DFIR Training Blog



Publish your #DFIR research!

Here is a brief list of reasons why I think DFIR practitioners blog their research rather than formally publish it through a peer-review process.

--Blogging is:

     ---faster (minutes to type up and post),

     ---easier (click “post”),

     ---written for the practitioner (“this is how you do it”),

     ---putting out perishable information before it spoils (“applies to the current OS today”).

--Peer review is:

     ---slower (months or years),

     ---a more difficult process (lots of steps and hurdles),

     ---written academically (“for the love of all that is good and holy, get to the point!”),

     ---might be outdated by publishing date (“well, no one uses this OS anymore, but when they did…”).

Neither method results in a direct financial gain for the work done. The time spent will not equal the money received, if any money is received at all. No fame either…

I’m not going to get into the peer review process, as you can find plenty online. I will say that the process is long. Very long. Lots of steps. Lots of people involved. It requires lots of effort to check the boxes required by the process. I am including publishing research in a book here, as the time required is practically the same. I believe that good DFIR research should be peer reviewed, and that IF the academic model had a reasonable process and time frame for publishing, this would be the way to go. But that is not the case. Also, the writing methods of a journal are certainly not what practitioners want or need. I also believe that there is nothing wrong with a blog post having the most credible, up-to-date, and relevant information that the community can use instantly after it has been posted. Nearly all DFIR blogs are written for the practitioner, with clearly defined and described bullets on “This is how you do it”.

As one example, to which I can personally attest, that a blog post can be just as relevant as any peer-reviewed paper or book: a paper I wrote in 2008.

Back in da day, forensic folks would write up a PDF and put it on the Internet somewhere. I was one of them. These “papers” were basically blog posts put into PDF format to be easier to read and memorialize.

This paper that I published in 2008 was about virtualization and forensics. By publishing, I mean that I emailed my blog post as a PDF to Forensic Focus and they put it on their website. It took me a week or two to write it up, after having been researching and playing with virtual machines for years prior. I had sent a review copy to someone I knew for his opinion before sending it to Forensic Focus or posting it to my blog. The response I got from my prof buddy was that I should put it out in a journal, as I would be wasting the work by blogging about it instead of publishing it. Being a full-time professor, he strongly pushed the journal route. At the time, virtual forensics was not commonly practiced, and I felt this to be an important topic that would eventually be part of most forensic analysis cases. So I emailed it to Forensic Focus instead, and a day or two later, Forensic Focus posted it on its website.

The following week, or maybe the same week that this was posted to Forensic Focus, I read online that a book was going to be started on the same subject. There was a post asking for contributors to the book, so I emailed my paper and even offered to help with the book content (sadly, I wasn’t taken up on the offer…). The book was in print almost 2 years after my paper.

Between the time of my paper and when the book was published, my paper was referenced in multiple other papers (theses, other documents), quoted in at least one forensic book, and even quoted, referenced, and cited in the Virtualization and Forensics book. It’s been referenced over two dozen times total that I found online, but maybe even more that I didn’t find when searching online for a few minutes. These references to my paper are found in writings from several countries, both academic and practitioner. I sat in a course once where the instructor went over my paper as part of a lesson and didn't realize I was in the course (not that I cared, but it was neat). Don't take this as bragging, which is something I don't do. Rather, I want to illustrate where this PDF "paper" went in a short period of time without being a journal or book.

Here is my point.

I could have gone the academic route, but it likely would have taken a year from submission to print. On top of that, many journals are behind paywalls, or accessible only to an educational institution. Going even further, I wanted this information out a month before I even thought about writing it. Not for fame or fortune, but to share some really cool stuff about virtual machines and forensics. Today, virtual machines are not sexy news anymore, but back in those days, this was cool stuff that few people were doing and that I thought more people should be aware of.

Even going a little further, my paper furthered additional research in virtual forensics and ended up being cited in more than a handful of books, and the same paper is still being referenced as recently as this year (2018), ten years after “publishing a paper as a PDF”.

