Ways to Share in DFIR
Hi, everyone. This is Jessica Hyde and I wanted to take an opportunity to share different ways to share in the DFIR community. Back in 2017, I wrote a blog on the Importance of Sharing DFIR, and while all of that advice holds true, I wanted to offer this refresh as there are even MORE opportunities to share in the community nowadays.
As a forensic examiner grows in skill, sharing becomes a natural next step. In a previous post on Giving Back in DFIR I debuted the DFIR Hierarchy of Needs, which shows the natural progression of forensic examiners as they move from doing Independent Casework to Sharing with the community. Folks who reach this level may be looking for ways to share what they are learning, and as they grow within it, they may be looking for more ways to share with the community. The goal of this post is to explore the different ways to contribute to the community.
We will be exploring the ways sharing can be beneficial to your career, along with other advice, as part of a series, “New Year, DFIRent You”, over the next few months. In this new series we will explore a variety of topics to help examiners grow throughout different parts of their career. This post will focus on different methods for sharing knowledge, learnings, and research. Whether you like to write, script, or have the gift of the gab, find the format or medium that works for you.
Methods to Share
Share a Script!
It doesn’t have to be fancy. Quick code you may have written to parse one thing in your case may be helpful to someone else. Even if you aren’t a programmer, if you can write a SQL query and it parses a database for a new artifact, share that query.
There are a variety of places to share, from your own personal Git repository, to blogs, to maybe even a guest post on someone else’s blog. There are also opportunities to contribute to existing framework projects. One example is Alexis Brignoni’s ILEAPP and ALEAPP, which are frameworks for parsing iOS and Android devices. Folks often write small parsers to work inside the framework Alexis built, which has turned the project into a community project. Some of my favorite Git repositories from regular sharers include those of Yogesh Khatri, Mari DeGrazia, and Ryan Benson.
Another way to share a script is to share a Custom Artifact on the Magnet Forensics Artifact Exchange. These artifacts can be written using SQLite, an XML template, or with Python. You can even use the Magnet Custom Artifact Generator to create one from a SQLite database without coding experience. Once you have written a custom artifact it can be shared with the community via the Artifact Exchange.
Share Information About Artifacts
Maybe scripting isn’t your thing, but you know how the data is stored and you parsed it manually, or maybe it was something you carved for in a tool. Share information about that artifact! You could share this content directly with the developers of a project or tool to see if they can incorporate your learnings.
There are two projects that are about sharing artifact knowledge. The University of New Haven hosts the Artifact Genome Project. There are over 1100 artifacts described there at this time. Additionally, DFIR.Training hosts a page that defines a variety of artifacts.
Respond to Questions on Forums and Listservs
If you read forums or listservs and you have experience, an idea, or a reference that may help, share it! There are a variety of forums, listservs, and even Discord servers.
Recently someone who followed a listserv I don’t follow reached out because they thought I might have an answer to a question on there, and it so happened I was able to help the person who had the situation on a case. Of course, I now have another group I need to begin watching.
You never know when something you have experience with can help someone else. You may not have time to follow everything, but if you have an idea, reference, or experience, reach out. You usually can do it privately via a direct message, if that is the best course of action in your situation.
I have become a large fan of the Digital Forensic Discord Server. There is a community of over 6,000 forensic examiners discussing a variety of topics in different channels. This means you can join a conversation on a specific relevant topic.
Provide More Context on Social Media
There was some great discussion a while back about effectively using Twitter in the DFIR community. Harlan Carvey regularly addresses the issue of providing more context to tweets and LinkedIn posts that are liked or reshared. One way to provide additional context is to Quote Tweet instead of simply Retweeting when you find something of interest. The goal of the Quote Tweet is to frame the original tweet with WHY you are sharing it. It isn’t always necessary, but it is worth considering adding a “So What” factor to the content you retweet as appropriate. Consider giving the audience a blurb about why you are sharing the content on whichever platform you use, from LinkedIn to Twitter to the social media of your choice.
Be a Mentor
You can mentor within and outside your organization. A mentee could be a coworker, a student, or someone starting in the field in another organization. Mentorship can focus on both soft and technical skills.
