Tonight, I'm giving away a copy of Harlan Carvey's book, Investigating Windows Systems.
If you want a chance to win an author-signed copy of Investigating Windows Systems , be sure to register your email in the book giveaway group: https://www.social.dfir.training/groups/viewgroup/3-dfir-book-giveaways
The drawing will be tonight (Oct 31) at 7pm (PDT). I'll notify the winner via email after the drawing. I'll blog/tweet about the winner after confirming that the winner wants the book.
I've had a few questions on this book giveaway, so here goes:
What is the catch?
No catch. The books are free. The shipping is free. It's free (to you). Everything is paid by the book authors (if they donate a book, which they have to buy and ship), and me (to buy the books authors don't donate, and shipping). The only thing that can be considered a catch is that you are limited to winning one book, ever (at least from this challenge).
How is the winner chosen?
I export a list of email address from the book giveaway social group to a spreadsheet. I number each email. I use an online random number generator to pick 4 numbers, one by one (email addresses are not entered online for the drawing). The first number is the winner, unless the winner wants to pass and try for the next book. Then I go to the next person on the list.
Why do I have to sign up in a social group?
Because this is the easiest way for me to keep track of who wants a book. Plus, sign up once and you're entered for every book for as long as I do this. That is at least one book a month and up to three books a month. You can use any email address you want. Your real one or a fake one. Just be sure to check your email in case you win, otherwise, you have about a day before I go to the next person on the list.
As to 'yet another thing to check', you do not have to check the social group ever. If you win, I'll send you an email. As far as emails go, that is the only email you will receive for signing up in the social group. I'm not spamming, selling, or sharing the email addresses. This is just the easiest method to have a list that you control because you can remove your account at any time. Or you can leave your account active and maybe you will receive one email asking for an address to ship you a free DFIR book :)
I want to keep the book, not give it away. (a statement, not a question)
Unfortunately, I have had a few comments about wanting to keep the book instead of passing it forward. Read the reasoning behind this challenge here: https://www.dfir.training/dfir-training-categories-k2/item/160-free-dfir-books . In short, keep the book if you want. That is your decision. But remember, who ever keeps the book that they win or are gifted down the line, effectively stunts the challenge and prevents everyone else from being part of this DFIR sharing challenge . We (me and the authors who offer to donate their books), want to encourage sharing and positive communication in the DFIR community. The "books" are just a medium to facilitate this mission. No one is making money from giving away books. One point to make is that authors don't get free reign on their books. They typically receive a small batch of books to give away in hopes of a review, or to someone that may have helped with the book, family members and friends, and that's it. If an author wants a copy of their own book, they have to buy it. So, for the authors donating books, I sincerely appreciate it as I also am donating my own books too :)
The rest of the responses that I have received give me hope that we, as in the DFIR community, will have books circulating and generating conversations about the content of the books, the work we do, and just as important, speak to one another about something positive.
A personal note:
If I were to win one of these books, especially a book that I did not have and was going to buy anyway, I would not be able to wait to dig into it and finish reading it just so that I could put my name in it and find someone to pass it on. But that's just me. Well, actually I hope that it is not just me..
A tip on finding someone to give the book away, especially if you are shy to start a conversation
When at a training course, DFIR college class, conference, or your workplace, have the book sitting on your lap or on the table. Someone will say something about the book. That means they opened the door for you. All you have to do is step in the threshold! Tell how you got it. Tell that the book needs to move to the next person. Show the names written in the front of the book and the highlighted passages. And then.............wait for it.....ask if they are interested in being next in the DFIR book sharing challenge. Boom. You did it.
For those who are not shy, all you gotta say is, "Hey, have you read this book yet?"
FREE #DFIR BOOKS!
Here is the challenge that I continually give myself: Create a project that benefits the DFIR community and won’t require much effort (on the part of the community) but will contribute to the community by generating positive conversations and sharing .
TL/DR (too long, didn’t read)
The project: Give away DFIR books . Lots of them.
If you want to be in the drawing, sign up here: http://social.dfir.training/groups/viewgroup/3-dfir-book-giveaways .
