***** Before I begin, I want to apologize for the grammatical errors you will find in this article. English is not my native language, so I have translated it from the Spanish version *****
I don't know when you'll read this article. Right now, as I start typing, it's around 5:30 in the morning. I woke up at 5:00, my usual time for work, but today I have a 'free' day. I decided to set my daily chores aside for one day.
A while ago, just over six months ago, I decided, reluctantly, to stop writing and publishing my material on @fwhibbit_blog. Not because I wanted to, but because my commitment was needed, temporarily, in another work environment. A commitment to which I had to give 100%.
I consider myself a person committed to what I do, and when I see that I cannot live up to that, I have no objection to saying so openly and acting accordingly.
Why did I have to decide to stop writing? It wasn't easy, but I needed to focus all my energy on another environment, a different field. To spend that time on other kinds of research.
And why write now? Because for a few days now I've been reading, re-reading and thinking about some articles by Brett Shavers and Harlan Carvey about the skills needed for DFIR.
Specifically, they are these (I think they are listed in chronological order):
- Veteran Skillz, (Harlan Carvey)
- Basic Skillz, (Harlan Carvey)
- Wax on. Wax off., (Brett Shavers)
- Basic Skillz, pt II, (Harlan Carvey)
- Digital Forensics is Really Easy, (Brett Shavers)
- A Proposal of Basic Foundational DFIR Knowledge, (Brett Shavers)
Articles that, from now on, I recommend you read. I think both authors deal with very, very interesting topics. They are not the kind of technical articles we all want to read so we can put them into practice. They are the kind of articles that make you think and rethink some issues.
(But what am I saying? I'm sure they don't interest you).
The thing is that, after more than a thousand views of the comment I made, I have received only one answer.
(I reaffirm what I said before: it is surely a subject that seems to matter to nobody).
In my opinion, the issue addressed in those articles is even more serious than it seems.
Let's be honest: there are a lot of people wondering what it takes to be a DFIR professional.
The answer I received was from Harlan, and he invited me to tell him, in my opinion, what basic, measurable skills a DFIR professional has to have. What basic skills there should be across the industry.
So, I have been encouraged to write my humble opinion on the subject.
I'm having a hard time writing. I'm not going to deny the obvious. I don't yet know how to structure this article. I have a lot of ideas floating around in my head.
Maybe I should start from the beginning... Saying that, to my regret, I don't belong to the DFIR industry; I'm just curious about everything concerning Digital Forensics & Incident Response. (I'm not going to separate it into two distinct fields, because both require digital forensic analysts.) Both DF and IR must have the same technical and legal knowledge. Both may have to perform a triage, or clone a drive, or analyse it. And they may, or may not, have to be involved in legal or criminal proceedings after producing their respective reports. Besides, why separate them if we're looking for the common ground they should share?
In spite of this, Harlan wants to seek opinions, even from outside the industry, since he has not received the comments he expected.
Only once did Harlan address me directly. It was to tell me that I gave many likes and RTs to his publications but rarely answered any of his questions, asking, "Why is that?". My answer was obvious. I'm not a DFIR professional. How could I answer someone like Harlan! My work is quite different from that of all these great professionals and authors.
I'm going to change that attitude...
I will now very briefly summarize each of the articles, highlighting the parts that have most caught my attention, for different reasons (this will also help me sort out my ideas), and then I will set out my point of view on the whole matter (I think this is going to be a bit long):
Veteran Skillz, (Harlan Carvey):
In this article, Harlan discusses the non-technical skills that veterans have and can put into practice in any environment.
He also talks about these veterans' transition from military life to civilian life, and about impostor syndrome. He mentions the specific skills they have acquired and the experiences veterans have lived through.
He refers to being part of a team, citing a conversation he had with one of those veterans. What does this mean?
"...a strong sense of not being the guy who fucks up my partners."
In that same conversation he quotes that:
"...He will do whatever is necessary to ensure that he does not make someone else's work harder or unnecessarily burdensome."
He also names a term that I like very much and that has a lot to do with the whole thing: feedback.
He says that veterans have gone through experiences in which they have developed basic skills that many of us don't really think about, but which have a significant impact on their value. Experiences that add up.
He refers to a conversation he had with another person, who told him that:
"The military couldn't think like civilian people."
Finally, he offers his point of view on the matter, in which he says:
"Don't put someone on a pedestal because of some minimized sense of self-esteem, or some self-inflicted sense of fear in them."
or,
"Those skills you have acquired, based simply on what you have experienced will make you an incredibly valuable asset to someone."
Finally, in his last paragraph, he talks about attitude and concentration. Even the development of patience.
In that same paragraph, in his last line, he says:
"...Help the next veteran try to do the same thing you did."
Basic Skillz, (Harlan Carvey):
In this short article, Harlan considers what constitutes the basic skills in the DFIR field, narrowing it down a little further by asking himself:
"What are basic skills in the field of digital forensic science?"
He quotes a Marine motto, "Every Marine is a rifleman," and explains that this motto essentially states that every Marine must know how to pick up and operate an assault rifle effectively.
And he starts to ask us, again, a series of interesting questions:
"Is something like that an effective model for the DF? If so, what are "core competencies"? What is the point at which someone with those basic skills makes the transition to a specialty area, such as Windows forensics, or Mac or mobile forensics?"
Wax on. Wax off., (Brett Shavers):
In this article, Brett tells us about some 'discussions' and fundamentals of DFIR, under the theme of 'Basic Skills'. He refers us to the same question Harlan asked earlier:
"....What are "basic skills" in digital forensics?"
And, directly, he offers us his vision on this aspect, in which he states that the basic skills are
"...Those that are common across the broad spectrum of the DFIR field."
He introduces us to some basic aspects, such as creating forensic images of a drive, acquiring memory, knowing the components of a basic computer, the network protocols, the different Operating Systems with their respective file systems, recovering deleted files, ...
He also says that these are things you should know through training or experience.
He indicates that many of the basic skills are actually very basic for some.
"...Basic concepts, however simple they may seem, have a much greater impact on future skills than they may seem at the time."
He states who, in his view, is doing well, referring to some (private) organisations that separate the fields of DF and IR: one focused more on the legal aspect and the other more on the technical aspect. At that same point he mentions some forensic training providers who offer courses on the basic fundamentals.
Just as he states who, in his opinion, is doing well, he also states who, in his opinion, is doing badly. And he tells us that:
"...Providers offer training without worrying about the basics."
He shows a very clear opinion, where he says that:
"...There is no basic skill level requirement."
Since we can take as many courses as we want without having the slightest knowledge of evidentiary or ethical procedures.
As a solution to this problem, he states that:
"...It is up to the practitioner to obtain an elementary basis."
Since there is no DFIR standard.
Brett ends the article by asking the same questions as Harlan:
"What are the "basic DFIR skills" and what are the common themes that need to be known throughout the DFIR field?"
"And if there is a belief that DFIR doesn't need the basics to work in this field, why not?"
Basic Skillz, pt II, (Harlan Carvey):
In this article, Harlan begins with a direct reference to Brett's post, saying that:
"It should be easy enough to determine what the basic skills would be, starting with the compilation of the common skills needed in each specialty, (the "basic things"). Things like obtaining evidence, creating images, hashing, etc."
Harlan says that's a good start. You have to find out what is common to all specialties and create a basic set of skills that is independent of each specialty. He also indicates, in that same paragraph, that the skills will have to:
"...Be tested and verified."
And related to this, he refers to the so-called "soft skills".
Harlan then goes on to reason out what a correct procedure would be, going through:
- Collecting evidence in an appropriate manner. But, what is considered correct? To answer this, he suggests leaning toward how evidence can be collected, and that the collection process should be thoroughly documented.
- Imaging the hard drive. But, what if the problem is not the hard drive, but the memory, or a card?
- Verifying the tool, in terms of image creation, and verifying the acquired forensic image itself. But, what if we can only acquire a single image? At this point he stresses the importance of documentation and understanding.
- Knowing what kind of analysis is required. But to do this, we must know what data, what evidence, to look for and acquire.
- Documenting everything.
- Writing a report and presenting it in two forms: to a stakeholder with a technical profile and to a stakeholder with a non-technical profile.
All of this would cover the basic skills for a DFIR professional. From there, the different specialties and the different levels would have to be separated.
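The two steps in that procedure that are easiest to show in code are verifying the acquired image and documenting every step. The following is an added example, not code from Harlan's or Brett's articles: it hashes the bytes as they are read from the source, re-hashes the stored image and compares the two digests, and appends each step to a JSON-lines case record. The "device" is a constructed byte string in memory, the item names and the examiner field are placeholders, and nothing here comes from a real acquisition.

```python
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha256")   # two independent digests, as acquisition reports usually carry
CHUNK = 1 << 16                  # read in 64 KiB blocks; never load a whole image into memory


def _new_hashers():
    return {name: hashlib.new(name) for name in ALGORITHMS}


def _digests(hashers):
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, image_path):
    """Copy `source` (a file-like object) to `image_path`.

    The digests are updated from the bytes *as read from the source*, so they
    describe what the source contained, independently of what was written.
    """
    hashers = _new_hashers()
    with open(image_path, "wb") as out:
        while True:
            block = source.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
            out.write(block)
    return _digests(hashers)


def hash_file(path):
    """Hash a stored file by re-reading it from disk, block by block."""
    hashers = _new_hashers()
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return _digests(hashers)


def verify(image_path, acquisition_digests):
    """Compare the stored image against the acquisition digests, per algorithm.

    Returns (all_match, stored_digests); a single mismatch fails verification.
    """
    stored = hash_file(image_path)
    return all(stored[n] == acquisition_digests[n] for n in ALGORITHMS), stored


def log_step(record_path, **fields):
    """Append one timestamped JSON line to the case record (the documentation step)."""
    entry = {"timestamp_utc": datetime.now(timezone.utc).isoformat(), **fields}
    with open(record_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def run_demo():
    """Constructed walkthrough: acquire, verify, alter one byte, verify again."""
    device = io.BytesIO(bytes(range(256)) * 1024)      # constructed 256 KiB "device"
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "item-001.raw")
        record = os.path.join(workdir, "item-001.jsonl")
        acq = acquire(device, image)
        log_step(record, step="acquisition", image=image, digests=acq,
                 examiner="placeholder examiner")
        ok_before, _ = verify(image, acq)
        log_step(record, step="verification", image=image, match=ok_before)
        with open(image, "r+b") as f:                  # simulate post-acquisition damage
            f.seek(1234)
            f.write(b"\xff")
        ok_after, stored = verify(image, acq)
        log_step(record, step="verification", image=image, match=ok_after, digests=stored)
        with open(record, encoding="utf-8") as f:
            steps = [json.loads(line)["step"] for line in f]
    return ok_before, ok_after, steps


if __name__ == "__main__":
    print(run_demo())
```

Two points a practitioner would watch for: the acquisition digest has to be computed from the bytes read from the source rather than from the written file (otherwise a write error goes unnoticed), and verification has to re-read the image from disk. A single altered byte changes every digest, so a mismatch tells you that the image is no longer what was acquired, not where it changed; that is exactly why the record keeps both sets of digests.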
Harlan also presents his thoughts on identifying and developing basic skills in professionals, which include:
- Basic concepts, including, for example, documentation, feedback, or attending an event.
- Understanding file systems and structures, which consists of understanding how data is managed in storage systems, in all their variants. This can involve a high degree of specialisation, a division into levels of knowledge. But this knowledge needs to be demonstrated.
- Analysis techniques. At this point we are told that it is a very important subject, since it is a good step towards the different areas of specialization, and a good point for reiterating fundamental concepts, setting goals, developing a plan, documenting everything and carrying out a review.
"...Lessons learned."
At this point in 'Analysis Techniques', Harlan mentions that:
"...We all learn in different ways. Some of us learn through auditory means, others visually and others by practicing."
We are told that we begin by learning a new skill, developing a fundamental understanding and practicing that skill through repetition. That's how our understanding develops and that's how we become interested in evolving.
In his last paragraph, Harlan talks about the:
"...Particularity of the language. Things are called by specific names, and this allows us to communicate clearly with other analysts, as well as with non-technical people."
Digital Forensics is Really Easy, (Brett Shavers)
In this article, Brett points out that:
"...The DFIR technique is quite easy."
And he calls a spade a spade. That is, a computer is a computer; collecting data is collecting data; and an artifact is an artifact. He suggests that:
"...As long as the fundamental principles and concepts are followed, the work can be carried out without impossible obstacles."
But he also warns that in DFIR:
"...It's really easy to screw up."
Then he shows a couple of personal examples, where he mentions the mistakes that can be made by those who lack the basic fundamentals. Because
"...A fundamental basis is precisely that. Base. Essential."
He explains that in the DFIR field you don't just work with data. The legal aspect should not be forgotten.
He mentions the capacity of the analyst and the need to delegate to other specialists.
He ends by asking a question and giving his vision:
"...What is a fundamental basis?"
"...what you have to know legally."
"...What you need to know technically."
He ends by saying that anything else is specific and not part of the common ground.
A Proposal of Basic Foundational DFIR Knowledge, (Brett Shavers)
In this article, Brett first defines the term basic:
"...Basic = foundation, fundamental, starting point."
A general knowledge of the main elements.
He refers to the different levels of qualification, each of which would need its own fundamental basis.
He mentions that:
"...The basics in one case could very well be advanced in another."
He refers to the fundamentals of DFIR as something:
- "...Common to all specific DFIR jobs."
- "...No evolution in principles, but evolution in technique."
- "...What you need to know legally."
He talks about the lack of knowledge that causes unintentional mistakes.
- "What you need to know technically."
He presents his vision of the problem: according to him, there are no courses that can be considered basic and that fit the model he describes.
He believes that people do not want to spend their money and time learning the basics, the basic concepts; they want to play directly with the tools, with the technical part. And he states that this is the wrong way.
He formulates what could be a solution, in his opinion. He affirms that it is solely our responsibility to acquire the basic fundamentals. Nobody else's.
He also explains that:
"...The Community must support some level of basic fundamental knowledge."
"...Universities must provide students with those foundations."
He asks a question that he answers himself:
"...How hard is it to get a good base?"
Anyone and everyone should take the time to learn the basics, through courses, books, ...
IMHO, (very long version)
I have been able to see, in all these articles, how the two authors have exposed very great truths, making excellent use of reasoning, with their points of view.
Before I begin to pour out my humble opinion, I emphasize once again:
I am not a DFIR professional. I don't practice in that world. I'm just curious. So I'm only going to talk about what I know, what I've seen. And I admit that I have only seen the tip of the iceberg.
And that fact suits me very well, because I owe nothing to anyone but myself. I don't need to sell anything. So I'll be able to say a lot of nonsense and bullshit without fear of reprisals.
Where to start...? Let's go back to the original question:
What are the basic skills in DFIR?
Well... It's a subject that I really find very interesting, and very important. I don't think there's a simple answer. I don't think there's a short answer. I don't think there's an answer that pleases everyone either. I'm going to try to order and shape my ideas...
And for that, and since I can only talk about what I've seen, what I know, I'm going to talk a little about myself.
The first thing I'm going to do is not talk about DFIR as an industry. I'm going to talk about DFIR as a Community. The industry is only one part (the commercial one) of that Community.
When you talk about veterans and the basic non-technical skills they have acquired, only one word comes to mind: EXPERIENCE. What is experience? A practice that provides knowledge or ability to do something; knowledge acquired through the circumstances or situations one has lived through. Experience could be a good common point that DFIR professionals have to meet, because experience always adds to the knowledge acquired. But it is not accessible to everyone, because what happens to those who lack it, to those who want to start? What can those who want to start do? Substitute PRACTICE for experience. What is practice? Well, it is nothing more than the action of exercising something that has been learned. Practice has a very positive effect on training. It is through this medium that the lack of experience is made up for. But practice, without feedback, is useless.
Impostor syndrome has been mentioned. I know what impostor syndrome is. I have suffered from it. I still have it some days. I am unable to recognize my 'work' in DFIR (despite other people's comments). There are many days when I think I'm not up to it, that I'm a fraud. I am overcome by fear. On the worst days, I think that everything I have done in DFIR has been thanks to a group of people who have supported me and facilitated my journey. (Thank you, DT.) Why? I am not GCFA, CFCE, CCFE, CHFI, ... I have not trained with any software vendor. I do not hold any higher-education degree. (I don't want to mention any specific institution, public or private).
Feedback has been named. What is feedback? Active participation by the DFIR Community, with comments and corrections. I consider it vital that there is feedback from the Community. And on many occasions, it is the Community itself that can generate the impostor syndrome mentioned above, either by action or by omission. I remember as if it were yesterday a post I made on @fwhibbit_blog, where I talked about my experience during my first year outside my cave, and where a DFIR professional made the following comment: "More 'self-taught' people trained in the 'university of life'". It could be taken as just one more comment, as something unimportant, if it weren't for the fact that it was followed by laughter. That, dear reader, hurts. It does a lot of damage and can frustrate someone else's ideas. Feedback is necessary and healthy to form a Community.
Reference has been made to being part of a team, that is, TEAMWORK. A team is a group of people who interact with each other, discuss and think in a coordinated way, where each one fulfils a part to reach a common goal. I think that having that aptitude is basic and elementary.
"The military can't think like civilian people." It's an interesting comment that always comes from the mouth of someone who doesn't know military life. It's not the first time I've heard it. I know what military life is. I've been living it for more than 18 years. Don't I have my own ideas? Don't I know how to think for myself? If there is something that military life has taught me, and still does, it is precisely to think, to form myself as a person, to be aware of my limitations in order to break them, to have DISCIPLINE. What is discipline? Well, it is simply the training that a person receives, the teaching, especially in morals. Discipline helps develop skills more effectively. A disciplined person is able to integrate into any environment, into any team. So I think discipline is another common point to keep in mind.
Discipline helps forge an ATTITUDE. What is attitude? It's the behaviour we have toward the different tasks we do. It is the state of mind we show towards the tasks we have to do. It is our mental disposition. It is part of our character and denotes our motivation. Attitude can be moulded, it can be trained and it can evolve. So, having a good attitude should be a common point for any DFIR person.
A good attitude, in turn, helps us to have greater CONCENTRATION. What is concentration? Well, it is nothing more than the mental capacity a person has to maintain attention on something. Concentration can be learned, it can be enhanced. The ability to concentrate must be a common point, since it is vital in any activity.
No less important, discipline, through attitude, also teaches PATIENCE. What is patience? It is the faculty we have to know how to wait, not to rush. The ability we have to do thorough work. So I also believe that patience should be a common point for all people.
So far I've told you a lot of nonsense and unimportant nonsense and I haven't answered the question:
"What are the basic skills in DFIR?"
All right, then. Perhaps I have already thrown out some idea of where my thoughts are going on this matter...
"Every Marine is a rifleman". That's an interesting motto, of course. Every Marine must know how to pick up and operate an assault rifle effectively. Let's take that motto to the DFIR field... Every professional must know how to work with the appropriate tools in each case.
I have a weapon assigned to my post. As a soldier, I must know how it works, perfectly. I must know all its parts. I must be a good marksman. I must. But that's what the theory or the rule dictates. Do I really know it? Am I really? No, because I only use it twice a year. It's not my usual work tool.
So, regarding the question "Is that model effective for DFIR?": in my opinion, no. Not if you don't have the option of demonstrating those skills. Not if there is no effective training.
On this subject, I have already mentioned that I do not have official, regulated training in DFIR. So, compared with a person with higher education, which of us has more training to practise DFIR? What are the bases for each of us? And what if I tell you that this person doesn't know about tools because he doesn't care (automagic), that he doesn't care about learning a little more every day, that he doesn't look for information because he prefers ready answers, that he doesn't help in the Community? And what if I tell you that I worry every day about learning, about searching, about getting to know tools, cases and situations, about trying things in my labs, about participating in the Community, about sharing what little I know through articles, conferences, ...? Is that person then more qualified than I am to practise DFIR? In my opinion,
The habit makes the monk.
Common skills, common skills... It is clear that they are those common across the broad spectrum of the DFIR field. But the DFIR field is very large: Software, Hardware, Windows, Linux, Mac, Android, Triage, Imaging, RAM, Malware, Mobiles, Networks, IoT, Cloud, NTFS, EXT, Carving, Audio, Video, Image, email, ...
What basic skills do all these specialities have in common? Can all these specialities really be learned through training and/or experience? ALL of them?
It is clear that basic concepts, however simple they may seem, have a very important impact on the skills we want to acquire. Yes, we can learn all the basic concepts you can think of. But I think you can only learn the theoretical part of each of them. I want to know what basic skills a person has to have to do DFIR, not how to acquire the fundamental knowledge, which I already know can be done through study. What do all these specialties have in common?
Am I still talking? Are you still reading? But this isn't an interesting topic! I'm just talking nonsense! That's up to you. Let's continue...
We can't talk about basic skills without knowing what that term means: Skill. A skill is a capacity, sometimes innate, that we have or acquire, and it refers to the dexterity, to the ease, we have when carrying out some activity.
So far I have listed, and I hope with good reasoning, some of the skills that I consider basic for anyone who wants to do DFIR.
Let's go back a bit... To the point where I mention training and studies. I think people don't want to spend time and money on basic training. Really. I think they don't invest their time and money in this type of training because they ask themselves: Will it help me get into this field? And I'm sure you're well aware of the usual answer. It won't. And in the first instance it will be because the recruiter does not want someone with an 'X' degree and only basic, fundamental knowledge. The recruiter will want someone with an 'X' degree who is an expert and a professional. A terrible mistake.
There are many certifications. There is training, both public and private, for all levels. The question is: is there a single, universal training within the DFIR field? Who evaluates these skills, these people's capabilities? Would this evaluation be objective or subjective? As far as I know, there is no single standard. Industry, which I have already said is only a part of the Community, is driven by interests. So, what the hell is it interested in? Selling? Or teaching what is really useful for the correct development of the profession? What is the minimum requirement to be able to stick one's head into this world? Those are the questions we really have to ask ourselves.
On the other hand, is the teaching being offered, or the learning being sought, more focused on the technical aspect or more on the legal aspect? Are you interested in studying something with a real balance between the two fields? Thanks to this philosophy, we can study whatever we want without having any knowledge of basic procedures, or of ETHICS itself. Ethics. I love that term. What is ethics? It is the most elementary basis that must exist. It is a set of moral norms that must govern, in this case, conduct in the DFIR profession.
Is there a standard in DFIR? As far as I know, NO. Therefore, it is the interested person himself who should be concerned with acquiring an elementary basis in that field.
There are many ways to acquire the desired knowledge. We can learn by means of courses, by self-teaching, by reading books, by watching videos. But knowledge is only something theoretical that will pass through our memory if it is not put into practice, if it is not experienced. We can learn through the various conferences that take place throughout the year, around the world, by actively participating in them, because that is where you see the true passion that exists in the Community. Networking is a source of knowledge, which also adds practice, experience. And that is not forgotten. We must learn by trial and error. In this way we will be able to establish our own 'lessons learned', where we will have learned what we have done well and what should not be done again.
But of course, how do we mark the minimum knowledge that must exist, both technical and legal? For example, would it be useful to know the basic components of a computer? Or, on the contrary, is it necessary to know each and every one of the circuits and chips that make up every motherboard from every manufacturer? Is it enough to know a suite? Or, on the contrary, is it necessary to know that there are a multitude of small tools and utilities for each of the cases we can find? As far as the legal part is concerned, should we know a minimum of the legal side? Or, on the contrary, should we know all the legislation of the region we are in? And if it turns out that you have the minimum knowledge required, a good technical base and a good legal base, but you are in a case in which you have to acquire evidence from a server located in another region, should you then know the legislation of that region? Where is the limit, the line that delimits the minimum?
In my case, for example, I have paid for two courses dedicated to Computer Forensics, which I think have helped me get deeper into this world. I have paid for a basic course in Computer Forensic Analysis (CPAIF), and I have paid for a university course in Computer Forensics and Technology Law (DTIF), which teaches Computer Forensics and Technology Law 50/50. But they cost money. Do they really teach what we want to learn? Or what we need to learn? Everything depends on our choice, on what we look for, on what we expect from those courses and what we expect to have after them. There are also more and more MOOCs available that are oriented to Forensic Computing. And yes, they are basic, and they are usually free. The last one I did was on Computer Forensics and Cyberlaw. Also keep in mind that studying and reviewing the basics is not bad. Quite the opposite. It comes in handy precisely because it is something basic, elementary, that you should always keep in mind.
Studying the basics is elementary. It will allow us to speak the appropriate language. That is, to call things by their name, to understand the elements we work with and to explain them both to a technical profile and to a non-technical profile.
I'm sure you're thinking I'm releasing a lot of meaningless 'shit' in this article. Okay. It's up to you to keep reading, if you're interested in the subject, of course.
Should it be easy to determine the basic skills, the common skills of each specialty? It is not an easy task. Not all DFIR specialties acquire evidence, or image drives, or do hashing, or carving, ... Or perhaps it will be easier than we think, if we rethink the question. I have reviewed a set of skills known as SOFT SKILLS. What are soft skills? They are a set of skills we all have. Social skills, communication skills, proactive attitudes, responsibility, teamwork, honesty, commitment. These are skills that make the difference between who can be a professional and who cannot. This set of soft skills is a necessary complement, something elementary, to acquiring the HARD SKILLS. What are hard skills? They are the technical skills themselves, specific to each situation, to each specialty. Unlike soft skills, which they say are not measurable (I think they are), hard skills are quantifiable. But of course, if we talk about technical skills, which are required for each specialty, we can no longer talk about basic skills common to the entire DFIR field. We will be talking about specific skills, which are not basic, common DFIR skills, in all their splendour.
It is not easy to find out what is common to all DFIR areas. It is not easy to create a basic set of basic technical skills. Skills that, on the other hand, need to be tested and verified. Who is the person or institution responsible for this? They must be tested, but against what, or before whom? Let us remember that there is no universal norm, no standard, referring to it.
Forensic technique is easy to learn if you have a good attitude and aptitude. It is learned through practice, trial and repetition. But you can't do an analysis if you don't have a base, something elementary: knowledge of the Fundamental Principles of Computer Forensics, because otherwise we can screw it up. Principles, both legal and technical.
For example, I recently had to perform a triage on a System that presented anomalies in its operation. Did I have the express, signed authorization of the System's user? Is this 'small' detail something basic? Is it simply a question of administration? Can this question of administration end up in criminal proceedings? I know how to analyse the data I work with. Is that basic? However, the '.evtx' files that were extracted were damaged. I managed to repair their headers. Is that something specific or advanced? Mistakes can be made. No one is exempt from them. But those errors can be minimized by being aware of the Fundamental Principles, and that's when they might not have a serious impact on our analysis.
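On the damaged '.evtx' headers mentioned above: the script below is an added example, not the author's repair and not code from the articles. It checks the fixed fields of an EVTX file header and recomputes its CRC32, then repairs a copy. The field offsets are those of the publicly documented EVTX format as described in the libevtx documentation (signature "ElfFile\0", 128-byte header, 4096-byte header block, CRC32 over the first 120 bytes); that layout is an assumption of this example, and the sample header is constructed in memory rather than taken from a real system.

```python
import struct
import zlib

# Assumed layout of the EVTX file header (per the libevtx format documentation):
#   off  size  field
#     0     8  signature "ElfFile\x00"
#     8     8  first chunk number
#    16     8  last chunk number
#    24     8  next record identifier
#    32     4  header size (always 128)
#    36     2  minor format version
#    38     2  major format version
#    40     2  header block size (always 4096)
#    42     2  number of chunks
#    44    76  unused
#   120     4  file flags
#   124     4  CRC32 of bytes 0..119
#   128  3968  unused, padding to the 4096-byte header block
SIGNATURE = b"ElfFile\x00"
HEADER_SIZE = 128
BLOCK_SIZE = 4096
HEADER_FMT = "<8sQQQIHHHH76xII"
FIELDS = ("signature", "first_chunk", "last_chunk", "next_record_id",
          "header_size", "minor", "major", "block_size", "chunk_count",
          "flags", "checksum")


def header_crc(blob):
    """CRC32 over the first 120 bytes, the value stored in the checksum field."""
    return zlib.crc32(bytes(blob[:120])) & 0xFFFFFFFF


def parse_header(blob):
    return dict(zip(FIELDS, struct.unpack_from(HEADER_FMT, blob, 0)))


def check_header(blob):
    """Return a list of inconsistencies; an empty list means the header is sound."""
    if len(blob) < HEADER_SIZE:
        return ["file is shorter than the %d-byte header" % HEADER_SIZE]
    h = parse_header(blob)
    problems = []
    if h["signature"] != SIGNATURE:
        problems.append("bad signature %r" % h["signature"])
    if h["header_size"] != HEADER_SIZE:
        problems.append("header size %d, expected %d" % (h["header_size"], HEADER_SIZE))
    if h["block_size"] != BLOCK_SIZE:
        problems.append("header block size %d, expected %d" % (h["block_size"], BLOCK_SIZE))
    if h["checksum"] != header_crc(blob):
        problems.append("checksum 0x%08x, computed 0x%08x" % (h["checksum"], header_crc(blob)))
    return problems


def repair_header(blob):
    """Rewrite the constant fields and the checksum on a copy.

    Counters (chunk numbers, next record id, chunk count) are left as found:
    they cannot be recovered from the header alone. The input is never modified.
    """
    buf = bytearray(blob)
    buf[0:8] = SIGNATURE
    struct.pack_into("<I", buf, 32, HEADER_SIZE)
    struct.pack_into("<H", buf, 40, BLOCK_SIZE)
    struct.pack_into("<I", buf, 124, header_crc(buf))
    return bytes(buf)


def build_sample_header(chunk_count=1, major=3, minor=1):
    """Constructed, internally consistent header block (not from a real log)."""
    raw = bytearray(struct.pack(HEADER_FMT, SIGNATURE, 0, chunk_count - 1, 1,
                                HEADER_SIZE, minor, major, BLOCK_SIZE,
                                chunk_count, 0, 0))
    struct.pack_into("<I", raw, 124, header_crc(raw))
    return bytes(raw) + b"\x00" * (BLOCK_SIZE - HEADER_SIZE)


def run_demo():
    """Damage a constructed header the way a truncated copy might, then repair it."""
    good = build_sample_header()
    damaged = bytearray(good)
    damaged[0:8] = b"\x00" * 8       # zeroed signature
    damaged[40:42] = b"\x00\x00"     # zeroed header block size
    before = check_header(bytes(damaged))   # signature, block size and checksum fail
    fixed = repair_header(bytes(damaged))
    after = check_header(fixed)
    return before, after, fixed == good


if __name__ == "__main__":
    before, after, restored = run_demo()
    print("before:", before)
    print("after:", after, "restored:", restored)
```

The repair returns a new byte string and never writes to the input, which is the point: work on a copy, hash the file before and after, and record what was changed. Even with a consistent file header, every chunk in the file carries its own signature and checksums, so a parser that accepts the repaired file may still report damaged chunks or records; the header repair only gets the tool to open the file.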
IMHO, (short version)
The question: What skills do I consider basic within the DFIR Community?
I think the importance given to this issue needs to be something more transcendental.. Not everything is measurable, in an objective way. Not yet. Because the first thing that the DFIR Community has to do, to know what common skills all its areas have, is to finish being formed as such, through a code of ethics, where an ethic is established. And once that ethics is established for a DFIR, some minimum, basic level of knowledge could be created.
From there, we can begin to understand each other.
What I think any person needs in order to devote themselves to DFIR is good soft skills, followed by good hard, specific skills, which must be demonstrated impartially. I set out some skills and knowledge (not necessarily in this order, and I will possibly leave something in the inkwell):
- You must show a good attitude, positive and motivated
- You must have a good aptitude, that is, you must be competent and able to understand what has happened, or what has not happened
- You must be able to write for both technical and non-technical audiences
- You must be able to speak, to express yourself in front of other people, in the right way, with the right language for each case
- You must know the structure of the expert report
- You must participate actively in the Community, through feedback, through conferences, ...
- You must be curious
- You must be enthusiastic
- You have to question everything
- You must know
  - What to look for
  - Where to look
  - How to find it
- You must know the Basic Principles of Computer Forensics
  - The exchange (transfer) principle, Locard's principle
  - The principle of economy, or Ockham's razor
  - Heisenberg's uncertainty principle
- You must know the phases of computer forensics
  - Collection, with the principles of
    - Authenticity and preservation
    - Order of volatility, as set out in RFC 3227
  - Documentation, where you present your conclusions
    - Without assumptions
    - Without making value judgements
    - Without judging
- You must be familiar with RFC 2828, Internet Security Glossary (since superseded by RFC 4949), to be able to call each thing by its name
- You must know RFC 3227, Guidelines for Evidence Collection and Archiving, to know how to proceed with basic levels of competence. This guide covers
  - The order of volatility
  - Things to avoid
  - Privacy considerations
  - Legal considerations
- You need to know that the evidence must be
- You must know the chain of custody
- You must know the principles of
- You must act with integrity
- Impartiality and independence
- You need to know that you have to document everything, every process you carry out, both what may incriminate and what may exonerate.
- You must be able to understand how each of the different elements, artefacts, pieces of evidence, ... that you are going to work with works.
- You must know how to identify evidence.
- You must be able to determine what type of analysis you have to perform and what evidence you have to extract.
- You must know how to extract evidence and how to handle it.
- You must know which analysis tools and techniques exist for each of the cases you may encounter.
- You must know that you owe yourself only to the truth, under civil and criminal liability.
- You must know that you have to act competently. That is, you must know your capabilities and your limits, so as to know when to delegate the case to someone else.
- You must know that you have to act independently. In other words, you must not hold any prejudice about the case.
- You must know that you have to act with authority. You must know how to assert, explain and make your conclusions understood.
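Several of the points above (authenticity and preservation, the RFC 3227 order of volatility, the chain of custody, documenting everything) can be made concrete in a few lines. The following Python script is an added example written for this edit, not a tool from the original article or its author: it plans acquisitions most-volatile-first following RFC 3227 section 2.1, records who acquired each artifact, when and with what, hashes it with SHA-256, and later re-hashes everything to detect any change since acquisition. The category labels, the operator and tool names, and the sample artifacts it builds in a temporary directory are constructed for the demonstration.

```python
"""Chain-of-custody manifest following the RFC 3227 order of volatility.

Added example for this article, not the author's own tool. Category labels,
sample artifacts and the operator/tool strings are constructed assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# RFC 3227, section 2.1: order of volatility, most volatile first.
# The labels themselves are assumptions chosen for this example.
VOLATILITY_ORDER = [
    "registers_cache",
    "routing_arp_process_memory",
    "temporary_filesystems",
    "disk",
    "remote_logs_monitoring",
    "physical_config_topology",
    "archival_media",
]
_RANK = {name: i for i, name in enumerate(VOLATILITY_ORDER)}


def plan_collection(items):
    """Return (artifact, category) pairs ordered most volatile first.

    An unknown category is rejected so nothing is collected outside the plan.
    sorted() is stable, so items in the same category keep their given order.
    """
    for name, category in items:
        if category not in _RANK:
            raise ValueError(f"unknown volatility category for {name!r}: {category!r}")
    return sorted(items, key=lambda item: _RANK[item[1]])


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(manifest, path, category, operator, tool, note=""):
    """Append one custody entry: who acquired what, when, with what, and its hash."""
    entry = {
        "artifact": os.path.basename(path),
        "path": os.path.abspath(path),
        "category": category,
        "operator": operator,
        "tool": tool,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "note": note,
    }
    manifest.append(entry)
    return entry


def verify_manifest(manifest):
    """Re-hash every recorded artifact; return the names whose content changed."""
    return [e["artifact"] for e in manifest if sha256_file(e["path"]) != e["sha256"]]


def demo():
    """Run the whole flow on constructed files and return the outcomes."""
    manifest = []
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed sample artifacts standing in for real acquisitions.
        mem = os.path.join(workdir, "memory.raw")
        evtx = os.path.join(workdir, "Security.evtx")
        with open(mem, "wb") as fh:
            fh.write(b"\x00" * 4096)
        with open(evtx, "wb") as fh:
            fh.write(b"ElfFile\x00" + b"\x00" * 120)

        # Memory is more volatile than a file on disk, so it is planned first.
        plan = plan_collection([(evtx, "disk"), (mem, "routing_arp_process_memory")])
        for path, category in plan:
            record_acquisition(manifest, path, category, "analyst-1", "example-imager")

        clean = verify_manifest(manifest)       # nothing changed yet
        with open(evtx, "ab") as fh:            # simulate post-acquisition tampering
            fh.write(b"X")
        tampered = verify_manifest(manifest)    # the altered artifact is reported

        return {
            "first_collected": os.path.basename(plan[0][0]),
            "clean": clean,
            "tampered": tampered,
            "manifest_json": json.dumps(manifest, indent=2),
        }


if __name__ == "__main__":
    print(demo()["manifest_json"])
```

Run stand-alone it prints the JSON manifest; in practice that manifest is what travels with the evidence and is signed or countersigned at each hand-over. The check a reviewer or a court cares about is `verify_manifest`: it re-hashes each artifact and reports anything whose content no longer matches the hash recorded at acquisition time.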
I have jumped in the pool. I believe that all of this set of skills and knowledge adds up to what are called good practices, which everyone in DFIR should know and comply with.
So yes. I think it's a question of attitude and aptitude in the first place.
I firmly believe that the right question to ask is not, What are the basic skills common to every DFIR practitioner? I think the appropriate question would have to be, What does a person need in order to do DFIR in any specialty?
This is my opinion. The opinion of a mere curious person in this matter. The opinion of someone who has only seen a minimal part of the surface. An opinion I give because I have been asked. An opinion I give because I like to help build Community. An opinion I give with respect to the little I have seen and know. So, I think I can help others.
Although, perhaps, precisely by being only a curious person who is not within the industry, I can have an external vision, a more impartial vision.
I think the DFIR Community is very large, and I really think it should have cooperated more on this matter, which in my view is very important.
You can agree with it. You can disagree with it. Or you can pour out your own opinions. It's your turn... I hope, at least, to have given you something to think about.