DFIR Training Blog



Making DFIR research a win-win

One of the coolest things about the DFIR field is the research! For those with time to research some minute detail of forensics, there is no cooler job in the world! Unfortunately, many of us don’t have nearly enough time to research as much as we could, even though there are so many topics and sub-topics and sub-sub-topics that could use a good drilling down to figure out.

We have a plethora of students and researchers who have the time (and sometimes, it is part of their job or homework) to conduct the research that this field needs. The one thing that I have found when you have the time to research is deciding what to research. For some reason, when I am up to my elbows in data, I come up with a dozen topics that I want to research as soon as I get the time. Then… I get the time… and can’t seem to come up with the ideas that I had before. Maybe that is just me.

But here is where the Internet comes in.

Aboutdfir.com has a page of research ideas and completed research, which is a good start to compile research. DFIR Review (https://dfir.pubpub.org/) is another great source of research, which I am going to post about in depth in the near future.

I am talking about the crowdsourcing that we can all do with a short tweet or post online, where someone can (1) ask for ideas on what to research and (2) ask someone else to research their ideas. Yes, if you don’t have the time, you can ask if someone else has the time, or maybe someone has already researched what you need. Win-win.

Research can be crowdsourced (many hands make light work), or you can find someone to conduct research.

“Free” mobile app research?

Here is one example from Lori Hermesdorf. Lori is looking for 2-3 mobile apps for Android or iOS to research. If you were looking for someone to research mobile apps… this is your chance to get it done, in a master’s research product, that will be peer reviewed, and made freely available. Tweet or DM the mobile apps that you’d like to see research done on and voilà! Peer reviewed research at your fingertips!

Your Research. Is it known only to you?

One thing about doing a lot of research is that someone else could be doing the exact same research, at the same time! In my opinion, anyone doing research should get their research out in the public as soon as possible. You may prevent effort on something that has already been done, and potentially, you may have others wanting to combine efforts. Again, win-win.

Social media tips when asking for help

If you tweet a research request once, expect no one to see it. That is the way Twitter works. Tweets get buried in minutes, unless they get shared (retweeted/liked). Even then, they get buried quickly. You have to tweet more than a few times to get some exposure.

Pretty much any social media platform will not give a single request the exposure you may think it does, so spend a little time to spread out your requests over different platforms, multiple times, at different days and times. How much is too much? I have no idea…it all depends if it works when it works, which is no answer other than trial and error.

As Aboutdfir.com maintains a page of research, this is also a good place to put your wants and desires for research plus posting links to your own research. DFIR Review is a great avenue for completed research, but again, I’ll post about DFIR Review in more detail in the near future.

First step

Now what? Well, if you see someone ask “What should I research for my school or work?”, you should give suggestions! If you give a suggestion, ask the researcher to contact you when the work is done so that you don’t miss out.

I have to admit, I love doing research by request if I have the time, and I sincerely appreciate others who share their work. Not much is neater in DFIR than sharing what you learned, which leads to others expanding upon your work, which leads to more discoveries, which all links right back to your spark of a research project. That’s pretty cool.

Written by: Brett Shavers
