neck due to a deadline that I need to meet...while onsite...I tend to work to avoid those types of situations.

My point:

When what you have isn’t doing what you want to get done, there is probably a tool that can do it. Stop. Breathe. Think. Try another tool, maybe something you either forgot about or have to search to find online to try new. Sometimes the answer to the problem was probably already in your hand at some point. You just have to remember it when you need it. Just remember to not have just a hammer in your toolbox. You need wrenches and screwdrivers too.

Last modified on Saturday, 17 March 2018 00:18