The details
This challenge goes way beyond just giving away books. There is no secret motive behind the books or the challenge. Simply, I am going to review all of the books in detail. I will be putting the reviews on Amazon, https://www.dfir.training , www.patreon.com/dfirtraining , and anywhere else I can that will make a difference to someone looking for information on the books. I’ll be making video reviews of the books too and demonstrating some of the exercises and topics. Then I'll do a drawing to ship a book to someone. I’ll even cover the shipping to get the book to the winner. I am dedicating time and effort to give 1, 2, and maybe up to 3 books a month to different folks in the community with only one thing to ask in return (see the Grand Plan below).
You are probably tired of hearing about sharing in the DFIR community . Sure, I get it. Sharing is usually understood to be ‘getting something for free’, with free meaning not having to give anything in return. I feel that this belief to be unhealthy for the community at large in more ways than you may imagine. Too many in any community get burned out on seeing constant negativity and selfishness, especially for many of us in the tech industry. There are too many instances of negativity online, shaming, alienating, doxing, and theft of ideas from each other. We are each responsible for driving people out of this community and for keeping people in it.
To make this project work, I respectfully ask one thing: If you win a book, consider passing it on to someone else after you finish reading it.
That’s it. You get to read a book that you didn’t have, learn something new to help grow your competence and skill level, and then engage in the DFIR community when you share it by passing the book to someone else in DFIR.
Here is a little more information on this challenge. I am asking the authors of the books to sign them and highlight one or two sentences that are meaningful for them in the book so that everyone can see what is important to someone else. For any author that donates a signed copy, I will be crediting profusely the author for the contribution. For others, I’ll be buying the books and asking authors to sign the copy before I give it away.
So here is the grand plan:
- Author autographs their book and highlights a personally important passage.
- I read it, review it, highlight a personally important passage, sign it, and give it away.
- You get the book shipped to you.
- You either keep it to yourself, or
- Engage the community by reading it, highlighting a personally important passage, signing it, and passing it on.
- The next person then has a choice to either keep the book or engage in the community by passing it on in the same manner.
Personally, I would find it super cool to be handed one of these books, put my name in the book, and look forward to passing it on. Imagine having the physical book in your hand, from the author and through the hands of others in the community, with the most personal passages highlighted. I want that.
What are the community benefits (and does it even matter)?
You benefit by the book author personally handing you a book and connecting with the author. You may be #2 or #20 on the list of getting your hands on the book, but it is coming from the author with a personal note and personal passages highlighted by everyone before you.
You benefit by reaching out to someone to pass the book on and connecting with someone in the community. It can be a co-worker, someone in a college program, or a training course, or a conference, or wherever you can reach out to a fellow DFIR.
The DFIR community benefits by having us talk to each other. “Hey, John Q gave me this book and I really learned some neat things. If you haven’t read it, would you like it? Even the author signed it. And look here, this is a passage that meant the most to me professionally as a neat analysis tip. And if you don’t mind, can you pass it on to someone when you are done? Put your name in it too.”
Here are my requests and suggestions to you .
Point out your personal passage when you pass it on. Say something about the book. Ask that the receiver do the same. Hold the book in the air at a conference and say you have a book that needs a home, and needs a home after that. Put it out on social media that you were part of the book’s travels and you passed it on. If you really enjoyed the book, consider buying a copy or posting a review online. All of this is totally up to you.
I’ll do the heavy lifting.
All you need to do is sign up to enter the drawing. Sign up once and you are entered for 12-24 book drawings a year. Sign up at http://social.dfir.training/groups/viewgroup/3-dfir-book-giveaways . That’s all you need to do. If you win, I’ll send you an email and ask for a shipping address. If you already have that particular book, you can pass on the win and the next person gets it. You then can try for the next book. Keep in mind that you can only win one book so that more people can be involved.
