DFIR Training Blog



Did you improve your #DFIR skills at all?

How do you know if you improved your skills and knowledge base over the past years, or even over the past week? Did you even improve anything from yesterday? And if you did, how do you know? Are you better at working the DFIR today than yesterday? There is something you can do to check.

Pit yourself against your most fearsome opponent: Yourself!

We are our own worst enemy in many facets of life. We are the most critical of ourselves compared to anyone, even compared against the most overprotective parents or the strictest music teacher you’ve ever had or seen. We are tough on ourselves. Let’s take that toughness and use it for a benefit!

To see how much you have grown and developed in DFIR skills, block out a day to check yourself against a younger version of yourself. If you have a case or analysis from years earlier (the older the case, the better!), re-do the analysis. Completely re-do it from scratch, but do not read anything that you wrote before getting started. Go in cold, crank up your machine, and hit the data with everything you have.

Don’t choose an analysis that took weeks to finish. Pick something that was fairly quick and small. Throw all your current-day tools at it and write a report on your findings. Yes, you may remember the outcome of the analysis and the general artifacts that you found before, but this is the exercise.

When finished writing the new report, read the first versions of your analysis reports. You should know exactly how much you have (1) improved, (2) not improved, or (3) stayed about the same skill level. If you are at #2 or #3, you are not doing it right. You should always be at #1: Improved.

In fact, if a time machine brought back the 10-year-younger you, and you were to go against yourself as an opposing expert, you should be able to crush the 10-year-younger version of you, hands down, no questions asked. It should be a bloodbath without you breaking a sweat, such an unfair fight that you feel a slight bit guilty going up against someone who is so much less skilled than you.

Does this mean you did a bad job 10 years ago?

Certainly not! Tools were 10 years less effective. Our community has 10 years of research conducted since then! We’ve read more books, taken more courses, and conducted more analysis in that time, so we had better be much better than that younger version of ourselves. (I hesitate to say, but we probably look better too.)

You should be able to see specific areas of improvement and areas of change.

  • Your writing is better. More concise. More accurate. Better articulated. Easier to read.
  • Your analysis is much faster, yet more accurate.
  • Your artifact recovery is more complete and more extensive.
  • Your tool selection is wider and more comprehensive.
  • You more clearly understand the artifacts.
  • Your confidence is higher.

The mere knowledge that you are better today will help make you better tomorrow. You can see that every small, consistent movement forward of learning over those years paid off. The only time this should not be the case is after you stop working the DFIR. Once you stop working the DFIR, and stop researching, and stop learning, that is when you stop growing in the DFIR. Before that day comes, make sure you were at your best every day, that no version of you before that day was more skilled, and you will have accomplished a successful career to be proud of.

The goal is simply to be a little better today than you were yesterday, and a little better tomorrow than you are today. That means being a better person too. Bit by bit.

Written by: Brett Shavers
