Learn something. Teach something. Share something.

Here is something I do. I make it a point to write down something that I learned each month. No, I don’t sit and think about what I learned, then write a poem about it. When I learn something that impacts what I do in DFIR, I write it down as I soon as I “learned” it.  By learning, I mean either I figured it out through research, or watched it in a video, or a class, or a blog. This happens several times a month…but I want to have at least one thing that I learned per month.

At the end of a year, I can look at the major things I learned and put an importance on newly learned thing by simply writing a few words about it. From this, I personally share with or teach others.  I call these the “neat things”.

I know that you also learn something new every month (day?) too. We pretty much all do. But the suggestion I have for you is to jot a note down for the big ones that make you stop and think. There are a lot of fairly innocuous things we learn all the time, but sometimes, we learn something really neat that impacts what we do more than anything else.

Impact?

By “impact”, I refer to those neat things that may save me time, or give me a new skill, or plainly teaches me something so cool that I can’t wait to tell someone. Your “neat things” will be different from mine, and that is the way it is supposed to work.  I admit that sometimes I come across something that is neat to me, and when I tell someone else, they already knew about it ☹.  Still, new to me is a personal improvement that I can make.

I keep this in mind all the time I am at a digital device, and surely, you do too. You type, click, type, click, and during the typing and clicking, you learn something about an artifact or how a tool works or some way to do something a little more efficiently. We do this and improve individually, but what we don’t do is stop and realize just how much we are learning. Note-taking helps me reflect that (#1) I am constantly learning, and (#2) I should be sharing what I learned in case someone else doesn’t know. It is also personal proof that I am not stagnant in keeping my skills up to date.

Here is something to be aware if you meet me somewhere. If something comes up that I know about (and excited about), and you have not heard about it, I’m going to fill you in on it. If it is a software that I found to be awesome and you haven’t tried it yet, guess what we will be talking about for the next 10 minutes….

A lot of what I have learned is also probably the way you learned too: Through mistakes and errors.

But that’s okay too. Any of my mistakes are burned into my cranial cavity enough to remind me for a long time. Plus, I tend to talk about how I royally screwed something up only to come out of it a better person. Basically, I tell people, “Guess what? I touched a hot stove and it was hot.” That is not as embarrassing as saying that I keep touching a hot stove and haven’t learned from it. Bottom line is that making mistakes and recognizing the mistakes is good for growth and improvement. Hiding mistakes (or worse, denying ever making mistakes!) stunts growth.

The DFIR Training website

I'll also admit that I am learning and re-learning so many neat things with the DFIR Training website. It takes time to manage, but my personal benefit is entering 1,400 different software applications, reading dozens and dozens of white papers, and now going through one forensic artifact at a time. My motivation is both selfish (I want to learn!) and altruistic (I want you to learn too!). Here is where I am finding the biggest learning experience with DFIR Training; the forensic artifact database. Although it is new and has a lot more to go before being the go-to artifact database, it is incredible as to what you can learn by going over an artifact by curating white papers, tools, references, and videos about each artifact. So cool to do and I hope to be cool to you too.

I suspect the forensic artifact database to easily reach over 1,000 artifacts in time. Given over 1,000 DFIR tools and  soon enough to be over 1,000 forensic artifacts , all cross referenced by tool-to-artifact, artifact-to-tool, and citable references, this is a very cool undertaking that I can learn by putting together and anyone can learn by simply searching or browsing for what is needed.

Spreading the news about the neat things

So over at the DFIR Training Patreon page , I’m going to keep talking about neat things. I have software on my desk that I will comparing and reviewing, book reviews to write and make videos about, and talk about all the little things that I have come across over the years that might make someone else’s day easier.

On my podcast , I am giving some war-stories as examples to the topics I want to share. Probably every “war-story” is an incident where I fell on my face, or boogered up something, or plainly just messed up something. I am not trying to sound like I am uncoordinated or unskilled or born to be a goof, but that I have learned some things the hard way for whatever reason, and that I can share how not to do that. If one story that I tell can save someone from hours of work or public embarrassment or better yet, solve a good case, then it is worth it.

Here’s one war-story from my former law enforcement work that shows why I want to share the things I know. As a use-of-force instructor, I was giving training on a specific threat* and a specific reaction to handle that threat over a period of years (I thought it an important topic enough to repeat it often).  One day, an officer in my agency was thrown into an officer-involved shooting, survived, and sought me out afterward. He gave me a hug and said that the only thing going through his mind were the words that I kept repeating in training. Of course, I was happy to be a part of the outcome of the shooting, but in all fairness, he was there and handled it, not me. The same goes to forensic work. I can give my opinions and suggestions to help, but it is the receiver who chooses to put it the words to work. I am just glad to be part of it. 

More importantly, you should too.

 

*sorry, not going to talk about the specifics of the threat or how to handle it..

Written by :Brett Shavers