This is a project that you can join without doing heavy research, spending money, or writing a forensic software application. You can read something that you probably wanted to read anyway, and then you actively join the community by paying it forward . Remember the feeling when you get the book, because when you give it, that is how the next person will feel. By the way, you don’t have to know the next person. Anyone sitting next to you in a conference, or at the hotel breakfast table, or standing in line to pick up your conference badge, or wherever. Bring it up. Talk about it. No matter how shy you may be, you can do it. I bet that in a room of a 100 people, any and all would gratefully and gracefully offer to accept the book.
I hope that you will join me and others in this challenge.
Again, nothing more for you to do than to sign up to win a book. Read it. Give it away. And BAM! You deeply engaged the community. Or you can keep the book to yourself. For years, I've said that we all live on the same small planet for a short period of time together. And that's how I interact with people. I rather pull someone to their success than push them out the door. If you read this far, then I know that you feel the same.
PS: Thanks to Harlan Carvey for taking up this challenge without skipping a beat. I donated two of my books and before I could say anything, he donated two of his books. Very cool.
When I started in forensics, I had to walk 5 miles in the snow just to image a computer using a floppy…and Safeback (and other old DFIR tales).
I am certainly not a founder in the field of forensics, and didn’t really get into it until the ball was already rolling forward. However, I will say that I am a proud member of the Floppy disc imaging with Safeback club and its sister club Looking in disks using Norton Disk Editor . 
Besides the technology advances, which are to be expected, the most incredible change that I have seen is that of resources available today that never existed until the recent years. If you can imagine searching online for ‘forensic software’ in 1999 compared to today, you can see the vast difference in what we have available today for resources.
At times, it feels like I will never be able to keep up. First, there is the sheer amount of resources that come online all the time. New blogs , forums , websites. Then there is the new software and hardware that is developed. And training . Goodness! Anything you want to learn, you can learn at your computer! You can literally (yes, I said ‘that’ word) start an online course in minutes to learn a skill that once only could be learned on the job or in a college.
Then add in the dozens of communication methods like Discord and there is practically no limit to the amount of information at your fingertips.
You can take an online course in topic “x” and in a day, become practically competent in the subject matter you, on day one of your exposure, started to learn. We have instant and direct access to subject matter experts that spoon feed any topic that you have interest or need to know, at your fingertips.
On top of that, we have direct access to the entire community to ask questions and share answers. There is no obstacle so difficult that cannot be solved through personal research and requests for help. For those working in InfoSec and DFIR prior to this flood of information, we see it as being an incredible resource that is not to be wasted or taken lightly.
Using Twitter as one example, I find it incredible as to learning something new that I didn’t know before and certainly need. The suggestions for software alone are worth the time to check social media timelines.
--If you ever need to deal with files larger than 4GB, then I recommend using "010 Editor". It also is great even for loading and parsing many files not just a single 4GB file! #DFIR
— [email protected] (@binaryz0ne) October 27, 2018
Rewriting RECmd today. Added the ability to dump keys/values to json. Adding plugin support (like in Registry Explorer) next so you can get STRUCTURED data out of the Registry for things like UserAssist, etc. #DFIR
— Eric Zimmerman (@EricRZimmerman) October 20, 2018
Here is an example that i formatted to be readable. pic.twitter.com/83rkD1yB8g
And then the notices for new blog posts!
Of course, reference and resources website (dfir.training being one of these) only add to the toolbox of knowledge to draw upon.
We completely re-built our forum to ensure it works great on your phone. Now you can ask & answer #DFIR questions on the go.
— Computer Forensics World (@WorldForensic) October 26, 2018
Special thanks to @Brett_Shavers and @DFIRTraining
Check us out today. https://t.co/jaQrX6M2WZ pic.twitter.com/IoliHOzUsd
If that isn’t enough, many of the resource websites curate the information for you!
Week 42 - 2018 #DFIR https://t.co/3hXkoOSK7U
— Phill Moore (@phillmoore) October 20, 2018
And the blogs! Oh my, the blogs!
