Summary

There is no easy way to learn DFIR. You can stop reading from here if you want.

Longer version

Ok. Since you are still reading, you probably are the type that will drive through, over, around, or under walls to get to where you want to go. Good for you!

The perception that “everyone else” has easy access to training, education, and resources while “you” do not is just a perception. It is easy to fall into the trap that makes this seem like reality when in fact, it is far from it.

Social media reinforces that we should only show the good and the best and the positive of ourselves, in that, few people talk about their personal struggles and only showcase the best parts of their lives. The DFIR marketing experience is no difference. Vendors tout their wares, colleges push their programs, and those in attendance of these programs mostly preach how great the training, education, and networking are in these venues. For the rest of the DFIR Internet, it seems like “everyone else” gets to go while “we” do not have the same opportunities.

The fact is, perception is not reality, and that virtually everyone in this field of DF/IR/Infosec struggles to learn using every spare minute, any affordable resource, and every free resource available. In totality of the field, a very minute number of people can spend years in training and education while at the same time being able to work and have a life outside of work. It’s just not a realistic scenario for the vast majority.

The struggles

Do not believe that no one struggles in life except for you. Do not fall for any mental traps that you are the only person having the most difficult time in getting into the DF/IR/Infosec field. Avoid anyone and everyone who tell you that it is not your fault that you do not get what you want, but the fault of others that prevent you from learning or being hired because of what you are.  The “what” of you being everything that has nothing to do with “who” you are. The what are things like age, gender, race, height, weight, or any other physical description that have nothing to do with who you are.  It is the “who”, not the “what” that makes things happen. Anyone giving you excuses or perpetuating excuses like these is keeping you down, so ignore them.

Stop looking at those who have “made it” with a false belief that they had it easy. That they had everything handed to them. That they must be smarter and can learn things easier. I can promise that every single person who you think has “made it”, struggled for years and still struggle in trying to keep up with the field. They struggle to balance life and work. They struggle with medical concerns (like you), home budgets (like you), family duties (like you), and even suffering in traffic (like you too!).

No one lives inside a DFIR bubble that protects from any of life’s tragedies, miseries, and mishaps. I can also promise that many of those whom you may think had it easy, probably had a much more difficult time of getting to where they are than you could ever dream, maybe even harder than where you are now.

Tip: Everyone struggles. No one is born with a silver spoon in this field, because you have to put the labor to learn it. There is no other way.

The resources

With the Internet today, you can practically learn any field that you have interest, with virtually no money out of pocket other than an Internet-connected computer. DF/IR/Infosec is no different. On www.dfir.training alone, there are terabytes of forensic test images, thousands of software applications (more than half are free), hundreds of white papers and templates, and more resources than you could use in a career. Other related sites provide similar resources, even places where you can post any question, and have it answered by experienced practitioners in mere minutes of your post.

The training available today is more than I ever could have predicted when I first dipped my toes into this work. The courses available in the beginning pale in comparison to today. Where just more than a decade ago, the courses were basic “computer forensics” that covered a mere fraction of what we know today, courses now teach a deep dive into artifacts and systems in that you can select specifically to what you need.

Time and money

The issue of having enough time and money to learn is not new to DFIR, nor is it unique to DFIR. If you want to be an attorney at a top tier school, be prepared for the cost. If you want to be a physician, accept that there is a financial cost that is most likely more money than you have in the bank. And any field takes time. Anyone who expects this journey into DF/IR/Infosec to be 100% free or 100% paid by someone else, or that it can be learned in a few weekends (while watching Netflix on TV) will be greatly disappointed.

The reaction to high costs of education is not complaining about the difficulty or perceived unfairness, but rather figuring out your way to get what you want. Everyone has a different method to get to their destination. Everyone has different obstacles. But everyone has opportunities if you make sacrifices to take advantage of them.

Shortcuts

Let me digress a little. I am a firm believer in cheating. I define “cheating” as being innovative, creative, and imaginative. I do not use “cheating” as breaking rules, laws, agreements, or selling out a part of your reputation to get what you want.

