Slow is smooth.  Smooth is fast.

Working in DFIR is akin to competing in a sports event. There are winners and losers, but no one dies. Cases may be lost and PII stolen, but no one is physically killed by a malware attack. Yes, I know pacemakers can be hacked, but malware isn’t killing the DFIR practitioners when they lose to an attacker.

However, we certainly seem to describe the DFIR field as if we are actually fighting physical battles. We play “NetWars”, conduct “Tactical Analytics”, run “Red Team Ops”, and take software “Bootcamp” courses. I’m waiting to see the urban assault leaders course for DFIR…

Which brings me to two things:

1. Basic DFIR techniques

2. Advanced DFIR techniques

Advanced is simply perfecting the basics. In tactical training (as in real-life military or police tactical training), the basics are hammered in with slow, methodical, and rehearsed practice. Slow as in slow motion. Slow as in every step, every trigger squeeze, and every breath is a calculated thought process. A point comes where the “slow” movements and thought processes become “smooth”. At that point, smooth becomes fast. You need this concept in DFIR to grow and improve, regardless of whether you are new to the field or a Grandmaster DFIRer. Advanced only means 'mastering the basics'. Don't let fancy training titles make you think any differently.

Tip: Use the DFIR artifact database to keep the basics firm in your cranial cavity. It is easy and commonplace to forget something that is basic if you don’t see or review it enough. Reviewing something you mastered years ago not only solidifies what you knew anyway, but I promise you will either learn something you didn’t know or remember something you forgot. Slow is smooth. Smooth is fast.

I started the DFIR artifact database to easily refresh what I know (or should know). Looking at what has been done before online, I found that other forensic artifact websites either weren’t updated for a year or more, or were not organized in a manner that I found easy to use. Hopefully, I have made this database easy for anyone to use; but if not, I’m open to suggestions.

Side note:

Marines are known to be deadly accurate with their rifles. Want to know their secret? Before each qualification, they spend a week “snapping in”. They practice all day, every day for a week, in various shooting positions, aiming at a barrel, squeezing the trigger over and over again, and never firing a single round. They spend an entire week reviewing and mastering the basics before taking the first shot on the range. They do this every time, regardless of how well they shot the last time and regardless of how many years they have been shooting. They do this in order to become experts in shooting. Slow is smooth. Smooth is fast.

You can expect several DFIR artifacts added to the database weekly. It will take time for me to get the database fully stocked with artifacts, but if you were to review one artifact a day as I add them, by year’s end you should have 40+ hours of reviewing artifacts that will 100% help improve your skills in the work you are doing. Imagine reviewing an artifact and having just one thing trigger a memory that relates to a case (or incident) you have, and you solve it because of what you reviewed. Time spent refreshing knowledge is time well spent.

Written by: Brett Shavers