# DFIR: Nobody asked you!

Hi, minions:

I hadn't had anything in mind to write for a while, because I'm starting a job that I don't quite know how to approach yet. But one person directed a "Fuck off" at me, (together with the corresponding block), and that has been the trigger for this article.
If someone disrespects another person, he loses all reason, even if he is right. He loses the argument. Good manners must always come first.

I recently read an opinion article that the user z3roTrust wrote on July 18, 2018. The article in question is entitled "Why it’s Probably Best to Leave Digital Forensics and Incident Response (DFIR) to the Professionals".

I must admit that I had to read the title a couple of times before going into it, fearing what I was going to find inside it.

After reading it I had the audacity, (I don't know what the hell I was thinking), to reply to the author on his Twitter post with a personal opinion.

I'm not going to recreate the conversation held on Twitter with the author of the article, but I invite you to read it, draw your own conclusions and, if you wish, take part in it, either through comments on this article or through direct replies on Twitter.

Regarding that conversation, I consider that at no time have I said any nonsense, (and sometimes I say a lot of it). But if I am wrong, I would like you to correct me, because I love to learn; I am eager to learn, whoever that knowledge comes from.

I want to make clear something that I also told the author, who seems annoyed by my replies, though I still don't know why. My English is bad and sometimes I get lost in context. At no time have my comments been made with malicious intent. I think they were not malicious, but if they were unfortunate, I am sorry. I simply told the author that I do not agree with some points in his article, (not all), specifying one of those points and asking a clear question, without making any criticism or assessment of its content at that time.

I would also like to clarify, in case you don't know it yet, that I am not a DFIR professional. So I speak and ask from my complete ignorance, from my point of view, from my own common sense, (although sometimes that is the least common of the senses). All because I am curious to know and understand things.

It goes without saying, therefore, that I am no 'great guru' of DFIR. I am nobody in the industry.

I'm just curious. I don't know everything, nor do I aspire to know everything, (I would rather say that I know almost nothing). I have no idea how the Community works, or the industry, whatever you want to call it.

Just as I told the author of the article in question, I invite you to read what I think, in a quite clear way, about the DFIR Community and its training, among other things, in the first article I wrote in this Blog, "DFIR: A matter of attitude and aptitude". 

It is very true that nobody asked me but, if something has been published, I believe that anyone can react to that publication. There is a reason why it is public.
If you don't like receiving feedback, (if you don't take it well), stay in your cave and don't publish anything. Keep it to yourself and don't share it, because that way you don't build a Community.
We complain a lot about not receiving the necessary feedback within the Community. Personally, I am willing to receive it, whether positive or negative. I love being criticized, wherever the criticism comes from, (although I hardly get any comments). But it is reactions like this one that often prevent feedback from existing in the amount it deserves. That seems to me a real pity.
No one possesses the absolute truth about all things.
It is true that there are different ways of disagreeing. But expressing disagreement with some points of a text does not mean disagreeing with someone's work as a whole, especially when what follows is a question. I believe I have the composure to be considerate and to choose my words well before speaking.
People can be great because of their knowledge. But they can be even greater because of their humility.
I do not disagree with every point made by the author. In fact, I agree with almost all of them. But it is true that I disagree with some.

I have no way of knowing whether working in DFIR is discouraging and/or rewarding. But I can say that I find it an exciting career. A career in which the breadth of knowledge required demands constant training, and not only for professionals, as the author states. There are many people who, although they are not professionals, carry out very interesting research work.

It is true that no one can know everything. And whoever claims to know everything is lying. Anyone who does this, as a hobby or as a profession, must specialise in one field, because DFIR, like other subjects, is multidisciplinary.

The author states that the DFIR Professional Community is highly valued for its knowledge and skills. I must disagree on this point. I would say that it is some people within that DFIR Professional Community who are highly valued, because they have chosen DFIR as a way of life and not as a business opportunity. There are people who have chosen that branch only for the money, (for example).
In every family there are 'black sheep'.
The author makes one statement which has caught my attention more than any other. He states that no attempt at computer forensic investigation should be made except by qualified and trained professionals.

