Patreon allows anyone to create a personal webpage, create and post content to the page, and charge visitors (patrons) to access the content. That’s all there is to it.
Patreon is one of the first of these types of platforms to take a foothold in this space, and it is still working through growing pains. But, all in all, it works as advertised. The vast majority of content on Patreon is not computer related, and of the content that is computer related, even less is DF/IR related. But it is there. I have seen more DFIR pages being created and expect more to come. You could be next to create your own Patreon page!
Of course, I’m talking about Patreon because DFIR Training has its own Patreon page where I am creating content, giving access to courses, podcasting, and blogging exclusively for members. But just as important, I want to bring Patreon to your attention for several more reasons:
Here’s the thing on training, books, references, resources, and even how time works: nothing is truly free, and even those who give everything freely eventually cannot continue. Platforms like Patreon help DFIR content creators and software developers further their efforts. Actually, they help creators develop faster, like spraying nitrous oxide into an engine. As an example, Github (or any platform providing free storage for free software) is a wonderful resource of open source tools, but you will find that so many tools are started but eventually abandoned. This is not because the tool failed, but because the time and effort needed to sustain development cannot continue without eating away at other aspects of life.
There's a neat story that I like to tell in order to make a point about supporting DFIR tool/content developers. A small software tool was developed years ago, and the developer was giving it away as freeware while asking for donations. I donated and emailed the developer that I thought his tool was really neat. I donated because I really liked the tool and hoped it would be developed further. Ten years later (probably a little less?), that small free tool evolved to become a major contender in the forensic software industry. I had maybe a .000001% impact on its development with my donation and verbal support, but I surely feel good that I helped it even a little.
I will say that there are a few free small forensics tools available today that, if the developers tweaked their goals just a little, could end up in the same boat of running neck and neck with the big-name forensic software companies in a few years. That is, unless they eventually give up development because the time required becomes too much to keep giving it away. This hurts the community and our forward momentum.
On the DFIR Training Patreon list, I selected several DFIR related Patreon accounts as potentially good DFIR references. You will recognize some of the accounts right away. Phill Moore, Eric Zimmerman, and other respected members of the DFIR field have created Patreon pages. Consider supporting those who you wish to continue in their efforts of supporting the field with what you can, when you can.
Another point on free DFIR stuff. Everyone can access the free stuff, but not everyone chooses or has the opportunity to access the non-free (especially the expensive!) stuff, like training and software. This is an unfortunate fact in any industry, in that ‘things’ cost money, and to access certain ‘things’, you have to pay for access and use, such as licensing fees. I see Patreon offering a sliver of hope of not going broke for some cool DFIR content, as much of it is still free on Patreon. Eric Zimmerman’s tools are a primary example of the awesomeness you can get for free, and support directly with what you can, when you can. Patrick Wardle is yet another with amazing tools that he gives away and at the same time, is supported on his Patreon page. Pretty cool.
As to the DFIR Training Patreon page, I plan on stuffing it with exclusive content for the members and ask that you check it out. You just might find some cool stuff :)
Here is something I do. I make it a point to write down something that I learned each month. No, I don’t sit and think about what I learned, then write a poem about it. When I learn something that impacts what I do in DFIR, I write it down as soon as I “learned” it. By learning, I mean either I figured it out through research, or watched it in a video, or a class, or a blog. This happens several times a month…but I want to have at least one thing that I learned per month.
At the end of a year, I can look at the major things I learned and put an importance on each newly learned thing by simply writing a few words about it. From this, I personally share with or teach others. I call these the “neat things”.
I know that you also learn something new every month (day?) too. We pretty much all do. But the suggestion I have for you is to jot a note down for the big ones that make you stop and think. There are a lot of fairly innocuous things we learn all the time, but sometimes, we learn something really neat that impacts what we do more than anything else.
By “impact”, I refer to those neat things that may save me time, or give me a new skill, or plainly teach me something so cool that I can’t wait to tell someone. Your “neat things” will be different from mine, and that is the way it is supposed to work. I admit that sometimes I come across something that is neat to me, and when I tell someone else, they already knew about it ☹. Still, new to me is a personal improvement that I can make.
I keep this in mind all the time I am at a digital device, and surely, you do too. You type, click, type, click, and during the typing and clicking, you learn something about an artifact or how a tool works or some way to do something a little more efficiently. We do this and improve individually, but what we don’t do is stop and realize just how much we are learning. Note-taking helps me reflect that (#1) I am constantly learning, and (#2) I should be sharing what I learned in case someone else doesn’t know. It is also personal proof that I am not stagnant in keeping my skills up to date.
Here is something to be aware of if you meet me somewhere. If something comes up that I know about (and am excited about), and you have not heard about it, I’m going to fill you in on it. If it is a piece of software that I found to be awesome and you haven’t tried it yet, guess what we will be talking about for the next 10 minutes….
A lot of what I have learned is also probably the way you learned too: Through mistakes and errors.
But that’s okay too. Any of my mistakes are burned into my cranial cavity enough to remind me for a long time. Plus, I tend to talk about how I royally screwed something up only to come out of it a better person. Basically, I tell people, “Guess what? I touched a hot stove and it was hot.” That is not as embarrassing as saying that I keep touching a hot stove and haven’t learned from it. Bottom line is that making mistakes and recognizing the mistakes is good for growth and improvement. Hiding mistakes (or worse, denying ever making mistakes!) stunts growth.
The DFIR Training website
I'll also admit that I am learning and re-learning so many neat things with the DFIR Training website. It takes time to manage, but my personal benefit is entering 1,400 different software applications, reading dozens and dozens of white papers, and now going through one forensic artifact at a time. My motivation is both selfish (I want to learn!) and altruistic (I want you to learn too!). Here is where I am finding the biggest learning experience with DFIR Training: the forensic artifact database. Although it is new and has a lot more to go before being the go-to artifact database, it is incredible what you can learn by going over an artifact and curating white papers, tools, references, and videos about it. So cool to do, and I hope it is cool to you too.
I expect the forensic artifact database to easily reach over 1,000 artifacts in time. Given over 1,000 DFIR tools and soon enough over 1,000 forensic artifacts, all cross referenced by tool-to-artifact, artifact-to-tool, and citable references, this is a very cool undertaking that I can learn from by putting it together and anyone can learn from by simply searching or browsing for what is needed.
Spreading the news about the neat things
So over at the DFIR Training Patreon page, I’m going to keep talking about neat things. I have software on my desk that I will be comparing and reviewing, book reviews to write and make videos about, and all the little things that I have come across over the years that might make someone else’s day easier to talk about.
On my podcast, I am giving some war-stories as examples of the topics I want to share. Probably every “war-story” is an incident where I fell on my face, or boogered up something, or plainly just messed up something. I am not trying to sound like I am uncoordinated or unskilled or born to be a goof, but I have learned some things the hard way for whatever reason, and I can share how not to do that. If one story that I tell can save someone from hours of work or public embarrassment or, better yet, solve a good case, then it is worth it.
Here’s one war-story from my former law enforcement work that shows why I want to share the things I know. As a use-of-force instructor, I was giving training on a specific threat* and a specific reaction to handle that threat over a period of years (I thought it an important enough topic to repeat it often). One day, an officer in my agency was thrown into an officer-involved shooting, survived, and sought me out afterward. He gave me a hug and said that the only thing going through his mind were the words that I kept repeating in training. Of course, I was happy to be a part of the outcome of the shooting, but in all fairness, he was there and handled it, not me. The same goes for forensic work. I can give my opinions and suggestions to help, but it is the receiver who chooses to put the words to work. I am just glad to be part of it.
More importantly, you should too.
*Sorry, not going to talk about the specifics of the threat or how to handle it.
Everything you need for DFIR is ending up on www.DFIR.training. Software. Hardware. Artifacts. Resources. References. Citations. Forms. Templates. Affidavits. Keyword lists. Forensic Test Images. White papers. Books. Jobs. Videos. Podcasts. Infographics. Blogs. RSS feeds. Events. Research. And Community!
More tool listings!
Of course. More categories too since there are just so many tools to search through. If you don’t see a tool, let me know and I will add it. No tool too big or too small. Currently, there are 1,400 tool listings in 238 categories. Even cooler is that all tools are cross-referenced between the categories :)
The one field that I recently added for license type (commercial, free, multi-license) is still being populated, but when finished, you can search for tools with a filter by license type. I should have started this early on rather than when the tools hit 1,400 in number. But it will be done for all the tools. As of now, searching for a specific license will give incomplete results.
I started a forensic artifact database of sorts previously, but it was too complicated and time consuming to put together and manage. So, not only did I now make it easier to manage, but easier to find what you are looking for. As of today, the database is incomplete, but artifacts are being added and eventually, you will have a serious start for looking for artifact resources.
Here is the basic template for the forensic artifact database:
The DFIR BookShare Challenge
So far, so good, except I’m running out of author signed books! If you are a DFIR book author and want to join in, send me a note! I want your book! They are going out all over the world and are having a good impact on the community for those who are passing them around.
Book reviews will be published from January as well. Editing what I wrote, finishing up others that I started. And learning that writing a review of a book takes more effort and time than reading the book itself!
The intention of the training listings is to have as many training providers post their training as possible. Trying to find DFIR training is not as easy as you would think, as you have to go to individual providers, or find incomplete listings. So, this endeavor hopes to capture them all to make it easier for everyone to find relevant training. You can help by suggesting to vendors to post their training at DFIR Training.
How about that Patreon Page?
Check out what is going on at the DFIR Training Patreon page for next year: https://www.patreon.com/posts/year-end-review-23648997 . I created several tiers of membership, and as each tier sells out, that only leaves the next higher tier to join. But once you join at a tier, you can stay at that price for as long as you want.
Your membership on Patreon gives you access to lots of courses and freebies, so I suggest taking a look at the Year End Review post on Patreon. In just a few weeks, membership went from zero to 135, 10 books were shipped out to one tier membership level, and new courses are being added in January, February, March, and more!
As a side note, everything on www.dfir.training is still free, and the DFIR Training Patreon page is simply going way further with benefits, rewards, and exclusive content for members. Completion of the courses gives you printable proof of training that may make your employer happy with training hours and something you can prove on your CV/resume; something you can't get with Youtube videos.
2019 is the year that I start software comparisons and reviews. I will also be doing comparisons on the Patreon page in more detail, but generally, I will have the basic reviews available on dfir.training. If you are a developer and want to have your tool compared, send me a note! I have a few apps on the desk to get through first, but I’ll take as many as I can do.
Here’s the plan: I’m picking two or more tools that do the same thing (or one same specific thing) and comparing both of them. What I like, what I don’t like, the output, the ease of use, speed, etc… The more tools the better and I’ll simply just rank them as I compare them. Also, I am not averse to having some prep time with a developer to make sure that I do not miss a feature or misstate something about a tool. My goal is accuracy and honesty.
My goal for you
To build up DFIR Training to be your most valuable resource for all things DFIR. That’s it in a nutshell. Although I enjoy adding to the website, it does take time. But with the traffic and emails I receive about the site, it makes the effort much more worthwhile. I do intend to add more advertisers on the website to cover expenses and time, but those to be added are truly those companies doing great work in DFIR that you should know about anyway. But don’t worry. No popups. No spam email. Nothing that will get in the way of searching for something you need in DFIR and finding it quickly and easily.
About Advertising on DFIR Training
Send me an email and I’ll send over a Media Kit. Let me help you pick out what will be the best for what you are looking for. You won’t find a more targeted audience than the visitors to DFIR Training, especially in the numbers. The numbers... quite amazing.
Some visitor stats for those interested in just how many people use DFIR Training.
Alexa (Alexa makes it easy to compare traffic, so you can see how dfir.training compares to other related websites).
Patreon Ranking (continual upward trend!)
Raw stats (excluding bots)
First the bad news
I’m re-doing the database and starting from scratch.
Now the good news
It will be so much better than I originally planned.
The intention of the artifact database
The forensic artifact database is not intended to get into the weeds of forensics. Some aspects may be detailed, but generally, this database is not going to replicate that which has already been done elsewhere and everywhere else.
With that, the database is intended to point you in the right direction to what you are looking for, quickly and easily. As an example, each category will have topics that will give you a broad overview of the artifact, training resources, software, published resources (books and papers), videos, and other direct links to citations that you can use. It's like Google, but faster, and curated specifically for each artifact. And cross-referenced as needed with other artifacts, operating systems, and forensic software apps.
Another intention is to spark ideas for your analysis. By clearly listing artifacts, the listings may give you ideas on things you may have forgotten or didn’t know, simply by entering search terms for what you need, such as searching for “USB” or “network connections”.
When will it be done?
Good question. The best answer is that it will never be completely done as artifacts will be added as they are discovered and published. It’s a living database. But you probably want to know when it will be done enough to be useful…I suspect it may be a few months before there is enough content in the database to cover the basics of what you need.
If you see something wrong with the content, or have something to suggest to make it better, I am one big ear to listen. That’s my goal: make it easy for you to use and worthwhile.
How much is this going to cost you?
Nothing. Nada. Zip. I’m making it for the DFIR community to use. No strings attached.
I participated in an interesting thread on the Forensic Focus forum regarding software licensing recently.
There were good points made in response, such as suggestions to use open source tools and that the answer to the question is an unquestionable “NO”.
Countering the good suggestions were some terrible replies. Like, it’s okay to use cracked versions of software, and that playing around with hacked versions of commercial tools is fine as long as you don’t make money from it. And don’t forget the cover-all excuse of ‘everyone does it’. Holy smokes!
That’s it. Generally, there is a software licensing agreement for all software. Some are written explicitly and specifically by the developer (name your commercial tool as any example), and other software may be uploaded to repositories using one standard licensing agreement to cover everyone’s uploaded software.
In my experience, here is how I see EULAs related to digital forensic work: You may or may not be able to copy, modify, distribute, sell, use for profit, and/or share. Know what you can do with each tool that you use. If you violate one or more permissions, your professional credibility may be damaged and the results of an examination may be inadmissible.
In particular, I have seen some freeware EULAs specifically state no commercial use of the software. One personal example: an opposing ‘expert’ in a case in which I was hired to testify had used freeware in his analysis and, by chance, I knew the software he used prohibited commercial use. Of course, that was brought up in court. I would not imagine him doing the same thing ever again after that day.
EULAs cover a lot of ground in a lot of small print. Using common sense, you’ll probably never violate a EULA. Cracking the software is not common sense. Trying to break it is not common sense. When in doubt, read the EULA.
For those in the DFIR community, I urge you to not even lightheartedly suggest that using cracked or pirated software is fine, regardless of the circumstance, so as not to negatively impact those working to get into the field.
As for me, no one will ever be able to say, “Brett Shavers said it was okay to use cracked forensic software, and said that everyone else does it, so I did it too”. Never will happen. Ever. You should be in the same boat.
PS: Notice I didn’t get into any of the ‘moral’ reasons to pirate or crack software, because there are none. And besides, the ‘legal’ aspect outweighs any ‘moral’ belief every time in court. I also focused only on one aspect of EULAs, in that pirating or cracking software is generally not permitted by the EULA of nearly all proprietary code.
I'm putting together a list of guests for the DFIR Training podcasts for 2019. The podcasts will be different than podcasts currently being done. Short and sweet. To the point with a dash of humor.
The goal is to have something you can listen from start to finish in less than 15 minutes, in which you can get some nuggets to help you in your job or help get you through the next committee meeting, or while you watch a progress bar not move...you know what I mean ;)
I am open to practically any guest, in addition to those I am personally seeking out. Be forewarned that I may be sending an email to you to come onto the podcast, but also, don't worry. It'll be less than 10 minutes of your time, which is less time than it takes to microwave a lunch.
The podcast will be available through https://www.patreon.com/DFIRtraining , which reminds me... have you signed up yet? The earlier you sign up, the better jump-in price you get. There is even a short-run holiday special offer going on right now through January 31 (limited to only 50!). The first tier level already sold out, and I expect the next tiers to sell out as well, only because you get a lot. Take a look at some of the benefits you get through DFIR Training's Patreon:
Every week, barring sudden illness or natural disasters
Access to everything above and everything else that is coming for as long as you are a member. The first tier level of $20 sold out. The Holiday Special at $25 is already starting to go. The next tier level is $30. Then $40. Then $50. Then...
So far, in my opinion…this DFIR Bookshare Challenge is awesome!
Sure, there is some work to it. Getting the books (and signed by the authors!), getting the word out, managing the hundreds of entries, making random drawings, getting confirmation from winners, then getting the addresses, then the mailing of each book (in and out of the USA). But even at that, this is totally awesome! Awesome because so far, the winners are welcoming the challenge to share after reading the books. That is so super cool. Even cooler is that you don't need to spend a dime in buying the book, shipping fees, or anything. Just the time to enter is all that is needed and I'll mail the book to you if you win.
To get one entry per drawing, be sure to create a free account here: https://www.social.dfir.training/groups/viewgroup/3-dfir-book-giveaways . I am only requiring creating an account so that I can export a CSV with email addresses...in order to make the drawing. You can use any email address you want, but make it one that you will check to see if you won. If I don't hear from the winner in a few days, I'll be moving on to the next person. I prefer that #1 wins, but the book has got to be sent out for its new life to be passed around :)
Where have the books gone so far? Here is the current map, and remember, this will be happening every month until I run out of author signed books:
Oh yeah…..the book reviews…
I have to admit that I am behind on the reviews. I probably bit off more than I can chew with giving away so many books in such a short time, which includes me reading each book in order to review them all. I plan to get through all the reviews over the holidays.
I’ve been working on Patreon for several reasons, all to benefit everyone looking to connect with the community and get some training (and ebooks). The goal is to build up the Patreon page in order to be able to commit more time to give more, such as more courses, more podcasting, more writing, more www.dfir.training content, and more sharing.
I encourage you to check it out: http://www.patreon.com/DFIRTraining . To gain access to the courses and posts, sign up at one of the tier levels of your choice. Tier levels at $20 or higher access everything, although the $20 tier level just sold out. There are spots at the $30 tier level, and when they sell out, the next level is $40, and so forth. Get in early and enjoy the lower tier prices. And once you join at a certain tier level, you can keep the subscription price for as long as you want without any increase. But when you leave, you will lose your early discount spot and would have to come in at a higher tier when you decide to come back. Basically, innovators and early adopters get the biggest benefits, so get in early!
Back to the DFIR Bookshare challenge...as a benefit for the Patreon members, each member at tier levels of $20 or more is getting 21 entries to win a book, each time. Everyone else receives one entry. That doesn't mean that only patrons win, but they have more chances to win.
The next big thing in the Patreon is the updated WinFE. If you haven’t heard, it will be a major update in what it can do. The current version built with WinBuilder is still valid, and will continue to be valid as the write protection method is the same. The new WinFE has a few more features that extend WinFE’s usage, which I will detail in Patreon through added videos in the WinFE course and through an ebook that you can download for free if you are a patron of Patreon. I am excited for the new update to be released and I know that you will be too (the new WinFE is seen below running on ARM64!). Kudos to Colin Ramsen on his write protect app!
For those who are supporting through Patreon, you folks are, well, just plain awesome! (That’s the last time I use awesome in the post, I promise..).
The visitor stats are incredible, so I appreciate the suggestions and corrections that I am sent. Keep it up. Still averaging over 35,000 unique views a month and hit 70,000 in one month recently, typically a million hits a month, a bounce rate of 13.10% (if you know about bounce rates, you know this is incredible), 15 daily page views per visitor, and visitors spending an average of 25:15 minutes per day on the site.
A few sponsors are coming on board, so that is nice to help compensate for time to manage the site. There are lots of items on the site and more is coming. All is free to access for everyone.
I will be adding a few new features here and there, all the while as I update the content with tool listings, event listings, artifacts, and more.
If you see something that you don’t like, or like, or could/should be different, don’t be shy to let me know via the contact form or directly via email.
We each have our own preferences in what we want to see in forensic tools. Some live and die by the CLI, where any GUI is blasphemy to the cause. Others demand that a button exist for everything and don’t even give a sideways glance at anything that requires typing a command or right-clicking to get to a function.
By the way, there’s nothing wrong with anyone’s preferences, as long as you can do the job with the tool you use. But there is something to keep in mind when you stand wholeheartedly fast in your software belief system, and it probably stems from your introduction to the tools. One thing that I have seen in introducing forensic tools, is that the manner of introduction has a long-term effect on future users. If the introduction is poorly done, the odds are that unless the student makes an effort to correct the introduction, the use of that tool probably won’t happen.
Here’s one example.
While at FLETC during BCERT, we had a 3-day class from Accessdata on FTK. FLETC (at the time at least) gave Accessdata three days to teach FTK, gave four days to Guidance Software to teach EnCase, and so forth. X-Ways Forensics had been recently released and there was no training in X-Ways at FLETC/BCERT other than, “This is what X-Ways looks like. Next.”
But here’s the rub. The Accessdata instructor did such a terrible job that practically everyone in the class was bashing FTK the entire three days. It was that bad. It was the worst that I have ever seen in more ways than I can remember. Many in the course had never seen any forensic tool, let alone FTK, so the only impression was that Accessdata FTK must be terrible because the tool didn’t work and the instructor didn’t know how to use it. Luckily, I had Accessdata training prior and had been using FTK for some time before my FLETC training. The end result is that this particular FLETC course pumped out a bunch of EnCase lovers and FTK haters. All because of three days of ineffective instruction. To Accessdata’s credit, they gave a training pass to everyone to repeat the course at any time, but I don’t know how many gave Accessdata a second chance.
The obvious intention of FLETC's BCERT was to introduce and give training in several tools so that we could choose that which will fit a case and fit our preferences, based on knowing the ins and outs of a box of software.
I don’t remember that instructor’s name who taught those three days at FLETC, but I can tell you that I used that credit to repeat the course after I left FLETC. For the repeat of this course, Dustin Hurlbut was the instructor. I remember Dustin’s name because his delivery of FTK was spot on. I subsequently had Dustin as an instructor with other Accessdata courses and every time, he did Accessdata very well. In every one of those courses, I am sure that he sent out motivated, new Accessdata users.
So, when I hear that someone doesn’t like a particular forensic tool, I ask specifically, ‘what is it that you don’t like about it?’. If I can’t get an answer that is specific, I assume that their initial exposure was negative, and they don’t really know why they don’t like it. I can work with that when I give training. Sometimes a proper re-introduction can do magic.
For me, I ‘prefer’ tools based on the situation at hand. At times, FTK can rock a specific scenario. EnCase is king in another. Magnet just kicks it in a different case. X-Ways fits the bill in another. Paraben covers a gap that no one can in a different situation. And so forth. When the results are virtually the same (output being only visually different), the tools generally do what you need done if you choose a tool that fits your needs. Preferences are valid when you can honestly compare tools against each other. Complaining that a stick shift (meaning, you have to change gears manually...and use a clutch....) doesn't work because you don't know how to drive it isn't really a fair opinion of a stick shift when comparing against an automatic transmission. However, if you can drive both, then not only can you give your personal preference of what fits your needs, but you can pick the transmission type that fits your needs.
If someone else ‘loves’ a tool that you do not, take a step back and ask yourself ‘why?’. Why do they love it? Why do you not? You may discover that you have been missing out on a fantastic tool that could have saved you months of work and frustration as it actually fits your needs, and the only reason you didn't know is because your introduction to the tool was subpar. That’s not your fault way back then, but eventually it becomes your responsibility to find the tools that you need, regardless of any poor introductions made earlier.
Keep in mind, the more tools in your tool box, the more problems you can solve. Otherwise, when you only have a little tool bag, you are going to limit your effectiveness. As for me, I prefer to fill the toolbox, just in case.
Harlan Carvey posted an important question ( http://windowsir.blogspot.com/2018/11/basic-skillz.html ) asking for opinions on what should be the basic skills in DF, which prompted quite a few comments and blog posts.
Following up on Harlan's post, I wrote this one ( https://www.dfir.training/dfir-training-categories-k2/item/164-wax-on-wax-off ) to talk about basic skills in DF/IR, as in, the skills needed to perform at a basic, but competent, level.
But I think breaking apart "basic" is the first step in this conversation. By breaking apart, I mean that we have basic skills and basic knowledge to discuss.
Basic skills are those competencies specific to a job or task.
Basic knowledge is that information or awareness (not competence!) of a topic or topics.
Basic skills are easy to define, since you can choose a job and then determine which skills are necessary to do that job (as in, bare minimum, basic skills).
Determining awareness/basic knowledge is a little more difficult, as I opine that the basic knowledge should be much broader, across all jobs in both DF and IR. Just as important, I believe that basic knowledge/awareness should not imply or require competence in any of the DF/IR jobs. It is merely awareness. I blogged a couple of times about this in more detail.
In this post ( https://brettshavers.com/entry/digital-forensics-is-really-easy ), I wrote that the basics should be very basic, and include only the knowledge that should be held by everyone in DF or IR (both should have the same legal and technical knowledge).
In this post ( https://www.dfir.training/dfir-training-categories-k2/item/165-a-proposal-of-basic-foundational-dfir-knowledge ) I wrote in a little more detail about what I believe a basic foundation across both DF and IR should be.
When speaking about "the basics", we may want to consider more specifically which "basics" we are referring to. Do we mean the skills required for basic competence, or do we mean the basics as a "starting point" of the field, which everyone in the field (both DF and IR) should know as a foundation?
Following up on the DFIR Basic Skillz conversation ( http://windowsir.blogspot.com/2018/11/basic-skillz-pt-ii.html ) and post ( https://www.dfir.training/dfir-training-categories-k2/item/164-wax-on-wax-off ), I want to drill down deeper to the basics. First, let me define basics as I refer to the term in this post.
Basics = foundation, fundamental, starting point
( SWGDE defines this topic as "awareness ... designed to provide the student with a general knowledge of the major elements ..." )
To make this short and sweet, I believe that any attempt to create a basic core competence for a specific job in DFIR is way beyond problematic; it may be impractical. Far too many specific jobs have varying degrees of skill levels required in a basic sense, and different skills needed in some jobs but not another. To be accurate, every single job title would need to have its own basic foundation determined individually. Think about the varying degrees of responsibility and job titles in DF/IR and then think about how you could create core competency or basics for each job. Coupled with mechanical evolution (hardware, software, tools), this is a very difficult task.
Drilling down a little more, the basic skills in a specific job, such as forensic analyst, will change faster than we can keep up with deciding what the basic skills should be. Don’t get me started on what would then constitute the intermediate and advanced skills! An entire team of folks could spend an entire career just writing up core competencies for different DFIR job titles. When you take into consideration operating systems, types of devices, the objectives of each incident or case, and the specifics of each incident or case, the basics in one instance could very well be advanced in another.
I refer to the DFIR basics as the foundation of the overall DFIR field. I take into account those skills (more aptly described as 'awareness') which are:
In another post ( https://brettshavers.com/entry/digital-forensics-is-really-easy ), I touch on this on what a basic foundation could look like:
If you work in DF/IR long enough, you will see more than a few examples of where someone should have known better, and by not knowing better, either a case was mishandled or an incident made much worse. I have seen people fired on the spot, victims lose cases which could have been won, and professional embarrassment over the most basic of skills. In nearly every instance, it was a lack of knowledge, not intentional errors, that caused the problems.
As to how deep the waters should run to have a basic foundation, I truly see no need to go beyond a broad introduction of both the legal and technical aspects that run across both DF and IR. It is not competence building, or even much more than ensuring that those in both DF and IR understand the legal and technical functions of both sides of the field. It is to raise awareness and have a basic foundation across the board in DF and IR, broken down into two components:
---Criminal and civil procedures (legal processes, report writing, etc..)
---Evidence (identification, seizure, preservation)
---A+ and Network+ (OSs, hardware, networking, etc..)
---Digital Forensics (high level and specific to forensic analysis)
---Incident Response (high level and specific to incident response)
No one really teaches this. Yes, there are some courses that are considered basic, but nothing that I have seen that fits this model. I believe the reason is that few people would want to spend the time or money in a program where they come out with the same lack of mechanical skills as when they went in. Basically, people want to know how to do the work right away. Principles and concepts? Nah. We want to grab the tools and get to work! This is a bad way to do it. Actually, it is the wrong way.
You make sure that you have the basic fundamentals, regardless of any formal training. It is your responsibility. It is not the responsibility of your employer, or your college, or your parents, or the government (yet). One time in court will be more than enough to either make you seek another career or rush to find training to teach what you should have known. Start now (if not covered already), whether you have never handled a hard drive in your life or have investigated nation-state hacking cases on a regular basis.
The community at large should support some level of basic fundamental knowledge. Hiring managers should require it or provide it after employment, or as a condition of employment. Universities and colleges should absolutely provide it as they are issuing degrees (in effect, certifying students!) in DF/IR.
I believe it is so easy, that anyone and everyone should take the time to cover the basics. A few weekends, books, online courses, college courses, or anything else that can cover what can be considered the basic fundamentals. Regardless if you are tip of the spear in the field, or just graduated from school, this is easy to complete, and solidifies your knowledge base. And depending on your experience, you most likely have one of the two components down already.
Just imagine how it would be if everyone working in DF or IR had a common understanding of computer systems, operating systems, networking, and legal procedures. You don’t need to be a cop to know enough legal procedure to save the day if the need arises. And you don’t need to be a computer programmer to know enough to save the day if the need arises. You just need a common foundation of the basics to make sure you don’t screw up. Because DF/IR is really, really easy to screw up.
Some great discussions on Twitter and Linkedin this week about the basics of DFIR. Harlan Carvey’s short but poignant post brought this important topic: “ Basic Skillz ”.
“...what constitutes "basic skills" in digital forensics?” – Harlan Carvey
As to my opinion, basic skills in DFIR are those skills that are common across the broad spectrum of the DFIR field. Or put another way, all the things that everyone in DF and IR should know as a foundation. Basics like imaging a drive or memory acquisition. Knowing the components of a basic computer. Or basic network protocols. Or operating systems, file systems, data carving, and evidence protocols. These are the things that we should all know through training, experience, or formal education. Many of the basic skills are very basic to some. As an example, evidence control for experienced police officers is a no-brainer. Building a standard computer for experienced IT professionals is also a no-brainer. Both need the same common skillsets (evidence + computer knowledge) to move forward in DFIR. Plus, the basics, no matter how simple they may seem to the learner, have a far more important impact on future skills than they realize at the time.
Several organizations have been off to a good start. FLETC and SANS are two that come to mind. Both have foundational courses. However, SANS leans heavily toward IR more than legal DF, and FLETC leans heavily toward legal DF more than IR. Both seem to be lacking in providing a basic foundation in both DF and IR training, although both are excellent training providers. **Magnet Forensics is an example of a vendor providing a basic course, "Forensic Fundamentals (AX100)", so not all vendors are avoiding teaching the basics (there are others).
The vendors aren’t. We are. Vendors provide training without concern of the basics (not their responsibility). Since there is not a basic skill level requirement, we can jump and skip around with training. If you want, you can pay and attend the most advanced course in DF/IR without having a bit of knowledge of evidence procedures or ethics. Vendors don't care, but then again, they aren't the ones that will be potentially called on the stand for not knowing a basic skill in DFIR. This is doing it wrong.
As of today, it is up to the practitioner to get a basic foundation. There are no laws, regulations, or licensing requirements to meet any standard in DFIR. So, it is up to the individual to find the appropriate training to cover the basics. Too many of us skip the basics, and that is where the problems will start.
I’m using the word “basics” to mean core competencies, foundational knowledge, common core knowledge, etc… or whatever you want to call it.
As far as teaching the basics, the process is already a tried and proven method. Many of us have already been through the process of training in the basics before jumping into the advanced skills. Some of us have been through this process several times over. The method works. Using any of the flow charts below, you can change the “boot camp” into practically any job field and see how the advanced topics are built upon the foundation. We have to stop skipping the foundation. For those who have taught forensics...I know you have had students in your classes that skipped the basics, which results in a negative learning experience for the entire class.
The questions remain:
**What constitutes the ‘basic skills of DFIR’ and what are the common topics that must be known across the entire DFIR field?
**And if there is a belief that DFIR does not need the basics in order to work in this field, why not ?
Hang on a second before assuming that DFIR Training will be going all ‘pop up crazy’ and inundate you with Adobe Flash, signups, opt ins and opt outs, and embedding spammy links everywhere. None of that is going to happen.
And don’t think that anyone will ever be charged to view anything on www.dfir.training . Everything that has been free, will still be free, and nothing will be put on www.dfir.training that requires paying anything for access. No change whatsoever.
The advertising will be things that you may really want to see. Like more event listings and extensive event listing details. And company listings. And featured tools and featured events. You’ll not see anything that detracts from the Website and will only see that which probably interests you, like the same things you are seeing now. Software listings, hardware listings, and RSS feeds that are updated every few minutes from the most active DFIR blogs on the Internet.
Here is your benefit in having ads/logos on DFIR Training. It will pay to keep the site up so that you never have to think that it will come down due to costs or disinterest. Right now, the website is hosted with the fastest plan available at the webhost. And it is maintained daily. And backed up daily. And content is added daily. Having a few outstanding companies put their logo on the site will ensure DFIR Training only gets better and stays fast.
Side note: Do you want to market your tools, events, or company on DFIR Training? DFIR Training is all about tools, events, and DFIR developers. Send me a message and I’ll send you a media kit! https://www.dfir.training/advertising-on-dfir-training
Some of you have seen the DFIR Training Patreon page ( http://www.patreon.com/dfirtraining ). Patreon is like Kickstarter (you probably know what Kickstarter does). People donate to a cause that they believe in, and in return they receive rewards. The rewards I am giving and have plans to give far outweigh the donations, but I would like to see more people have access to what I do without spending a paycheck on a single course.
Some have already signed up to support the Patreon page! That is so cool! Signing up to support DFIR Training on Patreon goes to fund the Website for constant improvements. For anyone wanting to personally support me and the DFIR Training website, I am giving lots of bennies in return for your support. For example, you get access to the online courses I have and will have coming up, like:
Plus, I’m giving away the ebook versions of the cheat sheet guides, like the Ultimate DFIR Cheats for X-Ways Forensics at over 100 pages, and coming soon, the Ultimate DFIR Cheats for Windows Forensic Environment. Plus a few other personal things I will give away to supporters. One of the projects I will have on Patreon is setting up a small lab in small-to-medium sized police agencies. Lots more coming!
The thing to remember about the Patreon page is that you get videos, courses, and the DFIR cheat books that I am writing as my appreciation in return for your support. And if you are on Reddit, you get Reddit flair as a supporter. With over 40 hours of courses, plus the ebooks, plus some other cool little things coming up, $20 a month is not bad at all.
Well over a million hits a month. Sometimes hitting 50K unique visitors a month, with 35K unique visitors being a low average. There are over 100 sites linking to DFIR Training, and the Alexa traffic rank has DFIR Training surpassing just about every similar DFIR site. The number of daily pageviews per visitor and the length of time spent browsing/searching DFIR Training give me the pressure (in a positive way) to keep the site current, relevant, and constantly improving. With the things that I have planned to put on dfir.training, the stats are only going to grow.
If you see something missing or in error on dfir.training, send me a note and let me know. It's no bother to me to fix something or add something. If I am busy, then it may take a little bit to get to your email, but I will be on it. There is a 100% possibility that I am missing a tool. Send me the link and I'll add it. For events, contact the trainers or companies that provide training and ask them to put their events on the DFIR Training calendar. The more the merrier for a comprehensive DFIR training calendar.
First, hats off to those authors contributing their books to the DFIR Book Share Challenge and participating in this endeavor.
And just as important, thanks to the winners of the books who are fulfilling the challenge of passing the books along after reading them. My high hope is to create positive communications in our community with the books, in that we have a chance to be in the path of where the books will travel; in that we can talk about the content of the books in a manner to share information; and in that we can talk to each other as we hand off the book from one person to another. Sign up to win a book here: https://www.social.dfir.training/groups/viewgroup/3-dfir-book-giveaways
So far, I have shipped out three books in October ( Investigating Windows Systems , Placing the Suspect Behind the Keyboard , and the X-Ways Forensics Practitioner’s Guide ) and will be shipping out two books in November ( Hands-On Incident Response and Digital Forensics , and Windows Registry Forensics/2E ). Each month from now, I will attempt to give away at least two books a month, for as long as there are DFIR books to give away (this could go on for quite a while).
The book reviews may take time to complete….but I’ll have something done with the reviews on different platforms, including Amazon reviews, a blog post, maybe a video review, and things like that to help market these books. When I say “market these books”, I mean it in the sense of sharing that the books exist. I try to keep up on the new books coming out, but there is always a book I miss because I never saw anything about it coming out. Part of this challenge is to throw a little marketing your way about a book that you may not have known about, but may really rock the way you do your work. As for me, if there is one book, or a page in a book, or a paragraph, or even one sentence that pushes me forward in how I do business, then it was well worth the time to read.
If you haven’t read the ‘why’ and ‘how’ of this challenge, please check out my blog post about it: FREE #DFIR Books!
I quoted Stephen King for this blog post. I find King’s quote very relevant to our jobs in both reading and writing. I'd like to add to King's quote with "and if you don't have time to read, you'll not be good at writing or reading". Reading fiction might help your report writing, but that is not what I am talking about. I mean that reading DFIR non-fiction will not only give you tools to mechanically do your job, but it will also give you tools to help you write about your mechanics. Part of our work is to solve problems. The other part is to write and talk about it. You must have both ends of the equation to be considered competent.
Being successful in DFIR requires developing a self-learning attitude. Self-learning almost always involves reading books, because a book on the topic you are learning will save you hours, if not days or weeks, compared to trying to figure out something that has already been discussed and detailed in a book. Learn what has already been written about in a book, and then run with that information to push it forward with your own experience and research. Don't reinvent the wheel unless the wheel is broken.
In short….read the books. As many as you can get your hands on.
When you pass the books along, I encourage you to encourage the next person to keep the books moving forward. Share the sharing of the book on social media, send me something of where the book went (city and country) and I’ll add it to the map.
The drawing will be tonight (Oct 31) at 7pm (PDT). I'll notify the winner via email after the drawing. I'll blog/tweet about the winner after confirming that the winner wants the book.
I've had a few questions on this book giveaway, so here goes:
What is the catch?
No catch. The books are free. The shipping is free. It's free (to you). Everything is paid by the book authors (if they donate a book, which they have to buy and ship), and me (to buy the books authors don't donate, and shipping). The only thing that can be considered a catch is that you are limited to winning one book, ever (at least from this challenge).
How is the winner chosen?
I export a list of email address from the book giveaway social group to a spreadsheet. I number each email. I use an online random number generator to pick 4 numbers, one by one (email addresses are not entered online for the drawing). The first number is the winner, unless the winner wants to pass and try for the next book. Then I go to the next person on the list.
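The drawing described above, written out as an added example (this is not the author's method, which uses an online random number generator, and not part of the original post): it de-duplicates the exported address list so one person gets one ticket, numbers the entries, draws the four numbers without replacement from the operating system's CSPRNG, and keeps the draw order so that the next person on the list steps in if the winner passes. The sample addresses are constructed and not real entrants.

```python
import secrets
import random
from typing import List, Optional

# Constructed sample entry list (not real addresses). The duplicate and the
# case difference are deliberate, to show the de-duplication step.
SAMPLE_ENTRIES = [
    "alice@example.org",
    "Bob@example.org",
    "carol@example.org",
    "bob@example.org",      # same person as "Bob@..." above
    "dave@example.org",
    "erin@example.org",
]


def dedupe_entries(entries: List[str]) -> List[str]:
    """One ticket per address: normalise case/whitespace, keep first-seen order."""
    seen = set()
    unique = []
    for entry in entries:
        key = entry.strip().lower()
        if key and key not in seen:
            seen.add(key)
            unique.append(key)
    return unique


def draw(entries: List[str], picks: int = 4,
         rng: Optional[random.Random] = None) -> List[str]:
    """Number the unique entries 1..N and draw `picks` distinct numbers.

    The first number drawn is the winner; the rest are fallbacks, used in
    order if the winner passes or never answers. Sampling without
    replacement guarantees one address is never picked twice in a drawing.
    """
    unique = dedupe_entries(entries)
    if not unique:
        return []
    if rng is None:
        # OS-backed CSPRNG by default; a seeded random.Random can be
        # injected for repeatable tests.
        rng = secrets.SystemRandom()
    numbers = list(range(1, len(unique) + 1))
    chosen = rng.sample(numbers, k=min(picks, len(numbers)))
    return [unique[n - 1] for n in chosen]


def next_winner(order: List[str], passed: List[str]) -> Optional[str]:
    """Return the first drawn entry that has not passed; None if all have."""
    for entry in order:
        if entry not in passed:
            return entry
    return None


if __name__ == "__main__":
    order = draw(SAMPLE_ENTRIES)
    print("draw order:", order)
    print("winner if the first passes:", next_winner(order, passed=[order[0]]))
```

The point of drawing all four numbers up front, rather than one at a time as each winner passes, is that the fallback order is fixed before anyone knows who the first pick is, which makes the "next person on the list" rule easy to show to anyone who asks how the winner was chosen.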
Why do I have to sign up in a social group?
Because this is the easiest way for me to keep track of who wants a book. Plus, sign up once and you're entered for every book for as long as I do this. That is at least one book a month and up to three books a month. You can use any email address you want. Your real one or a fake one. Just be sure to check your email in case you win, otherwise, you have about a day before I go to the next person on the list.
As to 'yet another thing to check', you do not have to check the social group ever. If you win, I'll send you an email. As far as emails go, that is the only email you will receive for signing up in the social group. I'm not spamming, selling, or sharing the email addresses. This is just the easiest method to have a list that you control because you can remove your account at any time. Or you can leave your account active and maybe you will receive one email asking for an address to ship you a free DFIR book :)
I want to keep the book, not give it away. (a statement, not a question)
Unfortunately, I have had a few comments about wanting to keep the book instead of passing it forward. Read the reasoning behind this challenge here: https://www.dfir.training/dfir-training-categories-k2/item/160-free-dfir-books . In short, keep the book if you want. That is your decision. But remember, whoever keeps the book that they win or are gifted down the line effectively stunts the challenge and prevents everyone else from being part of this DFIR sharing challenge. We (me and the authors who offer to donate their books) want to encourage sharing and positive communication in the DFIR community. The "books" are just a medium to facilitate this mission. No one is making money from giving away books. One point to make is that authors don't get free rein on their books. They typically receive a small batch of books to give away in hopes of a review, or to someone that may have helped with the book, family members and friends, and that's it. If an author wants a copy of their own book, they have to buy it. So, for the authors donating books, I sincerely appreciate it, as I am also donating my own books too :)
The rest of the responses that I have received give me hope that we, as in the DFIR community, will have books circulating and generating conversations about the content of the books, the work we do, and just as important, speak to one another about something positive.
A personal note:
If I were to win one of these books, especially a book that I did not have and was going to buy anyway, I would not be able to wait to dig into it and finish reading it just so that I could put my name in it and find someone to pass it on to. But that's just me. Well, actually I hope that it is not just me...
A tip on finding someone to give the book away, especially if you are shy to start a conversation
When at a training course, DFIR college class, conference, or your workplace, have the book sitting on your lap or on the table. Someone will say something about the book. That means they opened the door for you. All you have to do is step in the threshold! Tell how you got it. Tell that the book needs to move to the next person. Show the names written in the front of the book and the highlighted passages. And then.............wait for it.....ask if they are interested in being next in the DFIR book sharing challenge. Boom. You did it.
For those who are not shy, all you gotta say is, "Hey, have you read this book yet?"