Technology makes it easy to break laws and rules. Cracked (pirated) software/books are one of the most common things that I see among students, with the excuses that since they can’t afford the software or books, they download them from torrent sites.

Do not do this.

Or if you do, keep in mind that you will have crossed the bridge of the land of doing good to the land of doing bad. I won’t get into the moral aspects of digital property rights but will say that you cannot beat the law with excuses of “it is not stealing when you only downloading a copy”. Try and tell that to a judge if you are questioned about being a software pirate and let’s see how far the argument goes. Your client or boss will certainly not be happy…

Best field ever

As far as support, DF/IR/Infosec folks are the best. We like to learn, teach, and share. Yes, there are always a few bad apples in any group, but overall, the folks here are great. Avoid the bad apples. Don’t even communicate with them.

The reason I believe the people in DF/IR/Infosec are great is because the work we do is for the public good. The work is about justice, fairness, and truth. Usually, only good people gravitate to the good work like this. It’s in our nature.

In the words of Troy Larson, "Be good."  I cannot think of any better words that are more important than Troy's.

Shameless plug

Here are some things you can take advantage of from www.dfir.training.

•  * Find test images and challenges: https://www.dfir.training/resources/downloads/ctf-forensic-test-images
•  * Find tools to work on the challenges: https://www.dfir.training/dfirtools/advanced-search
•  * Find training to learn more: https://www.dfir.training/calendar
•  * Join an association to network and learn: https://www.dfir.training/directory/associations
•  * Find a DFIR blog with your target interest: https://www.dfir.training/dfir-blogs
•  * Find a college with a DFIR program: https://www.dfir.training/directory/educational
•  * Find a DFIR book: https://www.dfir.training/resources/book/library/1560/books
•  * Find a template, report, or search warrant to see how others write: https://www.dfir.training/resources/downloads/forms-and-templates
•  * Find any of thousands of white papers: https://www.dfir.training/resources/references/white-papers

And more. But you get the point. If you have the time, you have the resources.

The shortcut way

Granted, if you have unlimited financial resources and plenty of time, the options are “easier” in that you can sit in classes while being told the answers to DFIR problems using the most expensive software applications available today. This is the exception, not the rule for the DFIR world. In my opinion, the most expensive courses are best for when you can soak in every minute of the course because you already have a good foundation. Otherwise, your time and money will not be best spent if you don’t learn what you could have learned by being patient first. You will end up re-learning later what you should have learned in that course, which is a double waste of time and money.

How I do it

Your mileage will vary, but I plan on spending hours learning the bare basics of something that I don’t know.  I can spend an entire weekend and not accomplish anything because it was hours of trying, failing, falling into rabbit holes, wrong conclusions, wrong software, errors, oversights, Internet research, and restarting virtual machine snapshots again and again to try it all again and again. Sometimes I get it right quickly but most times I spend a lot of time to get it wrong a lot of the time.

I expect that some people learn faster than me and others learn slower. But that doesn’t really make a difference, nor do I judge myself against someone else. We are different.

A big point to make

I get asked questions often about topics that I have no idea because I haven’t done everything in DF/IR/Infosec. I know some things well just as I don’t know some things at all. Do not expect to learn everything because there is no such thing as knowing everything. By the same token, do not expect others to know everything either, regardless of who they are. Anyone who claims to know everything knows nothing about knowing everything. Also, don’t look at someone sideways when they don’t know the answer to your question when you think they should know it all.

One of the many things that I learned in Marine Corps boot camp was answering questions that I didn’t know the answer to. To jog the memory of the Marines reading this, we learned through positive reinforcement that to not know an answer to a question does not mean you cannot find the answer.

“I don’t know” is totally different from “I don’t know the answer right now, but I can figure out it and get back to you.”

At the CTIN conference a few weeks ago, I spoke to someone who has been doing this work for a long time.  His story, in brief, was that he spent an amazing amount of time to figure out how to pull data out of a database that he had not dealt with before. Nor could he find anyone who dealt with the same thing either. But he did it.  It took a lot of time and a lot of labor, but he did it. From what he described, this is not something you can find in a class or a book. You have to figure it out yourself. And he did as he always does, because he knows that it takes time and effort to learn and figure things out yourself.