Both that point in your article and the comments you have made to me on Twitter seem critical to me, because they take us back to the article in which I express my opinion on this and ask myself many questions: Who qualifies and trains people to practise DFIR? Are there people without training who can perform a forensic investigation better than a professional? Who certifies and authorises someone to do DFIR?...

I don't want to go back over those thoughts which, on the other hand, have proved to be useless.

I would say to you that I await your opinion, both positive and negative, but it probably won't do any good.

That's all.


4 comments:

  1. First off, I tend to agree with the sentiment of the original poster's article...after all, I have seen too many incidents and investigations go south, even when performed by a "trained security professional".

    I do, however, have the same question as you..."trained" by whom? Who makes the determination as to who is and isn't a "professional"? I've raised this question a number of times, in particular recently, and it seems to be just too big a question to tackle.

    Looking at the Twitter exchange, I have to say that the issue escalated quickly with the original author's response to your question. I saw no malice nor ill intent in your question, and cannot possibly fathom a reason why someone would respond the way they did. However, I will say that this is simply an artifact of being on the Internet and expressing your opinion. No matter how hard you try, *someone* is going to be offended. It simply doesn't matter, and it's a fact you have to accept. Someone, somewhere is going to take what comments you make as malicious and as an attack, no matter how hard you try to make it not so.

    The response to your question immediately goes to an extreme absolute. Yes, I have seen this a great deal..."..oh, so you're saying that someone should ALWAYS..." do this or that?

    Again, I do agree with the original author's sentiment. I was once contacted by an attorney whose case hung on a time stamp associated with a single browser cookie, something the part-time IT person in her office had said was clear and irrefutable proof of someone sitting at the keyboard. However, the IT person knew little of browser artifacts and nothing of Registry artifacts.

    To your point, the question becomes, what is the certifying board for DFIR "professionals"? What constitutes a "professional" in this...excuse me for being circular...profession? I started down this road over 20 yrs ago, and while I currently hold no certifications, I have contributed materials to the community that are used in training and certification processes. However, based on my resume, it would be highly unlikely that I would be deemed a "professional" by many standards.

    So...don't worry about it. People are going to react badly to things you share on the Internet, it's simply a fact of life. If it helps, I (for one) immediately saw that the OP reacted badly, due to no provocation on your part.

    1. Thanks a lot for the feedback, Harlan.
      At no point have I stated that I disagree with the whole article. I agree with some points, and I disagree with others.
      For example, can a system administrator intervene to capture some evidence and prevent it from being lost? In my opinion, if that person has the knowledge to do that and knows how to proceed following good practices, he should proceed, for example, to capture the memory. Waiting for the assistance of a professional is not an option (bearing in mind that not all companies have an incident response team), IMHO. We all know that time is a critical factor in an incident.
      And it's also true that no one is exempt from making mistakes, whether a professional or not, although in all likelihood a professional will make fewer.
      I have never said that anyone in an IT department should always act. If I'm not able to do something, or I don't see it clearly enough, I don't do it and I go to the right person. In the same way, and following the case you give as an example, if I don't understand artefacts, I will never say that it is 'irrefutable proof', because I will be throwing myself into the mud and that fact will have consequences.
      "Based on my resume, it would be highly unlikely that I would be deemed a "professional" by many standards." Honestly, I think it would be ridiculous for someone to make that statement about you, when you have done so much in DFIR. And so it is with other people, with less visibility.
      It is true that I highlighted the point that has impacted me the most, which is related to professionals.
      At no time have I wanted to go back into the debate of 'Who can be a professional?' Or 'What does it take to be a professional?' I explained my ideas beforehand, as you well know, I think in a quite clear way, and I have received hardly any answer... So I've settled that.
      In fact, this article is not intended to address that issue either. I know that in this virtual world there will always be someone who is 'offended' by something. But I think you always have to mind your manners. Such behaviour gives a lamentable image of any person. Even more so when a professional is asked to answer a question.
      Why did the author have this reaction with me? I don't know and I would love to know. Would he have the same reaction if the question was asked by someone else, like a professional of recognized prestige? Honestly, I don't think he would have acted in the same way.
      I am eager to receive feedback, positive or negative. I listen and think about what others tell me.
      With this type of attitude, why give an opinion? To expose yourself to insult or disrespect?
      I think that if someone is not able to listen to the opinions of others they should not be exposed to the public. (I always speak from my point of view).
      Thank you again for your comments.