I wrote a thing. Also, I'm gonna make it a goal to do this bi-monthly. https://t.co/eFY9AmJ1bw
— from da_667 import spoopy (@da_667) October 19, 2018
If you have never written a blog post, let me give a little information. It takes time to write a blog post, and depending upon how nervous you are, how much of a perfectionist you may be, and how edgy your research is, the time it takes is not a few minutes. It can be hours or days to put something together that takes only five minutes to read. But that five minutes can put you hours or weeks ahead of where you were before that blog post was published. Cred to the DFIR/InfoSec bloggers.
No, I didn’t forget the podcasts
So i have an awesome talk with Brett Shavers @Brett_Shavers ( @DFIRTraining ) Thursday 18th October 11pm UTC on @TheManyHatsClub #podcast you'll want join this as it will be something special. https://t.co/MBhEr1iC8n
— ?ĈȳβεЯيӛƈƧƫƯ? (@cybersecstu) October 18, 2018
Want more? How about the podcasts? Where can you listen to someone talk about something that you need to know. How else can you get another perspective by simply typing in an URL in a browser and turning on the sound?
How about watching someone who knows what they are doing, sharing their analysis and research LIVE ONLINE? This never existed before, but we have it now because of peeps like David Cowen showing us intimate details of how he thinks, for our benefit.
As far as dfir.training goes, I intend to keep it up with everything that I feel will benefit the overall DFIR community. From students to the (older) members of the ‘floppy disc imaging with Safeback” club. Whatever is missing on dfir.training is only missing because I don’t know about it or I believe there is already an awesome resource to fall back on (but I will certainly link to those resources!).
Kudos to the DFIR contributors and creators out there, from the hardcore software developers to those who thoughtfully share their research and (positive!) opinions! You folks have earned serious street cred !
You’re not really doing forensics if you’re not doing forensics
I had a neat opportunity to speak on The Many Hats Club podcast this week. Thanks to @ cybersecstu for the invite!
One point that I brought up in the podcast, which I know is going to rub someone the wrong way is that ‘you are not really doing forensics if it is not a legal case’.
What I mean by this is that if someone works in DFIR ( as in anywhere in the field of DFIR ), and the work they are doing has absolutely nothing to do with a legal matter, or potential legal matter, and will never see a legal complaint regardless of what is found in the data, then it isn’t really forensic work. Before the darts come at me, hang on a second and hear me out…
Definitions matter
“ Forensics ” generally is meant to apply to “ legal ”.
On top of that, “ evidence ” is also meant to apply to “ legal ”.
Just my personal opinion: It ain’t forensics if it ain’t a legal matter.
Some may be really hot about my opinion and ready to throw the darts that I am wrong because you doing forensics even though you have nothing to with any legal matter. My intention is to split a single hair, not to set someone's hair on fire.
But here is the thing; I agree that the methods, processes, principles, tools, and intentions are most times, nearly identical. Meaning, if I do ‘forensics’ in a legal matter and someone else does the identical procedures in a non-legal matter, the physical actions we take may be exactly the same. The primary difference is that in one instance, legal evidence is being obtained to potentially be used in a legal matter (civil or criminal) and in the other instance, it is not. Even though the actions, training, skills, procedures, and processes are potentially exactly the same, one is forensics in the true sense of the definition and one is not .
I would go so far to say that most of the work in DFIR is forensics in that practically anything can become a legal matter. However, I know that this distinction is not lost on attorneys or clients. Some clients or bosses demand that an incident become a legal matter (when it isn’t) and some demand that an incident not become a legal matter (when it is or should be). If you work in government, pretty much everything is going to be a legal matter, including national security and military operations. Even when the national security work rarely sees an open court (same with military operations), the DFIR work is forensic because the work (covert ops or combat) is basically a legal case.
For me, when I am getting paid to touch devices or data, I know up front if I am working a legal matter or internal issue. My physical actions are always the same to meet forensic standards, regardless if there is potential for a legal case to develop or just to look at an terminated employee's laptop. The actions are the same, but one is ‘forensics’ per definition and the other is ‘forensics’ only because the processes may be the same ( which is not forensics by definition ).
Some work that I do is by definition 'forensics' and other work is not. You can't tell the difference by the processes I follow, but there is a difference by definition.
