I am certainly not a founder in the field of forensics, and didn’t really get into it until the ball was already rolling forward. However, I will say that I am a proud member of the Floppy disc imaging with Safeback club and its sister club Looking in disks using Norton Disk Editor.
Besides the technology advances, which are to be expected, the most incredible change that I have seen is that of resources available today that never existed until recent years. If you can imagine searching online for ‘forensic software’ in 1999 compared to today, you can see the vast difference in what we have available today for resources.
At times, it feels like I will never be able to keep up. First, there is the sheer amount of resources that come online all the time. New blogs, forums, websites. Then there is the new software and hardware that is developed. And training. Goodness! Anything you want to learn, you can learn at your computer! You can literally (yes, I said ‘that’ word) start an online course in minutes to learn a skill that once only could be learned on the job or in a college.
Then add in the dozens of communication methods like Discord and there is practically no limit to the amount of information at your fingertips.
You can take an online course in topic “x” and, in a day, become practically competent in the subject matter that you started to learn on day one of your exposure. We have instant and direct access to subject matter experts who spoon-feed any topic that you have an interest in or need to know, at your fingertips.
On top of that, we have direct access to the entire community to ask questions and share answers. There is no obstacle so difficult that it cannot be solved through personal research and requests for help. For those working in InfoSec and DFIR prior to this flood of information, we see it as being an incredible resource that is not to be wasted or taken lightly.
Using Twitter as one example, I find it incredible for learning something new that I didn’t know before and certainly need. The suggestions for software alone are worth the time to check social media timelines.
If you ever need to deal with files larger than 4GB, then I recommend using "010 Editor". It also is great even for loading and parsing many files not just a single 4GB file! #DFIR
— @binaryz0ne, October 27, 2018
Rewriting RECmd today. Added the ability to dump keys/values to json. Adding plugin support (like in Registry Explorer) next so you can get STRUCTURED data out of the Registry for things like UserAssist, etc. #DFIR
— Eric Zimmerman (@EricRZimmerman) October 20, 2018
Here is an example that I formatted to be readable. pic.twitter.com/83rkD1yB8g
And then the notices for new blog posts!
Of course, reference and resource websites (dfir.training being one of these) only add to the toolbox of knowledge to draw upon.
We completely re-built our forum to ensure it works great on your phone. Now you can ask & answer #DFIR questions on the go.
— Computer Forensics World (@WorldForensic) October 26, 2018
Special thanks to @Brett_Shavers and @DFIRTraining
Check us out today. https://t.co/jaQrX6M2WZ pic.twitter.com/IoliHOzUsd
If that isn’t enough, many of the resource websites curate the information for you!
Week 42 - 2018 #DFIR https://t.co/3hXkoOSK7U
— Phill Moore (@phillmoore) October 20, 2018
And the blogs! Oh my, the blogs!
I wrote a thing. Also, I'm gonna make it a goal to do this bi-monthly. https://t.co/eFY9AmJ1bw
— from da_667 import spoopy (@da_667) October 19, 2018
If you have never written a blog post, let me give a little information. It takes time to write a blog post, and depending upon how nervous you are, how much of a perfectionist you may be, and how edgy your research is, the time it takes is not a few minutes. It can be hours or days to put something together that takes only five minutes to read. But that five minutes can put you hours or weeks ahead of where you were before that blog post was published. Cred to the DFIR/InfoSec bloggers.
No, I didn’t forget the podcasts
So I have an awesome talk with Brett Shavers @Brett_Shavers (@DFIRTraining) Thursday 18th October 11pm UTC on @TheManyHatsClub #podcast you'll want to join this as it will be something special. https://t.co/MBhEr1iC8n
— ?ĈȳβεЯيӛƈƧƫƯ? (@cybersecstu) October 18, 2018
Want more? How about the podcasts? Where can you listen to someone talk about something that you need to know? How else can you get another perspective by simply typing in a URL in a browser and turning on the sound?
How about watching someone who knows what they are doing, sharing their analysis and research LIVE ONLINE? This never existed before, but we have it now because of peeps like David Cowen showing us intimate details of how he thinks, for our benefit.
As far as dfir.training goes, I intend to keep it up with everything that I feel will benefit the overall DFIR community. From students to the (older) members of the ‘floppy disc imaging with Safeback’ club. Whatever is missing on dfir.training is only missing because I don’t know about it or I believe there is already an awesome resource to fall back on (but I will certainly link to those resources!).
Kudos to the DFIR contributors and creators out there, from the hardcore software developers to those who thoughtfully share their research and (positive!) opinions! You folks have earned serious street cred!