DFIR Training Blog
A Proposal of Basic Foundational DFIR Knowledge

Following up on the DFIR Basic Skillz conversation ( http://windowsir.blogspot.com/2018/11/basic-skillz-pt-ii.html ) and post ( https://www.dfir.training/dfir-training-categories-k2/item/164-wax-on-wax-off ), I want to drill down deeper into the basics. First, let me define "basics" as I use the term in this post.

Basics = foundation, fundamental, starting point

( SWGDE defines this level of training as "awareness ... designed to provide the student with a general knowledge of the major elements ..." )

To make this short and sweet, I believe that any attempt to define a basic core competence for a specific job in DFIR is far beyond problematic; it may be impractical. Far too many specific jobs require varying degrees of skill even at the basic level, and skills needed in one job are not needed in another. To be accurate, every single job title would need its own basic foundation determined individually. Think about the varying degrees of responsibility and the number of job titles in DF/IR, and then think about how you would create a set of core competencies or basics for each one. Coupled with mechanical evolution (hardware, software, tools), this is a very difficult task.

Drilling down a little more, the basic skills in a specific job, such as forensic analyst, will change faster than we can decide what the basic skills should be. Don't get me started on what would then constitute the intermediate and advanced skills! An entire team of people could spend an entire career just writing up core competencies for the different DFIR job titles. When you take into consideration operating systems, types of devices, the objectives of each incident or case, and the specifics of each incident or case, the basics in one instance could very well be advanced in another.

I refer to the DFIR basics as the foundation of the overall DFIR field. I take into account those skills (more aptly described as 'awareness') which are:

  • Common to all, or the majority, of the DFIR career paths and specific jobs, and are
  • Unlikely to evolve in principle, but expected to evolve in mechanics

In another post ( https://brettshavers.com/entry/digital-forensics-is-really-easy ), I touch on what a basic foundation could look like:

  • What you need to know legally (only those things that everyone in both DF and IR should know)
  • What you need to know technically (only those things that everyone in both DF and IR should know)

If you work in DF/IR long enough, you will see more than a few examples where someone should have known better, and because they did not, either a case was mishandled or an incident was made much worse. I have seen people fired on the spot, victims lose cases which could have been won, and professional embarrassment over the most basic of skills. In nearly every instance, it was a lack of knowledge, not intentional error, that caused the problem.

As to how deep the waters should run for a basic foundation, I truly see no need to go beyond a broad introduction to both the legal and technical aspects that run across both DF and IR. It is not competence building, or even much more than ensuring that those in both DF and IR understand the legal and technical functions of both sides of the field. It is to raise awareness and establish a basic foundation across the board in DF and IR, broken down into two components:

Legal:

 ---Criminal and civil procedures (legal processes, report writing, etc.)

 ---Evidence (identification, seizure, preservation)

Technical:

 ---A+ and Network+ (OSs, hardware, networking, etc.)

 ---Digital Forensics (high level and specific to forensic analysis)

 ---Incident Response (high level and specific to incident response)

The problem

No one really teaches this. Yes, there are some courses that are considered basic, but I have seen nothing that fits this model. I believe the reason is that few people want to spend the time or money on a program where they come out with the same lack of mechanical skills as when they went in. Basically, people want to know how to do the work right away. Principles and concepts? Nah. We want to grab the tools and get to work! This is a bad way to do it. Actually, it is the wrong way.

The short term fix

You make sure that you have the basic fundamentals, regardless of any formal training. It is your responsibility. It is not the responsibility of your employer, or your college, or your parents, or the government (yet). One time in court will be more than enough to either make you seek another career or rush to find training that teaches what you should have known. Start now (if you have not covered it already), whether you have never handled a hard drive in your life or investigate nation-state hacking cases on a regular basis.

The long term fix

The community at large should support some level of basic fundamental knowledge. Hiring managers should require it or provide it after employment, or as a condition of employment. Universities and colleges should absolutely provide it as they are issuing degrees (in effect, certifying students!) in DF/IR.

How difficult is it to get yourself covered on the basics?

I believe it is so easy that anyone and everyone should take the time to cover them. A few weekends, books, online courses, college courses, or anything else that covers what can be considered the basic fundamentals. Regardless of whether you are the tip of the spear in the field or just graduated from school, this is easy to complete, and it solidifies your knowledge base. And depending on your experience, you most likely have one of the two components down already.


That’s all that is needed, IMHO

Just imagine how it would be if everyone working in DF or IR had a common understanding of computer systems, operating systems, networking, and legal procedures. You don't need to be a cop to know enough about the law to save the day if the need arises. And you don't need to be a computer programmer to know enough about the technology to save the day if the need arises. You just need a common foundation of the basics to make sure you don't screw up. Because DF/IR is really, really easy to screw up.

Written by: Brett Shavers
