The Importance of Sharing in DFIR
I read a recent blog post by Harlan Carvey called “Beyond Getting Started,” where he discussed several areas that people in the DFIR field could continue to grow, including programming and community engagement. It inspired me to think about the way that I try to share in the community and goals I set for myself to share, while understanding the struggles of sharing.
(Since I wrote this, Brett Shavers posted a blog where he discusses the importance of sharing as well, it’s worth a read. My goal in this blog is to discuss different opportunities and methods of sharing in DFIR.)
It’s important to think of the multitude of ways that we as DFIR professionals can share with each other. We need sharing from different perspectives and experience levels. Why? Because there are so many artifacts, so much data, so many operating systems, so many devices and there are changes and updates daily. It is impossible for anyone to know everything, so we continue to learn and adapt every day. By sharing the new artifact you parsed or a method to image a new device, you save the time of your fellow examiners, from whom you in turn will borrow methodology.
Barriers to Sharing
There can be a variety of barriers that a DFIR professional faces in the ability to share that range from private to public. Your employer may limit what you are allowed to share publicly. I get it. Until taking my current position, I was unable to share publicly, only within my organization/company. But even then, it is important to share within your organization. There is great benefit to helping your colleagues understand your role and the work you do.
Another barrier is limitations of resources and time. Forensics isn’t just my job, it’s my hobby (and I understand that won’t be the same for everyone.) That said, sharing your learnings doesn’t have to be time intensive. I encourage you to look at the list below, pick a method that works for you, and challenge yourself this year to share one more thing you learn or discover!
Don’t be discouraged if you feel that you haven’t “broken new ground.” Showing how you used existing tools or combined methods to meet an objective is still a valuable lesson. You get to build your own playbook, as well as share information with a community that can very likely use it.
I like to think of this as providing the opportunity for the lessons I learn from working one case to have an effect on more cases, potentially around the world. It’s also about giving back. I have garnered so much knowledge from others – from authors, to presenters, to bloggers, to coworkers; it is only fair that I share how I apply it, or share my new information with others.
Ways to Share
Share a Script
It doesn’t have to be fancy. Harlan encouraged us to learn to program in the article I referenced; I encourage you to share the information. Even if you aren’t a programmer, if you can write a SQL query and it parses a database for a new artifact, share that query.
There are a variety of places to share, from your own personal Git repository, to blogs, to maybe even a guest post on someone else’s blog. If you write a script that works with another tool, share it on the community bulletin board or a script repository, like the Magnet Artifact Exchange. Some of my favorite Git repositories from regular sharers include Mari Degrazia (https://github.com/mdegrazia?tab=repositories), Sarah Edwards (https://github.com/mac4n6), and Cheeky4n6Monkey (https://github.com/cheeky4n6monkey/4n6-scripts).
Share Information about Artifacts
Maybe scripting isn’t your thing, but you know how the data is stored and you parsed it manually – or maybe it was something you carved for in a tool. Share information about that artifact!
There is actually a project out there for exactly this! The University of New Haven hosts the Artifact Genome Project. More information about the artifact genome project can be found here.
There are plenty of opportunities to share your knowledge by creating curriculum and teaching. This could be at a college or university. Alternatively, it could be sharing information about digital forensics with a local high school, volunteering to teach a lesson.
You could even offer to teach basic forensics to non-technical stakeholders in your organization so they understand more about your role with the benefit of them understanding what you do a little more.
Provide More Context on Social Media
There was some great discussion recently about effectively using Twitter in the DFIR community. There have been some great ideas about using the “Quote Tweet” instead of a simple retweet when you find something interest. The goal of the “Quote Tweet” is to frame the original tweet with WHY you are sharing it. It isn’t always necessary, but it is worth considering adding a “So What” factor to the content you retweet as appropriate.
Consider giving the audience a blurb about why you are sharing the digital content on the platform you are sharing, from LinkedIn to Twitter to the social media of your choice.
Respond to Questions on Forums and Listservs
If you read forums or listservs and you have experience, an idea, or a reference that may help, share it!
Recently someone who followed a listserv I don’t follow reached out because they thought I might have an answer to a question on there, and it so happened I was able to help the person who had the situation on a case. Of course, I now have another group I need to begin watching.
You never know when something you have experience with can help someone else. You may not have time to follow everything, but if you have an idea, reference, or experience, reach out. You will usually have the opportunity to do it privately via a direct message, if that’s the best course of action in your situation.
Be a Mentor
You can mentor within and outside your organization. A mentee could be a coworker, a student, or someone starting in the field in another organization. Mentorship can focus on both soft and technical skills.
The amazing thing about being a mentor is you have an opportunity to not only encourage someone to become a better technical asset or professional, but you can also learn more from your mentees than you could imagine. Mentees have a habit of bringing out the best in you in the form of new challenges and inspiration. The relationship is based on sharing and can be mutually beneficial.