The amazing thing about being a mentor is that you have an opportunity not only to encourage someone to become a better technical asset or professional, but also to learn more from your mentees than you could imagine. Mentees have a habit of bringing out the best in you in the form of new challenges and inspiration. The relationship is based on sharing and can be mutually beneficial. Mentorship is a great way to share if your employer prohibits you from creating public-facing work.
There are a multitude of both formal and informal ways to participate in mentorship. Programs like Play Like a Girl have formal mentorship programs where women in Science, Technology, Engineering, and Math (STEM) fields are paired with girls to learn about STEM careers.
Some other ways I have personally seen mentoring work in unique ways include the Notre Dame Women in Forensics Camp. There, college students who also work at the St. Joseph’s County Cybercrime Lab taught and mentored high school aged girls about digital forensics, while career women in the digital forensics community were brought in to work with both the college and high school students, all under the tutelage of the director, Mitch Kajzer, providing four levels of near-peer mentorship.
Another mentorship opportunity I have participated in recently is helping with Moot Court. Several universities utilize a Moot Court to prepare digital forensics students to testify. In helping with Moot Court, I have been able to work with students one on one to prepare and then take part in the questioning and provide feedback. What a great way to help prepare young students. If you are interested in helping in this way, I am happy to connect you with professors who incorporate Moot Court in their curriculum.
Teach
There are plenty of opportunities to share your knowledge by creating curriculum and teaching. This could be at a college or university. Alternatively, it could be sharing information about digital forensics with a local high school by volunteering to teach a lesson.
You could even offer to teach basic forensics to non-technical stakeholders in your organization, so they understand a little more about what you do and your role.
Write
There are many formats you can use to get your content out there in writing. They range from tweets to blog posts to white papers and scholarly articles to books. All are pertinent to the field and appropriate. I should note that the time commitment for these varies greatly.
Write – Social Media Posts
Tweets can get information out rather quickly for a new finding. Oftentimes, Twitter is where folks talk about their newest updates to tools and their newest findings, and share about research they are doing. This is a great place to share a new finding quickly. It also is a useful way to quickly share context about how you utilized research or found a resource that was of value so that others can become aware of it. I suggest following #DFIR or checking out my list of folks in forensics.
Other folks share information on LinkedIn. LinkedIn allows for a slightly longer format than Twitter. However, the audience is slightly different. I suggest sharing information in both places when appropriate. I tend to use fewer abbreviations on LinkedIn as the word count is larger. While LinkedIn does allow for blog-length posts, I suggest writing these outside of LinkedIn, which makes them more accessible.
Write – Blogs
Blogs take more time to write, but they allow for a long form where you can provide details and screenshots. If you create a blog post, try to make it Google friendly so others can find the resource when they need it. Not everyone may be parsing a Windows 10 phone SMS database today, but it’s good to ensure that when someone else types those words into a search engine, they’ll find your post. Phill Moore has a great post about starting a blog. If you do start a blog, be sure to message Phill to ensure your new blog is added to his weekly roundup, This Week in 4n6.
Write – Peer-Reviewed Journals
I would love to see more citable articles in academic journals such as Forensic Science International: Digital Investigation, Journal of Forensic Sciences, and DFRWS. SANS also hosts long-form papers. Journal articles provide peer-reviewed resources, lend credibility to research when examiners testify, establish expertise, and more. If you have the opportunity to work on an academic peer-reviewed paper, I encourage the experience. The review process is quite humbling and helps build better work. Journal submissions often have multiple authors, so it is an excellent opportunity to collaborate, conduct research, and share with the community.
Write – Conduct Peer-Review
Peer review is itself a way to share. You can conduct peer-review for a journal or for blogs and other content. While the peer-review process for journals is formal, there are methods to provide peer-review to blogged content as well. One method is via DFIR Review, a project to provide peer-review for blog posts. The team at DFIR Review is actively seeking additional reviewers. If you are interested, email DFIR Review at email@example.com.
Another way to provide peer-review less formally is to write a follow-up to an existing blog or add a comment to the original. If you successfully use a method described in a blog, consider a comment providing details about the validation. If a method doesn’t work in another circumstance, share that information in a comment. Bloggers generally appreciate well-thought-out, constructively critical comments like this.