By the way, his work made a difference in the case, because he found a way to pull out the data in a readable format, and it was a lot of data.

I wrote a little about the theme of figuring it out yourself here: Just show me the answer

One more big point

Another reference to the CTIN conference was a presentation by Mark Spencer of Arsenal Consulting. Mark spoke about a case where he found the most relevant forensically important data in a case that 14 other experts missed. Actually, it was 14 other companies that missed what he found, which most likely means that it was more than 14 individuals that looked at the same data and everyone missed it. The case involved the wrongful incarceration of more than 700 people, including journalists.

Mark could have been the 15^th company that missed the evidence, but he really dove into it, in the minute details of file analysis that I had never thought of before hearing his talk. You can believe that I look at the aspects of his work much differently in my work today.

In case you missed the point, it is that no matter who you are, you can do a great job when others do not. You do not need to work for a Fortune 50 company doing infosec to have part of a global case that affects hundreds of people, or even millions of people. You just have to put forth the effort to learn.

Walking miles in two feet of snow to get to school

I have talked about how difficult it was years ago to get into the field because the resources were scarce. No college programs at all. None. Not a single one. The books were few and extremely generic. Conferences didn’t exist either. Vendor courses were very expensive and plainly generic. Software choices were so bad that we used hex editors.

I do not say this to mean it is easier today than it was yesterday, but that there is always some struggle or obstacle to get where you want to go. The struggles and obstacles change over time, but nonetheless, they will always exist. Where I had no college choice years back, now there are many choices, but it comes with a financial and time cost.

Want to be famous? How about wanting to do good?

Here is the neat thing about this field: find something to research that hasn’t been done before. Dive into it. Break it apart. Smash it into bits. Test your theories. Come to conclusions. Publish it. It is not unreasonable, nor impossible to discover something really cool in this field.  Most fields work this way; DFIR is not different. You do not need a PhD to do this job. You do not need a certification to be competent. If you can do the job, that is all clients and victims want. 

Bonus points

You read to this point? That shows to me that you won’t take a shortcut, that you will do it right, that you will make it, and that you will be able to solve problems. Some of you will be solving problems that will affect hundreds or hundreds of millions of people. That right there is cool.

Short post and quick opinion.

I came across some tweets today about how bad people are in the #infosec/#DFIR community and I dug a little deeper. Actually, I didn’t have to dig far at all to find truly negative things, things that I don’t typically see.  (*edit: this wasn't written about a current infosecdrama, but certainly can be applied to it)

DFIR Call-out culture

On the call-out culture in DFIR/infosec, aka “name and shame”, I liken it to a Game of Thrones style Walk of Shame. When the Internet is weaponized against someone, for any reason, justified or not, it’s not just a walk of shame, it is a walk of shame on a cocktail of meth and steroids, and carved in stone.

I don’t have any requests of anyone who chooses to participate in the call-out culture, simply because people will do what they are going to do regardless of any positive advice you want to give. For those, it will always be damn the consequences, to hell with long term negative effects, and so what to those hit as collateral damage.  I’m using the ‘call-out culture’  term as it applies to simply calling out anyone online to bash, shame, embarrass, ridicule, or troll because you are angry at something.

Stay above the fray

There is a reason that I don’t see these things online. I don’t look for them. I ignore them and certainly don’t follow them. I intently look for the positive. There are good people in the world, in every profession, just as there are not-so-good people in the world and in every profession. We each choose who to listen to, who to associate with, who to mentor, who to be mentored by, and who are our role models. We make our own beds by the choices we make. Make the wrong choices and you will see a lot of negativity that is amplified more than its reality.

To be honest, I have started this post several times over the past year, but I chose to not write it because of a fear of somehow being targeted in the culture that we developed in targeting ourselves. But I hope that the post helps someone, so I write it today.

