Drowning in an ocean of DFIR resources

Jul 31, 2022

It was much easier to learn digital forensics decades ago. This is not because systems were less complex or because datasets were smaller. It was easier because there just wasn’t that much to learn. On top of that, there were few resources to draw upon: no college degree programs, only a few general books on the topic, hardly any Internet resources, and a few people willing to share what they knew.

There still were many artifacts that existed in the operating systems that we examined during those earlier years but we had no idea where they were located, what they were, or what they meant when we saw them.

The biggest difference today is the sheer volume of resources to learn and grow in this field. It seems as if every college and university has some sort of cyber degree program or continuing education certificate, some of which are awesome and others not so much. We have a software application for every type of known artifact, a class for every application, and classes for every known artifact.

Where we started with general books, we now have books written specifically for unique subsets of forensics. The Internet is flooded with YouTube videos on virtually every aspect known in the forensic field. Social media posts constantly, practically every few seconds, on some aspect of forensic work. Where there were no conferences related to forensics in the past, we now have one occurring every month or several times a month worldwide. Forensic examiners write more blog posts today than they wrote reports back in the day.

Software vendors offer more courses than any one examiner could take in their career. Podcasts, Zoom sessions, lunch and learns, Discord, social media, blogs, forums, online videos, demos, and reviews of tools and resources are overwhelming.

For a new person to dive into this digital forensics world without preparation is like jumping into the ocean and not knowing how to swim. You will most likely drown. And if you don’t drown, you may learn to doggy paddle and not much else.

The key point

Before jumping into the ocean, learn how to swim first. Translated, before you get started in this field or before you get started transitioning from one forensic topic to another, prepare yourself and make a plan.

The first question to ask yourself is, “What do I want to learn?” The next question is, “How do I want to learn?” Let’s use two examples, one for a person interested in getting into DFIR and another for a person already in DFIR.

The newbie

DFIR is not just one job. It is an umbrella of too many jobs to count. Even DFIR jobs with the same title can have two completely different job descriptions, requirements, and training. Before venturing into this field, determine what your end goal is. This is not unlike finding any career that matches your aptitude, attitude, and desires. Much like deciding to be a doctor requires you to pick which kind of doctor to be, DFIR requires you to pick what type of DFIR job you prefer.

Once you have picked your goal, whether that be digital forensics or incident response, you must create the path to get there. Your path will be different from everyone else’s. Your opportunities are different, your obstacles are different, and you are different. There is not a roadmap to DFIR like there is to be a dentist, a doctor, or a lawyer.

So where do you start, considering the ocean of resources?

Perhaps the easiest resource to start with is finding out what employers require applicants to have in education, training, and experience. However, most job postings are not as accurate as they should be because employers may not even know what they want in an applicant. But it is a start.

Before you think this won’t happen to you, I can give two personal examples where I paid thousands of dollars out of pocket and vacation time to attend DFIR courses that did not apply to what I needed. The course material was good but irrelevant to me. That was time and money wasted. Fortunately, it did not break my finances at that time to end my chances or cost me years in learning DFIR.

I have spoken to several college students over the years and there have been more than a few occasions that some of the students enrolled in the wrong programs. Some spend years in college only to find out that the programs they thought they were paying for were the opposite of what they needed.

It is easy for me to say that you must find out what is needed before starting, and harder for me to say what is needed for the job that you want. But it is what it is. If I would do this all over again, I would first learn what all of the jobs in DFIR do, the requirements for each of them, and narrow down the exact job that I want to do. Again, this is no different than the medical field where someone must decide whether they want to be a general practitioner or a foot doctor or an eye doctor or a heart surgeon.

Beware of randomly swimming in overwhelming Internet resources without a plan because it may become a money pit and time drain.

For those already in DFIR (and this applies to newbies as well)

Choose your resources wisely. Here’s something that I do before taking any vendor course. If I don’t own the software already, I grab a demo. I read the manual, I read reviews of the application, I watch videos of how to use it, and I practice with it. And only then will I pay for a course in it. If there is a non-vendor training of that application, I may pay for that before taking the vendor course if the price is a fraction of the vendor course. The reason is that the vendor course is usually expensive, and the flow of information can feel like drinking from a fire hose. That means missing critical components of the software, falling behind in the presentation, and not fully grasping everything that is being taught. But by preparing before spending thousands on a vendor course, and at least learning the basics of the tool and being familiar with the interface and commands, I am better able to understand the vendor training. I will learn more, i.e., make the most out of my money and time.

