Don't waste your time!
DFIR is a way more exciting field than medicine or law or any other field! The tools and processes change all the time. Even the types of evidence change all the time as new software versions appear and storage devices grow in capacity. The Internet of Things has exponentially grown the pool of goodies to find, to the point that we’ll probably never learn them all! This is awesome!!!!
Prevent wasted time
By wasted time, I mean time that might be needlessly spent in trying to figure something out on your own without using available resources. Read my “When Being Self-Taught Goes Wrong” for a decent example of how a 1-minute task turned into 60 hours.
In DFIR, you can literally spend weeks trying to figure one thing out and still never figure it out. Worse still, you think that you figured it out but actually came to the wrong conclusion. This would be like taking two steps back, then another two steps back, and then thinking that you went forward.
Tip: If there is something that you want to figure out, first find out if someone else did it already.
If you find that someone already did what you wanted to do because you thought no one had done it, this is ok. In fact, this is good because you can take that work and improve upon it. Here’s an example. Pretend that you want to parse Telegram by writing your own code. You can jump right in without checking if it’s been done, or you can take a quick look online.
So, here is a Tweet that sums up a few great points on Telegram parsing code.
The hardest of #DFIR agrees from me to @dfirfpi's conclusion.
He has shared some excellent Telegram parsing code that I am currently studying.
Full blogpost: https://t.co/O9rMr16Ifi
Teleparser code repo: https://t.co/yaNpVlbDzu
Both are worth your time. pic.twitter.com/95fu3MI2O6
— Brigs (@AlexisBrignoni) September 9, 2021
#1 – Someone else already did it. Cool! You can use it and probably saved yourself weeks of time.
#2 – You can improve upon it (Alexis above said that he is studying the code, and I can’t wait until he improves it!)
#3 – You exponentially increase the world of ideas when you do this. When someone shares their idea, such as in the above tweet, and someone else creates new ideas from it, now everyone has two ideas. This is the best use of time, in grabbing what has been done and either fixing it or improving upon it.
With many aspects of forensics, we come across something that is new to us all the time, regardless of how many exams we have done or how much training and experience we have. My first go-to with something new is always, “Has this been seen before? If so, what is known about it? Do any tools address this already?”
Going back to the prior tweet, in the blog post referenced in the tweet, author @dfirfpi details his work and even references a white paper on the subject. So here you have one person sharing his documented work, referencing a resource, with another person studying his work to probably add to it. DFIR AWESOMENESS!
This is what I mean by “self-learning”. Use resources to learn, build upon what has been built before. And if nothing exists, and all others have failed, or no one is even aware of the problem, then your self-learning is ‘inventing’. But even with inventing, take what has been done and modify it for your invention. You will save time.