Inciting fear, anger, and hate

Here is one example of what I am talking about: It is difficult to get the job that you really want. For some reason in the universe, no matter what job that you truly want, it is difficult to get. Sometimes it is impossible. Same with the school that you want to accept you.  I have no reason why this is, or maybe it is just me. Whatever story that you have on not getting what you truly wanted, I can one-up you on every count. Whatever story that you can give on not getting what you wanted because of something about you, I can one-up you on that too. We all suffer from some form of something that we had nothing to do with or have any control over that is used against us for some reason or another. All of us.

The thing is, when we tell each other that the world is against us because of something, like what you are (versus who you are), or some other reason, we do a disservice by discouraging hard work. By knocking someone down online, we discredit ourselves and the community. When we say, “The system is against you”, that roughly translates into “No matter what you do, you won’t win.”  Some of us, certainly a small percentage, dance in the muck of trolling others, embarrassing peers, creating untruths, and worse still, doxxing each other.

This negativity won’t go away, but you can choose to not listen, not be a part of those conversations, and push the positive, not push the narratives. And simply keep moving forward. Simply, by the way, does not mean easily.

I'm not trying to conflate the mentions that may unintentionally come across as negative with the intentionally negative comments found online. There is a difference in innocently saying something that may be misinterpreted and blatently calling someone/something out.

I see this sort of culture online, where some users are constantly spreading fear or generating anger, riding on any hot topic of the day. I just don't know what to say about those who are angry about something that affects no one but themselves. When they try to build an audience to support their cause of anger, by "calling out" some person or some group of people for some reason or another, the Internet magnifies someone's personal perception which in some cases, can be totally offbase. All I can suggest is to ignore those who do this because those who do this can't be reasoned with. Associate with eagles so that the turkeys don't hold you down.

Confrontation

Going directly to the source of an issue that you have with someone takes guts. You won’t get any ‘Internet social cred’ for not calling them out publicly, but you will get respect from the person or company that you confront. I have been in military and law enforcement units that the only way to solve a problem was to go straight to the person and talk; if you don’t talk to the source of your problem, shut up about it. Today, we see people hit every social media platform to take someone down on an issue that might not even be an issue, with long lasting (i.e., permanent) effects. Whether a justified injustice or perceived slight, the result is the same when the Launch-the-Internet-nukes button is pushed.

The contact information of nearly any person or company is blatantly open online. A simple email or DM might answer a question that you have, or clear up a misunderstanding that you or the other person may have. Maybe it won’t.  But I can tell you, when you slam a company or person online, it doesn’t matter if you were right (or self-righteous), or totally wrong. The damage is done to both your target and you as soon as it hits the interwebs.

Enough of this already

I will repeat something that I have said many times before. I remember every single person that helped me in every aspect of my life. Some have no idea that they were even a positive influence in my life, but I remember them as such. I remember them by name and by the very thing they helped me in achieving, overcoming, or most importantly, helping me survive.

One of these people, with whom I served with in the military, had a huge impact in me being positive in any situation. I’ll name him, because it is in the positive, as you will never see me call-out anyone in the negative.

So many years ago, when I was a young E-4, Sam Birky was my unit’s Chaplain, and was one of the most positive of anyone who I have ever met before or since then. Every minute speaking and every mile running with him affected me then through to today. You would think that looking at his demeanor and attitude that everything must have come naturally to him and nothing ever bad happened. If you thought that way about him, you would be totally wrong, yet he came across as one of the luckiest, happiest, and most positive people you can ever meet. If you are fortunate to have him tell you about his life, from serving in Vietnam, to its aftermath on him and family, and more that he has endured, you will see how someone can be better even when everything is at its worse. Those stories that he told me are mine, but for anyone who I ever helped, know that most likely that it was Sam Birky that helped you as I was just the middleman of Sam's goodwill and good advice.

As for those who held me back, pushed me down, sabotaged me, kicked me while I was down, stole from me, or spoke nothing but untruths….I remember you just as clearly, but not for any good thing. That’s all I will say about that.

