The “DF” and “IR” in DFIR do not mean it is the same job

If you didn’t catch Jessica Hyde on RallySecurity this week, you really should take a look. Not just to hear Jessica speak, but to catch the nuance that those who are not in “DF” might not really understand the intricacies of the work, even as they may be intimate specialists in the “IR”. Pretty much everyone on RallySec is an extreme expert, and it is cool to see the areas each person overtly has expertise in.

Watch Forensics with Jessica Hyde | RallySec Live! EP93 from rallysecurity on www.twitch.tv

Personally, I am a Digital Forensic person who has enough Incident Response training and experience to know that I am, first and foremost, a digital forensics person. That means I know where my boundaries of knowledge reside. My respect goes out to the IR folks who put out the fires and bear the brunt of attacks, breaches, and leaks. That is a tough job. As for me, I’d rather figure out who did it, how they did it, find the evidence to prove it, and let the full weight of justice bear down on the suspects. But that’s just me.

The points

We still have to explain who we are and what we do, even to our fellow computer professionals. There has been more than one occasion where I have had to go into an IT department for a forensic gig, only to have some IT folks boast of their knowledge of forensics. Typically, this hasn’t gone well, as most times the IT staff claiming to be forensic ‘experts’ were unable to admit they didn’t know anything about forensics, even though they were experts in their environment. The best IT people know their limits, just as the best DF and IR people do, and they don’t claim knowledge of things they don’t know. I politely get that point across when it happens. I know my job well. They know their job well. We don't know each other's job, therefore we work together to solve the problem.

Another point for those getting into the “DF/IR” field is to know which side of the fence you are aiming for. I’ve taken a course or two that I thought were going to be pure digital forensics, but were actually incident response focused. Not a waste of time, but I can see how easily someone can be looking at one goal while walking in the opposite direction. Be sure to take the training and degrees that lead toward the work you intend to do. Details matter.

One of the biggest differences between DF and IR is the intended purpose of the work. Where IR is there to stop the pain (stop the attack, seal the leak, etc…), the DF work is to find out the who, what, when, where, why, and how, with the intention of legal proceedings. If there is no intention of legal proceedings, then it really is not “forensics”, even though the actual procedures, methods, and tools may be the same. A firefighter doesn’t become a traffic investigator for saving an accident victim, nor does a traffic investigator become a firefighter for investigating a collision. Two different jobs. Two different skillsets. Two different goals (firefighters aren't typically looking for criminal evidence when performing CPR...).

Which is better? DF or IR?

The one that you like is better for you, and the one that I like is better for me. I was never one to willingly run into a house fire when I worked patrol. I never had the misfortune to do so. I probably would have done so if I had to, but I certainly would not work the job of a firefighter, because sooner or later I’d be running into flames. By the same token, I have had firefighters tell me that they have no idea why anyone would want to be a cop and handle domestic violence calls or bank robberies. That’s the thing. Different strokes for different folks. The same is true for DF and IR.

Begs the question…

So why are “DF” and “IR” slammed together as “DFIR”? The way I see it, the foundational knowledge is very close, and the processes/procedures/tools are sometimes identical. There are only so many ways to image a drive, pull memory, or check running processes. Much is the same, but the goals are different, and eventually drastically different. You’ll be hard pressed to regularly (if ever) see IR guys in court, just as you’ll be hard pressed to see a DF pro working an active breach. I believe someone can be both a competent DF and IR person, but this requires quite a bit of work to be highly proficient in both worlds. Possible, but picking one over the other will certainly allow your skills to excel to a higher degree, making you a specialist rather than a general practitioner. Just as any medical specialist is in the "medical field", we are all in the "DFIR" field.

Written by: Brett Shavers