Mentorship is a great way to share if your employment prohibits your ability to create public-facing works.
There are many facets that you can use to get your content out there in paper. They range from tweets to blog posts to white papers and scholarly articles to books. All are pertinent to the field and appropriate. If you like to write, or have the gift of the verbal gab, find the format or medium that works for you. I should note that, the time commitment for these varies greatly.
Tweets can get information out rather quickly for a new finding. Recently, there were some pertinent findings regarding shellbags that were shared by David Cowen on his and Matt Seyer’s podcast, Forensic Lunch. As these findings were discussed on Twitter, Dan Pullega, @4n6k, shared even more reasons that shellbags could be created.
Blogs take more time to write, but they allow for a long form where you can provide details and screenshots. If you create a blog post, try to make it Google friendly so others can find the resource when they need it. Not everyone may be parsing a Windows 10 phone SMS database today, but it’s good to ensure that when someone else types those words into a search engine, they’ll find your post.
I would love to see more citable articles in journals such as the Digital Investigation journal, because it provides peer-reviewed resources, lends credibility to examiners when testifying, establishes expertise, and more.
Write Part II – Peer Review
Peer review is itself a way to share. While the peer-review process for journals is formal, there are informal methods of providing this type of balance to published information. For example, if you successfully use a method described in a blog, consider a comment providing details about the validation. If a method doesn’t work in another circumstance, share that information in a comment. Bloggers generally appreciate well-thought-out, constructively critical comments like this.
A method’s ability to work can be affected by updates to everything from firmware to schema changes of SQLite databases can cause results to change, so make sure to note these kinds of variables to help contextualize your results for other readers.
Write Part III – Books
Books are an even longer form of contribution. I haven’t personally taken on this endeavor, but greatly appreciate the works of those who have contributed to my personal library which is referenced regularly. A sincere thank you to all of those who have produced digital forensics books for the community. Your contributions are appreciated.
Write Part IV – Contributed Articles
One final way to help is to provide updates to some of the curators of forensics digital content. This includes some of my favorite go to websites for staying current: aboutdfir.com, thisweekin4n6.com, and www.dfir.training. All three sites are extremely receptive to contributed articles, links, etc.
If you aren’t a writer, but are comfortable speaking, consider a podcast. There are some terrific forensics ones out there from Forensic Lunch, which I mentioned before, to the Digital Forensic Survival Podcast. If you only have enough content for a single episode or a segment that you want to share, reach out to those who do regular podcasts and offer to be a guest. They just may take you up on it.
There are plenty of conferences in our field, and they only exist if people share content and findings. Conferences vary greatly from OSDFCon to DFRWS to HTCIA to Techno Security and Digital Forensics Conference to the SANS DFIR Summit.
Each conference has a slightly different personality and feel. Writing a response to a CFP (Call for Papers or Call for Presentations) can be intimidating, but it is worth it to share your findings with a wide audience. It’s also a great opportunity to meet other people in the field and have discussions about a variety of topics.
Another great way to share is by creating forensic challenges. I had the opportunity to participate in the unofficial DefCon DFIR Capture the Flag (CTF) this summer, created by David Cowen and Matthew Seyer, and I learned a great deal in the process.
By creating the challenge, they shared a resource that other examiners could use to grow and challenge themselves. Participation actually led me to connect with other participants after the event, where we were able to discuss the methods we used on some of the questions. This was a secondary sharing as a result of the CTF.
Team for Research
Did I mention that forensics is also my hobby? Working in teams for research provides an opportunity for skill sharing to accomplish a goal. Recently I used my hardware forensic skills to work with Brian Moran and leverage his network forensic skills on our Alexa forensics research. We were both able to share skill sets to offer a more complete analysis.
Another way to help the community is by sharing test data. If you have created sample data, be it from a full image to a database for a specific app, it would be beneficial to share it with the community.
If you have created data sets to test a particular operating system, device, application, or artifact, you can help the community by sharing those data sets. If your data sets also include documentation as to the steps taken to create artifacts, even better. This will assist others with validation of parsing and results.
Summary: Sharing Makes Us Better
I hope this post has provided some intriguing ways for you to share with the community. There are many opportunities to share your experiences, opinions, and methods. Sharing makes you better as an examiner because you must organize your thoughts and ideas. Additionally, it documents what you have learned so that others can utilize the lessons you’ve learned in their work.
Why not set a goal to add one of these sharing methodologies to your repertoire and help the entire community? The most important thing is for us each to challenge ourselves to be better.
Fundamentally, I am convinced that by sharing, you help the rest of the DFIR community, and can influence more than just your case.
Questions or comments? More ways to share? Reach out at Jessica.firstname.lastname@example.org.