To the point…
If you work in the DFIR field and never had the opportunity or misfortune to be involved in a legal matter, you can easily move into the legal side of things with experience if you doing your work in forensically-sound methods in non-legal cases. Do the work as if you know without a doubt, that you will be served with a subpoena to testify to everything you did. Do it right. Write it up. Every time.
DFIR Training is on Patreon!
Take a look. There’s something new happening.
First things first: What’s Patreon?
Patreon is a way that you can support DFIR Training and at the same time, get some real benefits. With support, DFIR Training (the website and Patreon page) will be able to grow and try to reach the expectations I want. By try, I mean that I have high expectations with what I want to do with both the DFIR Training website and Patreon.
Next thing. Support = donations.
By supporting the DFIR Training website and Patreon page, I mean that donations are needed. The website is free to access everything on it, and will always be free . Nothing will ever be behind a paywall. However, to help it grow to way more than it is, I need support. Your support means that I can dedicate more time outside of my regular time to give more content to both the website and Patreon. I want to really go 100mph on this to make both the website and Patreon the place to go for all things DFIR, or at least, one of the top places (I have big expectations....just the way I am...).
Your benefit in supporting
I don’t want donations for nothing in return. I’ll work hard to earn any support I deserve. For that, the Patreon DFIR Training page will give you rewards at different levels of support, depending on how much you want to support. For as little as a few dollars a month to a little more, every bit helps me to spend more time on you and the community.
Some of your benefits are access to Patreon supporter only content. Content like software reviews , software comparisons , f ace-to-face interviews with practitioners in the field , case studies , business and education tips , and Patreon-only chatting it up with me and friends in the community.
Other benefits are access to training courses that I put together. Some of the courses I have, you will be able to access for as long as you are a Patreon supporter! Courses like Placing the Suspect Behind the Keyboard , the X-Ways Forensics Practitioner's Guide online course , and more. Here’s a big thing that I believe in: when you spend time learning, it is an added benefit to be able to formally document your time. The courses that I will give you access to include certificates of completion (not ‘competence’ or ‘skill’, as I can’t test your skill!). But you will have documented proof of your time to complete courses which can be beneficial for your work training records, resume, or court testimony in self-learning, formal courses, and hours of training. This is a big deal because simply watching videos on YouTube doesn’t cut it in court! And I'll keep adding courses for as long as I have something to teach!
On a related note, this is a way to get involved in the DFIR community, even if just a little as your input goes from your mouth to my ear. I am always one to sing the praises of good ideas that someone has. My benefit is seeing someone excel. My enjoyment is being able to be a part of helping someone else. Even if you are an 'expert' (we all know about that word, but you know what I mean), your support is appreciated just as much as your words and opinions. All in DFIR, all wanting to into DFIR, and all related to DFIR are part of the same community. That's the point of this Patreon and DFIR Training work forever-in-progress, forever-improving.
The bad news
I am limiting the number of Patreon supporters at each level at first . I will increase the number as time goes on, but I want to keep the community support fairly small in the beginning to really focus on those who want to support. That means I want to focus on you and provide you what you would like to see. So, if you want to get in now, by all means, jump in!
The good news
I take you at your word and request. If you want to see something specific on DFIR Training or the Patreon page, as a supporter, I will do everything I can to make it happen. You can turn it into something that benefits you and the community, and you will be a most valuable part of all of it. You'll get the benefits that no one will by being a supporter.
Thank you!
In advance, thank you. It takes an amazing amount of time and effort to put materials together and then create a platform for the community to use those materials. Your support is so appreciated, I don’t know how to express it enough, except to say, thank you.
So there you have it!
Take a look at the Patreon page here: https://www.patreon.com/DFIRtraining
Let me know what you think . If you don’t want to support for some reason, let me know what it is and maybe I can make it happen. I try to think of everything, but more brains work better together. I’ll see you on Patreon!
A Commentary on "Top 10 Digital Forensics Tools" Lists
In searching for DFIR tools over the years, I have found lots of “Top 10” lists. I feel that there can be a few improvements made with many of these lists. Here are some pointers on what to look for when looking for the “best DFIR tools”, which is what I look for.
