DFIR Training Blog



Basic DF/IR Standards

There's been quite a bit of comms on Twitter, LinkedIn, and blogs about 'what constitutes basics in DFIR'. There are a lot of things to break down in this question, and I hope to see more conversations about it.

Harlan Carvey posted an important question ( http://windowsir.blogspot.com/2018/11/basic-skillz.html ) asking for opinions on what should be the basic skills in DF, which prompted quite a few comments and blog posts.

Following up on Harlan's post, I wrote this one ( https://www.dfir.training/dfir-training-categories-k2/item/164-wax-on-wax-off ) to talk about basic skills in DF/IR, as in, the skills needed to perform at a basic, but competent, level.

But I think breaking apart "basic" is the first step in this conversation. By breaking apart, I mean that we have basic skills and basic knowledge to discuss.

  • Basic skills are those competencies specific to a job or task.

  • Basic knowledge is that information or awareness (not competence!) of a topic or topics.

Basic skills are easy to define, since you can choose a job and then determine which skills are necessary to do that job (as in, bare minimum, basic skills).

Determining awareness/basic knowledge is a little more difficult, as I opine that the basic knowledge should be much broader, across all jobs in both DF and IR. Just as important, I believe that a basic knowledge/awareness should not imply or require competence in any of the DF/IR jobs. It is merely awareness. I blogged a couple of times about this in more detail.

In this post ( https://brettshavers.com/entry/digital-forensics-is-really-easy ), I wrote that basics should be very basic, and include only that knowledge that should be held by those in DF or IR (both should have the same knowledge in legal and technical).

In this post ( https://www.dfir.training/dfir-training-categories-k2/item/165-a-proposal-of-basic-foundational-dfir-knowledge ), I wrote in a little more detail about what I believe a basic foundation across both DF and IR should be.

The point

When speaking about "the basics", we may want to consider more specifically which "basics" we are referring to. Do we mean the skills required for a basic competence, or do we mean the basics as a "starting point" of the field that everyone in the field (both DF and IR) should know as a foundation?

Written by: Brett Shavers