My opinion to you is, be the person that is remembered like a Sam Birky. You will sleep better. The community will be better. In the end, you will be remembered, and not ignored. And the world around you will be a better place to be. That is all that matters today. Yesterday is gone, but we can work today to make ourselves better tomorrow, even if just a little bit (or byte) at a time.

*edit 4/26/19*

Some have asked, and this is the Sam Birky to which I refer (hint: he's the Col).

Admittedly, the title of this post is intentionally gross, because I am going to heave a few things at you, mainly about puking. As in, literally puking.

The inspiration for this post

I listened to a well-done presentation not too long ago, and afterward, I went to the restroom. When I walked in, I heard someone puking their guts out. It turned out to be the presenter. When he came out of the stall, looking all embarrassed, he said that it must have been something that he ate.

I told him that food probably had nothing to do with it, but more with the stress, pressure, anxiety, fear, and energy required to give the great presentation that he did. I realized after I said that, he was more nervous...

Then I told him that he’ll probably tango with the toilet again at another presentation. It’s just the way it is when you open yourself to a crowd of people. The fear of being judged, evaluated, critiqued, criticized, or being wrong is a lot for the stomach’s brain to handle. Of course, I immediately realized that I was making it worse after the words left my lips..

I said that sometimes I drive the porcelain bus when I give presentations (I have once, and I expect to do it again surely at some point). My advice was to let it flow when it comes, either before or after the presentation, and consider it a badge of honor that you truly put out your best effort for your audience and put yourself out there. You physically and mentally gave it your all because you exposed your entire self to a crowd of strangers. As a bit of comfort, I did say that I’ve not seen anyone hurl during a presentation, but I’m sure that can happen too. I didn’t tell him that at the time tho.

But can it happen to you? And should you ever risk speaking in public if so?

In my opinion, presentation-induced upchucking can happen to anyone from the most experienced presenters and the greenest of presenters. In DFIR, anyone, and I mean anyone, can find themselves on a stage for the first time in a young career or at any point of their career simply because they know something that others don’t. Maybe a small thing. Maybe a big thing. But your time in DFIR is irrelevant insofar as being able to speak to those in DFIR.

Also, it doesn’t matter the size of the audience or your competence level of your job that will determine if you will toss your cookies.

Ok. Let me give it to you on my ralph story.

My day-of-barf came at a presentation to a group of citizens on basic cyber security. The talk was a favor to a friend who organized the attendees. I gave it my all, as every time I do, but nothing extremely out of the ordinary. As soon as it was over, I felt a little queasy, and lost my lunch in the restroom. That was it. I did it once. When I stepped out the restroom, there was a small group of people staring at me and one asked if I was ok. Yep....they must have heard me...If you ever hear anything different, that was the story, and not a big deal. I would not be surprised to have it happen again, mostly because I care about giving an audience the information that they came to hear, in a manner that everyone benefits.  And I hope that my zipper is not done at the time…

I tell you this because no matter how many times you present, you may never know the one time that you end up revisting your breakfast afterward which has nothing to do with the number of presentations you have given. I have given presentations for more than 30 years to groups of less than 5 to rooms of more than 500 and I still ordered a buick in the restroom.

But this doesn’t mean to stop presenting when you have the opportunity. On the contrary, I hope it encourages more presentations from those who are so nervous that they would never think of standing on a stage to present a topic that so many people are waiting to hear.

If you are doing your best, and you care that you are connecting and giving a part of yourself to the audience, you are probably at risk of retching afterward. Consider it solid (albeit chunked) proof that you gave everything you had and that your audience received maximum output from your effort.

My intention with this post is that if you find yourself blowing chunks after a presentation, whether you were nervous or not, do not take that to mean you should not present anymore or that anything went wrong with your presentation (it probably as good as it gets). If I happen upon you as you make modern art in the toilet, I will know that I saw a presentation given at your best and you beared all to your audience.  Kudos to you.

By the way, I believe there to be three types of presenters:

• Those who have thrown up.
• Those who will throw up.
• Those who have thrown up but haven’t told anyone.

So......have you ever thrown up with one of your presentations? Don’t worry about it 😉