Whether a method works can be affected by updates to everything from device firmware to the schema of a SQLite database, and such changes can alter results. Make sure to note these kinds of variables (OS and app versions, firmware, schema) to help contextualize your results for other readers.
Write – Books
Books are an even longer form of contribution. I haven’t personally completed authorship of a book, but greatly appreciate the works of those who have contributed to my personal library which is referenced regularly. A sincere thank you to all of those who have produced digital forensics books for the community. Your contributions are appreciated.
Write – Contributed Articles
One final way to help is to provide updates to some of the curators of digital forensics content. This includes some of my favorite go-to websites for staying current: aboutdfir.com, thisweekin4n6.com, and dfir.training. All three sites are extremely receptive to contributions of articles, links, etc.
Podcasts and Shows
If you aren’t a writer, but are comfortable speaking, consider a podcast or show. There are some terrific forensics ones out there including the Forensic Lunch, 13Cubed, the Digital Forensic Survival Podcast, and my podcast Cache Up. If you only have enough content for a single episode or a segment that you want to share, reach out to those who do regular podcasts and offer to be a guest. They just may take you up on it.
Present at Conferences
There are plenty of conferences in our field, and they only exist if people share content and findings. Conferences vary greatly, from OSDFCon to DFRWS to HTCIA to the Techno Security and Digital Forensics Conference to the SANS DFIR Summit and the Magnet User/Virtual Summits.
Each conference has a slightly different personality and feel. Writing a response to a CFP (Call for Papers or Call for Presentations) can be intimidating, but it is worth it to share your findings with a wide audience. It’s also a great opportunity to meet other people in the field and have discussions about a variety of topics. Many conferences have recently moved to virtual or hybrid formats, making them more accessible to different geographies.
Forensic Challenges
Another great way to share is by participating in forensic challenges. I have had the opportunity to both participate in and create forensic challenges. There have been amazing challenges such as the unofficial DEF CON DFIR Capture the Flag (CTF) events created by David Cowen and Matthew Seyer, the DFRWS Forensic Rodeos, SANS NetWars, and the Magnet User/Virtual CTFs as well as the Weekly Magnet CTF, to name a few. Participating in challenges can lead to connection with other participants during and after the event to discuss the methods used to solve questions.
Another way to participate in a CTF is to create blog posts about how you solved challenges or create and share scripts / custom artifacts from the solving methodology you used. I have learned so much from seeing the many ways different examiners solve the same challenge. There are often multiple ways to come to the solution and you can learn so much from others.
Another way to share is by creating the forensic challenge itself. I have had a great deal of fun and learning working with others, like the Champlain College Digital Forensic Association, to build challenges together. This provided both opportunities for collaboration and mentorship to create awesome challenges covering a variety of forensic topics.
Team for Research
Did I mention that forensics is also my hobby? Working in teams for research provides an opportunity for skill sharing to accomplish a goal. I have been fortunate to team with amazing folks. For example, I used my hardware forensic skills to work with Brian Moran and leverage his network forensic skills on our Alexa forensics research. I have also worked with Aaron Sparling on Memory Forensic analysis and with Dr Eoghan Casey and Dr Alex Nelson on the Standardization of File Recovery Classification. In these instances, we were able to share skill sets to offer a more complete analysis. Find opportunities to work with others and broaden and deepen your research. These are some of my favorite projects.
Share Test Data
Another way to help the community is by sharing test data. If you have created sample data, be it a full image or a database for a specific app, it would be beneficial to share it with the community. There are amazing folks who have recently created and shared data, including Joshua Hickman’s iOS and Android data sets, the Owl Scenario from students at Marshall University, and the Lone Wolf Scenario from Thomas Moore at George Mason University. All these sets, and many more, are available on Digital Corpora.
If you have created data sets to test a particular operating system, device, application, or artifact, you can help the community by sharing those data sets. If your data sets also include documentation as to the steps taken to create artifacts, even better. This will assist others with validation of parsing and results.
There are so many opportunities to share your experiences, learnings, and methodology. Sharing will help the examiner who documents what they learn in an organized way while simultaneously helping others in the community who can utilize your learnings in their own work. I encourage each of you to add one more of these methods to your sharing repertoire and help the forensic world beyond your one case. If you have any questions or comments, feel free to reach out to me at firstname.lastname@example.org.