Here is the challenge that I continually give myself: Create a project that benefits the DFIR community and won’t require much effort (on the part of the community) but will contribute to the community by generating positive conversations and sharing .

TL/DR (too long, didn’t read)

The project: Give away DFIR books . Lots of them.

If you want to be in the drawing, sign up here: http://social.dfir.training/groups/viewgroup/3-dfir-book-giveaways .

The details

This challenge goes way beyond just giving away books. There is no secret motive behind the books or the challenge. Simply, I am going to review all of the books in detail. I will be putting the reviews on Amazon, https://www.dfir.training , www.patreon.com/dfirtraining , and anywhere else I can that will make a difference to someone looking for information on the books. I’ll be making video reviews of the books too and demonstrating some of the exercises and topics. Then

I had a neat opportunity to speak on The Many Hats Club podcast this week. Thanks to @ cybersecstu for the invite!

One point that I brought up in the podcast, which I know is going to rub someone the wrong way is that ‘you are not really doing forensics if it is not a legal case’.

What I mean by this is that if someone works in DFIR ( as in anywhere in the field of DFIR ), and the work they are doing has absolutely nothing to do with a legal matter, or potential legal matter, and will never see a legal complaint regardless of what is found in the data, then it isn’t really forensic work. Before the darts come at me, hang on a second and hear me out…

Definitions matter

“ Forensics ” generally is meant to apply to “ legal ”.  

On top

If you didn’t catch Jessica Hyde on RallySecurity this week, you really should take a look. Not just to hear Jessica speak, but to catch the nuance that those who are not in “DF” might not really understand the intricacies of the work, even as they may be intimate specialists in the “IR”. Pretty much everyone on RallySec are extreme experts, and it is cool to see the areas each person overtly has expertise in.

Watch Forensics with Jessica Hyde | RallySec Live! EP93 from rallysecurity on www.twitch.tv

Personally, I am a D igital F orensic person who has enough I ncident R esponse training and experience to know that I am first and foremost, a digital forensics person. That means I know where my boundaries of knowledge reside. My respect goes out

I've not yet had the pleasure to meet David Cowen , but certainly look forward to that day to give him a hug. He has consistently created great DFIR content over the years and his latest video productions of a Forensic Lunch Test Kitchen is another win for everyone. 

If you have not seen the Forensic Lunch Test Kitchen, I highly recommend it, not just for the topic, but also for the subtle clues you can learn from observing critical thinking in action. I am a big fan of figuring things out on your own, a huge supporter of learning how others do it (so that I can improve that what I do), and seeing how someone else processes infomation to make decisions which is most always different than how I would have done it. Not that one way is

Just some thoughts on “vendor” marketing.

In just about every DFIR email list, social media thread, or forum, there is the sporadic appearance of a vendor who mentions their software in response to a problem someone has, and within seconds of the vendor response, the vendor gets bashed for simply saying, "Hey, maybe my software can help."

I totally get it. I don’t know anyone who wants sales people knocking on their front door, trying to sell something that they didn’t ask for in the first place.  Doesn’t matter if it is encyclopedia sales or vacuum cleaner sales, unsolicited sales can be annoying.

The conferences

Anyone who has been to even one major tech conference quickly learns that if you let a vendor scan your badge in return of getting a free pen or toy, you will probably have emails sent to you for years by that vendor.  The cost

What a time to be in the field of DFIR! If you have being doing this work since the days of the floppy, you surely must be as excited as me. If you just entering the field, you will see even more advancements in the future than your predecessors have.

But let’s get on with one of the most important topics that is making our skill levels advance more than anything else has ever done before: Instant documentation and sharing.

Many in the field have written (and keep writing!) and about the importance of sharing and documentation. Without getting into ethical questions in the field about sharing special discoveries, I want to talk about sharing generically, but specifically in the physical manner of sharing.

{source}
<blockquote class="twitter-tweet" data-conversation="none" data-lang="en"><p lang="en" dir="ltr">One of the biggest issues in our industry is the dearth of documentation.</p>&mdash; H. Carvey (@keydet89) <a href="https://twitter.com/keydet89/status/1013757497570615297?ref_src=twsrc%5Etfw">July 2,

A weekend Twitter thread about having a lack of citable, peer-reviewed, DFIR research prompted me to volunteer to host a project management website (a sub-domain of dfir.training). I think the need is real for reasons mentioned on the Twitter thread, but whether or not it can work is all together a different matter. 

From what I have seen, peer reviewed DFIR research generally lives within journals and books , or within the walls of academia . Either the research is not freely available and/or not easily found within the walls and halls of educational institutions.  Research is blogged about, presented at conferences, and uploaded to the Internet via any number of websites, with much of this work not being peer reviewed .  There is too much great effort that is never formally published in which the researcher deserves to (1) receive formal recognition and (2) be formally peer-reviewed by the community

Like many others working in DFIR, I occasionally get asked questions on how to get a job in DFIR.  By DFIR, I mean the overall field of digital forensics/incident response/electronic discovery. Sometimes, the questions are loosely asked as if it is easy to get in by someone who thinks they are 'good with computers'.  Other times, I am asked by those with computer science graduate degrees and tons of computer experience.  The range is quite wide. I am certain that anyone and everyone looking to make a break into DFIR has already Google'd it, found a lot of blog posts, and still are having a difficult time getting in the door.  That is just the way it is.  Employers feel like they can't find anyone and everyone feels like they can't find an employer to hire them.

I have blogged about this before, and I'm writing again because this is