DFIR Training Blog



Publishing or Perishing in the DFIR world

Following up on the forensic artifact project database idea, the end result is that the idea is dead before it started.

The Twitter poll (one of the most unscientific, but easiest, polls to run) didn’t show a lot of promise. There were also a LOT of DMs and email discussions. Thanks to everyone who gave me their thoughts.

Here are the main points that I received, summarized in three statements:

- Publishing research must be in academia (journals)

- Publishing research must be in books (publishers)

- We don’t need project management in research

On top of these points, the fear of a lack of contributors holds me back. According to the Twitter poll, less than half (of only 88 who voted) would contribute. That is not a big enough number, either as a percentage or as an actual count, given how many people actually do research, and it does not match the discussions I had with some very passionate folks.

Some suggestions given were:

- Those who have published and those who have done research should connect with each other to publish the research.

- Those who do research should go through the academic route to publish in journals.

I don’t see this happening to any great degree, other than perhaps a handful of instances.


We are left relying on DFIR/Infosec bloggers for the most current research, which will have to make do as citable sources where none exist in formal publications. Ironically, this was the original tweet concept that started the conversation to begin with.

As to immutable citation sources, we still have books and journals; everything else will be dynamically changing and evolving, which is a double-edged sword. Good in the sense that we have nearly instant access to the newest developments via blogging. Bad in that blogs are neither peer-reviewed nor immutable. Blog content changes, which can make for a confusing citation. Blogs also disappear without notice, which again affects citations.

I do foresee a time when a practitioner will be able to more quickly publish peer-reviewed and community-accepted work outside of pure academia, but unfortunately, it is not today. The peer-review process, as it stands in academia, is a long one and probably requires more time to reach publication than the actual research took. This should be the opposite, but it is what it is. Most importantly, however, the DFIR/Infosec blogs are awesome for the most up-to-date, practical, and useful research that exists on the planet. Do not discount any research that was personally conducted by a practitioner. It may be right. It may be wrong. Regardless, each is a nugget of gold to expand upon and personally validate in your own research. For that, if you are a DFIR/Infosec blogger, you have my respect.

Thanks to all who contributed their opinions!



Written by: Brett Shavers