An example would be diving into memory analysis. Again, I tend to typically look at the course syllabus of the college program in memory analysis, the outline of a vendor course, and blog posts that talk about memory analysis. All of these tell me what I should know at a high level. Then, using publicly available data sets and both open source and demo software, I follow along with what is already available in example cases and challenges. This at least gives a high-level view of what memory analysis looks like with some tools and case examples. I will learn the vocabulary while doing this, which greatly helps during a training course.

With that, I generally have an idea of what I need to know and some of the tools that I can do it with and be able to find the training to give me the foundation of memory analysis. Preparation turns the ocean of overwhelming resources into a kiddie pool. Time and money are both wisely invested.

Good for the goose might not be good for the gander

There are only a few truisms in DFIR that are immovable, such as do no harm. Most of the other things are very flexible. Few governments have much, if any, regulation of work in this field, there are no common educational standards among universities and colleges, and every vendor creates and teaches what they think is best.

Even software applications are extremely flexible in accomplishing a DFIR job. Take two software vendors as one example. Both may be marketed to do the exact same functions, at a very similar price point, and put out very similar results. Which do you choose? That is where the flexibility lives, as you can choose the one that you like to do the job that you need. Maybe you are swayed by the marketing, the interface, the workflow, or just the way the company’s logo looks. As long as the tool does what it markets, the choice is yours.

The point is that if I choose software application A and you choose software application B, we probably both picked what we each needed. Don’t fret over a tool that someone else uses that you don’t like to use if you have a tool that does the same thing. The same goes for training and education, as your path is different from mine and mine is different from someone else’s.

Resources of resources of resources

In the ocean of DFIR resources, you have resources of those resources and websites such as DFIR.training, AboutDFIR.com, forensicfocus.com, and others. It’s almost like the movie “Inception” where one layer leads to another deeper layer leading to another deeper layer. But truly, these resources of resources are probably the best way to find what you need instead of blindly googling for information. Curation is key, so take advantage of it.

Make your own training course

If you are diligent and really want to show employers, potential employers, and a court that you are competent, skilled, dedicated, and focused on continual development of your skills, make your own training course.

I’m not saying that you need to market and sell a training program. I’m suggesting that you can create an internal program for yourself on a topic that you researched, practiced, and documented in a manner that you could teach it if you wanted. It is one level to be able to accomplish a task. It is an entirely different level to know it well enough to teach it.

This is a lot of work

Creating your own internal DFIR course that no one may ever see, except for maybe your boss, a future boss, the client, or the court, is a time-consuming process. But the benefits truly outweigh the time spent. Watch the full video for more details but consider that if you make a personal training course for yourself, and let’s say we choose the memory forensics example, at the same time that you are learning memory forensics, you are learning how to teach it, you are validating software applications, you are making mistakes, and you are documenting all of this research. These are things that we do anyway or at least the things we should be doing anyway. But with this personal training course documentation, you derive all of those benefits.

How much detail and how much time to spend on such a project is up to you, your time, and the topic.

In a case that was being prepped for trial, I knew of a particular topic that if I was questioned by the opposing counsel, the answers were highly technical and not easy for a layperson to comprehend. So I hoped I would not be asked about that particular topic, not that I was worried about my work quality, but I prepared anyway by creating a mini course of that specific artifact.

That mini-course included a syllabus, a few PowerPoint slides, and clearly delineated examples of that artifact based on testing and research using the same tools that I used in the analysis. It also included references to research of others, including extracts from forensic books.

In trial, and in less than 10 minutes, I conveyed a highly complicated topic with easy-to-understand illustrative visuals and explanations, as if the court were my classroom and I, the instructor. Had I not needed that mini-course, I still would’ve kept it as my personal research in the topic and would have referred to it in testimony that I did it.

The difference between researching a forensic topic and creating a mini course on a forensic topic is simply how it is put on paper. On one hand, you have an essay with charts and graphs. On the other hand, you have an instructional plan of research that you can teach to anyone who does not know that topic regardless of their background.