List Purpose
Anything list with a “Top Ten” without an accompanying specific purpose is not as useful as a list that is specific. “Top 10 Registry Forensics Tools” is much better than “Top Ten Forensic Tools”. A generic list is practically useless if you are looking for something specific to accomplish a specific task. I’ve also seen lists that had such incorrect information, that the writer could not possibly have even tried the tool chosen as a “top 10” along with tools chosen that were clearly inappropriate to the list.
Software Licensing
Even more specific, and just as important, is that of the licensing of software. Most lists that I have seen are a combination of commercial, shareware, freeware, and open source software. A much better list than “Top 10 Digital Forensic Tools” would be “Top 10 Open Source Digital Forensic Tools” or “Top 10 Commercial Digital Forensic Tools”. Some lists that I have seen have tools that are "free" but not for commercial use. This is a problem! If you can use a free tool for personal/home use, but use it for a commercial/legal matter, you could run into problems of violating the End User Licensing Agreement. Being a stickler for licensing details is not a bad thing to be.
Specificity
So, if looking for an open source, registry forensics software, I would much rather find a list titled “Top 10 Open Source Registry Forensics Tools” instead of “Top 10 Digital Forensics Tools”. Even a list titled “Top 10 Registry Forensics Tools” will be a better list than a generic list.
Apples and Orange Comparisons
A few lists that I have seen which appeared to be specific, such as comparing forensic suites, have chosen incomparable tools. For example, choosing a non-forensic suite against a forensic suite for comparison isn’t a comparison of like tools. You can’t justify a comparison of a Ford Mustang against a semi-truck in a quarter-mile race, but I have seen it on a few occasions. A comparison of two different things with two different purposes is not a comparison.
Suite vs Suite
Anyone doing DFIR more than a few years knows that each forensic suite does something better than the other forensic suites. That just means that some things in Suite A are better than in Suite B, but some things in Suite B are better than Suite C, and some things in Suite C are better than Suite A (A>B>C>A>C>B>A).
Lists that compare suites and rank them generally as one being better than another may do a disservice unless the top tool does everything better than the tools lower on the list. I don’t find that to be accurate or possible. I have favorite suites, but none of any of my favorite suites do everything better than any other suite.
List Titles
Getting drawn into a "Top 10" list of anything is easy enough, especially when the list name is so generic that it will always appear to cover what you are looking for. If you need a VSS forensic tool, and you see "Top 10 Digital Forensic Tools", well...that should cover what you need, right?
Poorly Titled Lists
Top 10 Digital Forensics Tools
Top 10 Open Source Forensic Tools
Top 10 Digital Forensic Suites
Better Titled Lists
Top 10 Open Source Registry Forensic Tools
Top 10 Commercial Forensic Suites for Email Analysis
Top 10 Open Source Suites for Internet Analysis
Is one better than the other?
Perhaps the most glaring problem with any Top Ten list is that of personal preference and bias . You can’t get away from this. If two tools can analyze email with the same results, why is one typically rated higher than the other? Personal preference or bias (bias can be a paid review or the reviewer personally liking one tool over another) might be the reason. If the list writer doesn't disclose bias in the list, then you have no idea of what puts one tool over another.
Coming up next!
I am creating a regular series on “Top DFIR Software” lists, based on me actually turning on the software and honestly comparing tools against each other. Some lists may be “Top 5” or “Top 3” if there isn’t that many to review for a specific topic. Which brings me to the specificity of the lists…
There will be Suite A is better than Suite B for email analysis , and Suite B is better than Suite A for Internet analysis , and so forth. By better , I mean that as defined by a set of criteria such as (1) results orientated, (2) personal preference, (3) speed, (4) cost, (5) ease of use, and other factors that are clearly defined in the list so you know exactly why I rank tools in any order. If you know the bias and rationale of how a list is made, you can better judge the list and even reorganize the list based on your needs.
Your input is welcome on tool selection and opinions on tools to test and tools that I rate and will rate (via contact form and polls that I create).
