DFIR Training Blog



I can do what now with forensic software? Seriously? Wow..

For those in the DF/IR world who started in this business way back when (or maybe you were part of the crowd who actually started this business), you'll know exactly what I mean when I say...

"That which was impossible yesterday, is possible today."

What I mean is that the tools of yesterday were great at the time, but today, not so much, or actually not at all. I remember the first time that I carved out images (pictures) from an image (as in disk image) using DOS software. I was amazed. Then I was running around the entire City Hall finding any floppy disk laying around to practice magic. Word documents! Spreadsheets! I WAS ON TOP OF THE WORLD! Oh yeah, the stuff I found on those 'formatted' floppies was really neat too...

There were a lot of impossibilities back then, or at least things that just weren't done. Volatile memory? Nope. Cell phones? Nope (tbh, the early phones wouldn't have anything on them anyway...). Encryption? Forget about it. How about the Windows registry? Nope. Not much work done in there either.

Today is different. Way different.

We have more forensic software and hardware than any one person could ever hope to use or see in a career. Not only that, but there are outstanding practitioners writing outstanding software. Any of these tools would have saved me so much time years ago, but that is how it works.

Commercial tools are no different. Exams that would take weeks just to process data now take only days or hours, and that is with 10x the size of datasets! So, yesterday's impossibilities are possible today. I would love to go back in time to re-do some of my exams using today's tools, because I would find more relevant evidence, faster.

Don't get me started on hardware. One of the reviews/comparisons I will be doing will be on a new hardware device. Oh my. I can't wait.

Tomorrow is different.

Here is the flip side. What is possible today may not be possible tomorrow. I mean that there are things that we do today that we may not be able to do in the future. What are these 'things'? I don't know, but I know that as technology changes, some things in DF/IR become easier, and some things become harder if not all-out impossible/impractical. Whether it will be due to devices, operating systems, encryption, or whatever else is unsure. One thing that is for sure is that as we have entered this world of practitioners building tools, we are on the cusp of keeping up with the tasks we need to do. From determining guilt to tracking criminals and defensive ops, we have gotten better and continue to do so.

The main point

When something doesn't work. When you realize that the 'old way' does not work anymore. When you want to complain about what is broken. The solution is not to complain. The solution is to state the obvious as a positive and move forward. We should have imaged RAM from the beginning, but we didn't know how or realize the importance. Now we do. We moved on. So the next thing you find that needs improvement...simply state:

"Hey, we've been doing it the best way that we knew how, but I think it is time to figure out how to do it better. I have some ideas to test."

And then we share. That's the main point.


Written by: Brett Shavers