  2. Wow, this is entirely unprofessional and unproductive. Shall I then comb through articles you've written and find points I disagree with and post them to a blog for others to comment on? I am sorry I offended you but perhaps it is the language difference? What on Earth could have made me as an author so defensive? Let's see, you wrote "I disagree with several points of the article... But, perhaps, what has most caught my attention: "...No attempted computer forensics should be performed except by qualified and trained professionals..." By whom do we have to be qualified and trained?

    That is one way to rub an author the wrong way right off the bat, "I disagree with several points of the article..." Well no one asked you! You're entitled to your own opinion, to which I am not required to respond. It is an opinion piece based on my experiences throughout my long career in IT/InfoSec/DFIR (24+ years and counting). That's not to say that I can't be wrong on things from time to time, but I don't feel that I was wrong on this piece. In fact, numerous people have complimented me on it.

    1. Hi, Barwisian. Thanks for commenting.

      Is this unprofessional? Maybe you're right. Maybe it's unprofessional. (As unprofessional as some of your answers). But it turns out that I'm not a professional. I'm just a curious person, an apprentice and a rookie, eager to learn a little every day...

      Is this unproductive? Maybe you're right too. I have much better things to do than to write a reply article to someone who disrespects a person. But I think it's the only option you've given me because you blocked me for asking you a simple question. And I'm telling you the truth, I wanted to write an article explaining my point of view on those points in which I disagree with your article.

      Do you want to review all my articles to express in another article the points with which you disagree? Go ahead. Do it. It's not going to be the first time, nor the last, that someone corrects me in public, that I correct something in public, or that I correct something and say so openly. And I know that I have many errors in my articles. In fact, I invite you to do it. I'm eager to learn from everyone.

      You say that you feel that you have offended me and that perhaps it is the difference in language. That's what I told you before you blocked me. I told you that my English is bad and that sometimes I get lost in context. But you seem to have ignored that comment.

      Did you take my comment as an attack? I'm really sorry, because I said I didn't mean to. I think you are the only person who has seen my question, (because it was a question), as an attack.

      "...So defensive?..." Maybe you misinterpreted my comments. Maybe you were already defensive because of some other situation. The only thing I told you was that I didn't agree with some points (some doesn't mean all of them) that you stated, I specified the point that most impacted me and I asked you a question. All this because that point seems to me to be a very important issue. I repeat the question: Who can be a DFIR professional? What do you need to be a DFIR professional? By whom should a DFIR professional be trained?

      That's why I wrote another article, to which I linked and which I think you haven't read.

      You are right about something else. Nobody asked me. All right. But it turns out that you have published an article, (published=public), so anyone can react to it. But yes, always with respect. Respect that you haven't had with me.
      "...That is one way to rub an author the wrong way right off the bat..." Do you really think my comments were malicious? I think at least one other person asked you the same question.

      Now I ask you: Why have you had that reaction with me? Why have you blocked me? Why aren't you blocking all those who are asking you a series of questions because they disagree with some of your points? I think my comments are just as polite. Maybe it's my nonsense, but maybe it has something to do with the fact that I'm not a great experienced professional like you.
      Nobody asked me! Absolutely true. I just wanted to do a little feedback, (very necessary), because there are things I don't understand and I want to understand them. But, of course, you don't have to answer.

      I'm glad you've been in the DFIR industry for more than 24 years. I wish I could get my foot in the door. But at no time have I told you that you are wrong, (I think). I'm also glad that there are people who congratulate you on your work. That's very good and it gives morale and confidence. But that doesn't mean that everyone congratulates you on it, because there may be people like me who need some clarification.

      Do you really think that I have disrespected you, attacking your work? The difference between you and me, (setting aside that you are a professional with a lot of experience and I am not), is that I have not disrespected you, but you have disrespected me, yes, since the first reply. Although of course...

      I'm just an idiot guy.