In my opinion, this paper has met any peer review standard that exists, simply because of the places it has been referenced, quoted, and cited without any correction of fact.

Making this paper publicly available in two weeks had a wider and more positive impact on the DFIR community than it would have had if I had chosen to publish academically, as suggested by my professor friend. To be honest, that was my intention. Get the word out today, not tomorrow.

Today’s issues

There are thousands of DFIR and InfoSec bloggers today. I have over 800 of them listed at dfir.training. That is truly a lot of information. To suggest that any percentage of them publish academically would flood the process and slow the release of information to the community. I put books in a separate category, because books are a little different in regards to perishable information. Writing a tech book requires not focusing on the perishable information and instead writing something that will withstand years of being relevant, through concepts and principles that apply today and can apply tomorrow. That means much of a book’s information is already somewhat known, but hasn’t been put together as a package. Not so much with blogs. Blog information is sometimes perishable because technology changes faster than a book can be printed.

Also, anyone working in this field is short of time. We are busy with work. We are busy with keeping up enough to do a good job at work. We are busy with family. We are just plain busy, and adding more to our lives is asking a lot if there isn't a mutual benefit.

When we write up something important (or something cool..), we want to share it. Blogging is the fastest method* and, I would argue, the most effective method to disseminate DFIR methods, processes, and discoveries. Peer-reviewed journals do not further the field if the information in the journal is not shared immediately after being validated, because by the time a journal or book is published, the information may be stale, outdated, or has become commonly known. Not in all cases, but certainly in many.

A suggestion

Create a NEW process that combines the best parts of both peer review and instant blogging.

Cut out chunks of the time needed in the peer review process. Allow the work to also be published by any and all means that get the information out. This includes blogs, forums, chat rooms, and courses. There is nothing wrong with the information later being used for a journaled piece or expanded into a book, but get the information out now.

Who peer reviews in this new process?

I would recommend that academia and high-tech associations be involved in the peer reviews. The system is already in place. Use it, modified for speed. What possibilities would be created if someone who wrote up a substantial finding could submit it to the local high-tech group or local university for a peer review and stamp of approval? We could have blogged information, peer reviewed by credible organizations, out faster than any journal or book.

Deciding upon a process, a standardized paper format, and the types of papers to be considered is not that difficult. Give this process to any participating DFIR association and educational institution. A peer review by one should carry the same weight as a peer review by another, as long as the same process was used.

And what of the stuff that is so cool, I mean really BIG, that it should be in a journal or book? Then the organizations can suggest or assist in that process while still getting out a practitioner-level, peer-reviewed paper on a timely basis, and put out the formal journaled paper later.

YOUR benefit

Did you find something important to the community? Why not stamp your name on it with a peer-reviewed paper? If the process is fast and pain-free, there isn’t any reason not to do it, unless you just don’t want to. Even if it barely covers a page or two, why not formalize it to make sure it gets traction and, more importantly, is made part of a permanent record, with your name on it.

Here comes some more harsh reality

This will take more than a few folks to implement. Everyone will have to donate time and effort just to get it off the ground. Everyone will have to believe in it too. If you ever considered publishing your work, but chose not to because of the process, this is for you. If you ever did something cool but it didn’t meet the requirements of a journal, this is for you. If you are a board member of a high-tech association or in DFIR academics, this is right up your alley. You can make a substantial impact on the DFIR community with something like this.

I know that either we will make the system better by publishing our work outside of a journal but not to the extent of a book, or we will accept what we have. We will continue to have blogs that disappear after a few years (along with the information that was on them), and stilted journals that should have been blogged instead of going through a year-long peer review journal process.

As for me, I’ll keep blogging, PDF’ing, and writing books. But I hope that a new process can be created to change with the times to help all of us keep up with DFIR.

*Peer reviewed correction by Phill Moore



Written by: Brett Shavers