The “DF” and “IR” in DFIR does not mean it is the same job
If you didn’t catch Jessica Hyde on RallySecurity this week, you really should take a look. Not just to hear Jessica speak, but to catch the nuance that those who are not in “DF” might not really understand the intricacies of the work, even as they may be intimate specialists in the “IR”. Pretty much everyone on RallySec are extreme experts, and it is cool to see the areas each person overtly has expertise in.
Watch Forensics with Jessica Hyde | RallySec Live! EP93 from rallysecurity on www.twitch.tv
Personally, I am a D igital F orensic person who has enough I ncident R esponse training and experience to know that I am first and foremost, a digital forensics person. That means I know where my boundaries of knowledge reside. My respect goes out to the IR folks who put out the fires and bear the brunt of attacks, breaches, and leaks. That is a tough job. As for me, I rather figure out who did it, how they did it, find the evidence to prove it, and let the full weight of justice bear down on the suspects. But that’s just me. 
The points
We still have to explain who we are and what we do, even to our fellow computer professionals. There has been more than one occasion where I have had to go into an IT department for a forensic gig, only to have some IT folks boast their knowledge of forensics. Typically, this hasn’t gone well, as most times the IT staff claiming to be forensic ‘experts’ were unable to admit they didn’t know anything about forensics, even though they were experts of their environment. The best IT know their limits, just as the best DF and IR do, and they don’t claim knowledge in things they don’t know. I politely get that point across when it happens. I know my job well. They know their job well. We don't know each other's job, therefore we work together to solve the problem.
Another point for those getting into the “DF/IR” field, is to know which side of the fence that you are aiming. I’ve taken a course or two that I thought were to be pure digital forensics, but actually were incident response focused. Not a waste of time, but I can see how easy someone can be looking at one goal but walking in the opposite direction. Be sure to take the training and degrees that you are intending to work toward. Details matter.
One of the biggest differences between the DF and the IR is the intended purpose of the work. Where IR is to stop the pain (stop the attack, seal the leak, etc…), the DF work is to find out the who, what, when, where, why, and how with the intention of legal proceedings . If there are no legal proceeding intention, then it really is not “forensics”, even as the actual procedures, methods, and tools may be the same. A firefighter doesn’t become a traffic investigator for saving an accident victim, nor does a traffic investigator become a firefighter for investigating a collision. Two different jobs. Two different skillsets. Two different goals (firefighters aren't typically looking for criminal evidence when performing CPR....).
Which is better? DF or IR?
The one that you like is better for you and the one that I like is better for me. I was never one to willingly run into a house fire when I worked patrol. I never had the misfortune to do so. I probably would have done so if I had to, but certainly I’d not work the job of a firefighter because sooner or later, I’d be running into flames. By the same token, I have had firefighters tell me that they have no idea why anyone would want to be a cop and handle domestic violence calls or bank robberies. That’s the thing. Different strokes for different folks. The same is true for DF and IR.
Begs the question…
So why is “DF” and “IR” slammed together as “DFIR”? The way I see it, the foundational knowledge is very close and the processes/procedures/tools are sometimes identical. There are only so many ways to image a drive, pull memory, or check running processes. Much is the same, but the goals are different, and eventually, drastically different. You’ll be hard pressed to regularly (if ever) see IR guys in court, just as you’ll be hard pressed to see a DF pro working on an active breach. I believe someone can be both a competent DF and IR person, but this requires quite a bit of work to be highly proficient in both worlds. Possible, but certainly picking one over the other will allow your skills to excel to a higher degree to be a specialist rather than a general practitioner. Just like any medical specialist is in the "medical field", we are all in the "DFIR" field.
Welcome to Dave's DFIR Kitchen.
I've not yet had the pleasure to meet David Cowen , but certainly look forward to that day to give him a hug. He has consistently created great DFIR content over the years and his latest video productions of a Forensic Lunch Test Kitchen is another win for everyone.
If you have not seen the Forensic Lunch Test Kitchen, I highly recommend it, not just for the topic, but also for the subtle clues you can learn from observing critical thinking in action. I am a big fan of figuring things out on your own, a huge supporter of learning how others do it (so that I can improve that what I do), and seeing how someone else processes infomation to make decisions which is most always different than how I would have done it. Not that one way is better than another, but that the more you know, the better off you will be.
