Become a DFIR Earth Mover

My Goal for you:  Become a DFIR Earth Mover.

I don’t think that most of us in DFIR are working to be “famous”. Actually, I don’t personally know anyone who has a goal to be famous in this field. Everyone I know just wants to be good today at what they do and to be a little better at it tomorrow.

That has been my daily goal too: Learn a little more today than I knew yesterday. Prevent mistakes that I made yesterday from happening today. Share a little something that I learned with someone else to make their world a little better than it was before.

There are many in this thing we call “DFIR” who I call DFIR Earth Movers. They are my role models, my quiet mentors, and where I hope to be in achieving my personal goals. Most, I have never met in real life (or as some say, IRL…), and some I have never even connected with online other than following on social media. But these DFIR Earth Movers are all people that drive me forward; i.e., move my DFIR Earth.

To list but a few, without being able to list all and possibly forgetting some of the most important, is a risky venture. But I want to give examples of those who I have no doubt question themselves, who work tirelessly, who share relentlessly, and who I know would stop everything they are doing at the drop of a hat to help others. These are DFIR Earth Movers, which is the goal that I have for each of you reading this, and I know you can do it. I work toward it every day, knowing I may never reach this goal myself, but giving up or slacking off is not an option.

Here goes, in no particular order (using Twitter profiles to make this easier for me and you):

Lorie Hermesdorf – Because Lorie represents the type of DFIR student who is jumping in with both feet publicly, for all to see and share. Meaning, there are hundreds of DFIR students who lurk online with avatar and anonymous accounts, not sharing through blogs or other public exposure, but Lorie (and others, too many to list) does. I was once asked as a job reference what I thought of a new student, who I never met or even corresponded with. My response was that, by looking at what the person was posting online during school, I would have hired her myself based solely on what I had been seeing over the past few years. It takes guts to put your face and name in public, for all the good and bad that comes of it, regardless if you make mistakes or do everything perfectly. Hang in there Lorie. You got this.

Ryan Benson – Dude is killing it with Unfurl and his blog. A perfect example of taking some small, sub-topic in DFIR that has been practically ignored and turning it into something super cool. This is what I wish I could do every day, and is something that I am constantly on alert to find, because this is one of the coolest (and most effective) means of moving DFIR forward. Find that one small thing and own it. Then share that bad boy with everyone. Nice work Ryan.

Troy Larson – When I grow up, I will be happy if I am only half as competent as Troy and just ten percent as funny. I know Troy personally and can vouch that he is just as good a person in person as you could hope. He will share everything he knows, and for someone working at a company with one of the strongest NDAs that you can find, Troy does his best to abide what he cannot share and that which he can. Kudos to Troy for walking that line rather than just keeping it all internal to the company.

Josh Hickman – Josh didn’t come quietly into the DFIR limelight. He kicked down the door, threw down the gauntlet, and smiled with “want some images, i gots you some images”. I put links to his images on https://www.dfir.training/resources/downloads/ctf-forensic-test-images/more-images/1498-android-image-by-josh-hickman1 and in days, the hits reached into the thousands. The time and effort to make and then share this kind of labor is awesome.

Warren Kruse – Warren is one of those folks who I never met, but reading his book when I was just thinking about the field made me do a 180 to jump in at full speed. I tweeted something to this effect in the past, but Warren wrote a book that pointed me in the direction that put me where I am today, and I’ve not regretted a minute. I take that back, there was this one day where I dropped an evidence hard drive and regretted not being more careful…those were stressful and regrettable minutes before checking that I didn’t damage the drive.

Alexis Brignoni – I don’t think Alexis has a pulse because he is a DFIR machine. But there are many DFIRrs like that. The difference is his sharing of his developments and research, and for his attitude. Amazingly cool! I could only hope to be able to hold onto his coattails.

Jessica Hyde – Jessica scares me because I am sure that she has a clone for the amount of work that she does and sharing of everything, and her energy. I am trying to find videos of her being in two places at once so that I can break the news of a Jessica Hyde clone. There is no way she is one person, but seriously, Jessica is a DFIR Earth Mover in the purest sense.

Sarah Edwards – “Mac 4n6 Nerd” is an understatement. BlackBag Tech won the lottery with Sarah on their R&D team. Again, it’s not just the competence or knowledge, but it is the public face with a name that is handing out knowledge, help, and true caring that others benefit from the work. Moving the DFIR Earth because you can, not because you have to.

Mari DeGrazia – When I watch videos of Mari’s presentations on YouTube…I am typically taking notes at the same time. Her blog is one that is on my regularly scheduled “gotta check the DFIR blogs” list. I’m not trying to sound like a broken record (this cliché is about done since fewer people have ever seen a record…), but she could keep her knowledge and skills to herself and be just as successful in the field, but she shares to better us all.

