Don't be led down the DFIR Garden Path
Jun 03, 2021
A few years ago, I wrote a blog post on regulation in the Digital Forensics/Incident Response field titled “The last thing we want in DF/IR is the first thing we need in DF/IR (aka: regulations…)”. Sooner or later (probably sooner!), my predictions from that post will come true. Some will be ready and others will need a new career.
DFIR is like a teenager. It doesn’t like rules or restrictions. It only wants to use the software that it wants to use and only do the work the way it wants to do it. It only wants to take the training that it wants to take and skip the rest. The result is a haphazard field in which only a few things are standard. Training is not one of them. The use of tools is not one either. Nor is education. Nor is regulation.
Using tools as an example, “we” tend to use the tools that find the data faster and easier than other tools. Faster meaning right now, and easier meaning pushing a button. We are already near that point, if not there now. Our tools are AWESOME and EASY to use! Perhaps the bad part is that, for the most part and for the vast majority of the tools, they are doing exactly what they are expected to do, and therefore we trust them implicitly.
Then comes human nature…the teenager in all of us…
We get lazy. We become complacent. We begin to rely too much on the tools doing the work. We push run, grab a cup of coffee, then print an automated report. We are in the “iForensics” stage of DFIR. Who needs to know hex? Hex is the algebra of forensics. Does anyone even look at it anymore? Right?
Do you look at hex?
Let me interrupt this emergency broadcast with one point: if you are doing the real work of forensics, in that you throw on a snorkel and dive into the data to find evidence to solve a case, then you already know what I am talking about. You only take training to learn and not for the sake of a certificate or coin. You only get a degree in order to get a job that allows you to be hired to do the work of swimming in oceans of data in search of forensic artifacts. With this attitude, you will forever be fine in DFIR, regardless of what happens with development of any tools or processes.
I sarcastically type “iForensics” as a descriptor of our field that is leading us down the garden path of trusting automation and tools to tell the story of our cases. I regularly see automated reports in peer review engagements. To me, this shows no 'work' of the examiner, over-reliance on a tool, and virtually no interpretation of the data. It is like a painter just threw a bucket of paint onto a canvas.
Don’t be led down the garden path. It won’t end well.
You are the examiner, not the tool.
There is a reason why some attorneys can charge $1000 an hour. They (should*) be worth it. They (should*) have the ability to visualize a case from beginning to end, formulate multiple strategies, and deliver the goods every time and in less time than their competitors. The same applies to any DFIR practitioner. The fees of some examiners rival or exceed those of the high-priced attorneys who hire them! The line between examiners who can charge so much and those who cannot is one of competence and speed.
The difference is not the tools used or the courses taken. It is using all that is available to solve a problem. Solving the problem means uncovering the story of what happened, being able to tell that story as if you were Leonardo da Vinci painting the Mona Lisa, and giving your opinion. It is you doing the work. The tools make it possible to see the data, but you need to be able to paint that data on a canvas to effectively tell the story.
Randomly throwing tools at a problem creates more problems. You have a toolbox full of tools. Before blindly reaching in, reflect on which tool will do what you need, because your work is not pushing buttons (anyone can do that). Your work is to solve a problem. The tool just helps you do that.
A hiring manager asking questions of “How would you solve this problem?” is probably looking for a problem solver, whereas asking “Which tools do you use?” might subconsciously be looking for a button pusher.
That one damn thing
I harp on one thing all the time, and that is finding that “one thing” that makes your work more effective. If you can find a new ‘one thing’ with everything you do, you will become one of the most effective examiners around. We do this all the time. If you are like me, you have fought with something not working the way you expected it to work. You try again and again to get it to work (a tool, or a process, or something). Then you figure out the problem. That is one thing that you learned to do better next time. It took hours, but it will save you days and weeks over a career.
Your tools are the paintbrushes. The data are the paint. The canvas is your interpretation and presentation. You should be thinking about the picture, choosing the brush best suited for the paint. You put inferences together. You tie artifacts together. You put everything together in a painted picture, or a story being told. Find that one thing in everything that you read and do. Those "one things" might save a minute or an hour, but over time, that amount of time adds up to competence and effectiveness with less time needed.
Find that one thing, and find a bunch of them! They add up to expertise, effectiveness, efficiency, and competence. These are the things that you can't buy and you can't fake.
(Scene from City Slickers, where Jack Palance talks about "one thing" and it applies to real DFIR life).