It is important to consider that knowing " the " answer or " the " way to do something is only 10% of your skill. The other 90% is knowing how to figure out problems, or how to solve a problem using a different way of critical thinking. The best investigators, the best analysts, and the best problem solvers have one major trait in common. They think. They process. They evaluate decisions. They decide. The difference is in how they think, how they process, and how they evaluate their decisions. Everyone does it a little differently, some innately, some methodically, and to gain insight into someone else's methods can only improve yours.
And now a quick word from our sponsors.
Just some thoughts on “vendor” marketing.
In just about every DFIR email list, social media thread, or forum, there is the sporadic appearance of a vendor who mentions their software in response to a problem someone has, and within seconds of the vendor response, the vendor gets bashed for simply saying, "Hey, maybe my software can help."
I totally get it. I don’t know anyone who wants sales people knocking on their front door, trying to sell something that they didn’t ask for in the first place. Doesn’t matter if it is encyclopedia sales or vacuum cleaner sales, unsolicited sales can be annoying.
The conferences
Anyone who has been to even one major tech conference quickly learns that if you let a vendor scan your badge in return of getting a free pen or toy, you will probably have emails sent to you for years by that vendor. The cost of that “free” stuff is agreeing to be contacted by the vendor. So, you kinda ask for it when you do this.
The mailers
Yes, I get a few mailers. Actual printed materials. Some are done very well and quite informative in addition to selling something. I'll take free useful information anytime.
Back to the online vendor marketing….
First off, I like free stuff. I love FOSS . But I also buy things that I need and I don’t expect these things to be free. Yes, “ Name-Your-Forensic-Tool ” might be expensive, but it is expensive for a reason. It takes time and resources to develop and also incurs marketing expenses to get the word out to those who may need the tool. Basic business. If your business is selling your software, and if you don't sell it, it never gets developed further and your business closes its doors. Everyone loses .
Here is where I see a divergence in how some vendors are treated by some of us (I say “us” because we are all in this together). Some of the comments I've seen and not agreed with include;
-If the tool is so good, it shouldn’t have to be marketed. Sales should be organic.
-I don’t want to be sold anything.
-Vendors should not be able to comment on their tools in forums/email lists/etc…
-I am so tired of seeing marketing on social media (Linkedin, Facebook, etc…)
Here's the thing: if I never see a marketing attempt by a vendor, I may never see the tool…ever. I plainly will never know that it exists, even if I could use it to solve a problem..
For the email lists and forums, I have no problem in that a response to a problem could be answered with someone who sells a solution to that problem. Actually, a vendor with the solution should answer! That is the point of someone asking...they are asking for a solution. And if a competitor responds to another competitor, all the better. Now you can see competing products for your solution. You may even discover a solution that you never knew existed before.
If you take a look at the tools listing on dfir.training , you will over 1,000 individual software tools in DFIR. I am quite sure that you have never seen 75% of the listings before, maybe even more. There are probably another 1,000 tools that are not listed, which would account for those I have never seen before because no one talks about them (therefore…not listed…). I have no doubt that there has been some outstanding tools developed, both FOSS and commericial, that never see the light of day because there is no marketing. I can also imagine some software writers who simply gave up because they didn't market their tool to potential buyers. You can have the best tool in the world, but if no one knows about it, makes no difference in how well it works.
If someone has a problem to solve and publicly asks for a solution to that problem, then those who have potential solutions should feel safe in public recommendations, whether as a user or developer of a solution.
I believe the key point that many seem to have is that because a tool-maker makes money off the tool that they developed, they shouldn’t be allowed marketing their tool or allowed to chime in with a discussion about their tool.
As for me, I tune out the vendors that I don’t need, keep an eye out for tools that I might need, and keep up on the developers with tools that I regularly need. For the tool developers, if you don't see your tool listed on dfir.training, that means I don't know about it and really want to add it, so let me know about it.