Heather Mahalik – I’ll start with “broken record” as in, Heather is practically on the same train of not having to share anything to be successful, but she does anyway, and her delivery of DFIR knowledge is as accurate as it is sincere. She also has a blog, and if you haven’t noticed a trend yet, most everyone who I personally feel are the DFIR Earth Movers, have blogs, or write for blogs of others, or just write and put knowledge out there.

Eric Zimmerman – Need I say anything?  Dude is my X-Ways forensics brother, as in, we are writing the second edition of the X-Ways Forensics Practitioner’s Guide and I could not have asked for a better co-author. Eric’s clone is also running around the planet, because he does the work of many in the same amount of time that we all have. A cool guy who also shares all his cool stuff.

Higinio “w0rmer” Ochoa – I bet you didn’t expect to see this on my list. Hig is unique to everyone else on this list because he was a criminal hacker, did his time, and works in this field as a positive force. I’ve had a few online conversations with Hig and hold him as an example that you can always be a positive force if you choose to be, without having your past hold you down.  Keep up the good work, Hig!

Lesley Carhart – Here’s another example of taking something small and ignored (smart door locks for apartments) and raising the seriousness of such a “little” thing to everyone’s attention. Lesley is quite the well-rounded person in the field, and must have a million air miles banked with all the presentations that she volunteers to give every year. If Lesley took a vacation for a month, it would still be one month not enough for what I see her sharing and teaching and being a generally great person.

David Cowen – David carved a special place in the field with his Forensic Lunch, but it was his Forensic Lunch Kitchen that showed his willingness to not only put his face and name in public view, but to also share his thought processes while doing forensics live, in tests that he was researching…live. Very creative, but also very informative for anyone wondering how others think when researching and testing. Nice job, David (please keep the Test Kitchens coming!).

Phill Moore – Phill is humble, but his curation of weekly DFIR info is beyond what I have ever seen elsewhere. Like clockwork, he sends out an incredibly great list of DFIR content of the week. And like clockwork, I wait for the tweet when he posts it. To contribute something like this on a weekly basis for so many years, without fail, and to share with the community deserves some cred. So, here’s some cred to you, Phill!

Devon Ackerman – Along with Phill, Devon is in the segment of the DFIR Earth Movers who curate and organize DFIR information for everyone. What you may not realize about providing a repository of data that is curated, is that your name is still on it! Curate incorrect data? That’s your name on it!  This is a tough and risky venture to find the most relevant information, put it together, and put your name on it as a resource. I am willing to bet that both Devon and Phill know how much time and effort the other does with all this DFIR curation effort!

BlackRoomSec – Tara deserves a special place on the list to represent many factors of us in this field. She holds nothing back, so what you see is what you get, but in a very good way. I sincerely appreciate those who are honest (and good) because you know their words are true to heart.  If you take a look at her Twitter timeline, you’ll see that she persevered to get here and stayed true to self.

Nicole Beckwith – Nicole is on my list to represent another segment of the DFIR community; that of law enforcement who investigated the worst of crimes and moved into the private sector DFIR in the open. I can relate with Nicole on a deep level, in that we’ve practically done some of the same things in law enforcement. So to come from a career where your job makes you a target of criminals, defense attorneys, and media and then go public with your name on your public words, means that you are strong enough to withstand what may come your way. Nicole is one of those that make me say to myself every day, “No time to slack off. Time to get to work.”

Harlan Carvey – I intentionally listed Harlan last (everyone else was random), because I know that Harlan doesn't want credit for the work he shares. But he has been impacting the field greatly and for some time now. I've known Harlan for some years, occasionally bumping into each other, and to meet Harlan is to get to know him. As much as some may think his tweets are a bit stern, he is the biggest teddy bear in person, and I say that in a way to mean he has a big heart and a sincere concern for people. I will now wait for his email about me spilling the beans on him being a really nice guy for a Marine :)

The point of all of this?

There are many, many more that I can list, but that would turn into a book instead of a blog post. The point is those who are making differences in the DFIR field didn't necessarily set out to do that. Most everyone cracked the books, took the classes, hit the data, and then talked about it publicly and shared their work. I know without exception that there are DFIRrs working behind closed doors and cannot share their work because of national security or non-disclosure agreements. They are every bit as competent as anyone else, but they are prevented from being a public figure. Others who are not public figures simply do not share their work. They may also be the most competent folks in the field, but it is just not for them to put their name and face on their ideas publicly. Nothing is wrong with that by the way.

But for those who put their name in public, with their opinion and assumptions of how they think artifacts interact with the user, you people are DFIR Earth Movers. Cred to you all.

Written by: Brett Shavers