The world of Digital Forensics and Incident Response (DFIR) is so expansive that it’s impossible for one person to know it all, let alone a fraction of it. To combat this, one must first be aware of and second utilize the resource that’s best catered to the issue at hand. There are multiple resources out there that digital forensic examiners and incident responders should be aware of. Not all resources are created equal nor are any of them perfect. In this blog post, I will explore the various categories of resources where information can be shared and obtained as well as analyze the pros and cons of each platform.
The ultimate goal of this blog post is to help identify resources in this field that will resonate with your personal workflow and help you learn and grow as a professional. It is important for each of us to build our own support/mentorship network that can help guide our career and skills in an upward trajectory.
Everyone knows the role social media plays in the context of our personal lives and society. However, social media can be a powerful tool in our professional lives as well. Social media is where some of the biggest names in the industry share their research, daily thoughts, and news relating to DFIR. It can pay dividends to be aware of the latest happenings in the field in order to help solve problems encountered in your cases/engagements.
Most notably, Twitter has become the unofficial online residence for many DFIR examiners, especially those that are widely known in the community. If you don’t have a Twitter account and you work in this field, you are definitely missing out on relevant discussions and the latest news developments. I would strongly suggest creating an account and following the #DFIR hashtag, at the very least. Additionally, Twitter allows you to build lists that can serve as a topic-based news feed within Twitter.
LinkedIn is relatively new to me in that I only started using it seriously within the past year and a half or so. I personally love that I’m able to professionally showcase my work history, accomplishments, projects, etc. while networking with other like-minded people and viewing their accomplishments. LinkedIn, from a #DFIR perspective, isn’t as active as Twitter, but some people prefer to express their thoughts in more than 280 characters.
Links to DFIR-related LinkedIn groups can be found on the AboutDFIR Social Media page.
For DFIR, YouTube is getting better every day thanks to channels like 13Cubed, Forensic Lunch, and SANS. For SANS, there are two main channels to be aware of: The SANS Institute and SANS DFIR. SANS DFIR will contain mostly recorded presentations from previous DFIR Summits whereas The SANS Institute will contain recorded talks, Mic Talks, and plenty of other generalized DFIR-related videos. SANS DFIR also recently added the 3MinMax Series with Kevin Ripa, which is a great educational series of videos.
The Forensic Lunch is a longstanding institution in the DFIR industry created by David Cowen. Subscribe to notifications for when a new Forensic Lunch is being streamed live and participate in the online chat with other well-known forensic examiners!
13Cubed creates amazing DFIR-related videos every month and has a Patreon, as well. 13Cubed was invaluable to me when studying for the GCFE after taking SANS FOR500. I highly recommend perusing his channel if you’ve taken SANS FOR500 or FOR508 for a refresher on many of the concepts touched upon in those courses.
|Social Media Pros||Social Media Cons|
|You likely already have an account(s) on a social media network||Privacy concerns (varies by social media outlet)|
|High adoption rate by industry’s biggest names (Twitter, LinkedIn)||Discussions are easily buried in replies/comments and hard to retrieve via search|
|Covers lots of niche topics (Reddit)||Depending on how you construct your profile, relevant DFIR discussion can be outnumbered by irrelevant posts|
I have always been a huge fan of forums. I’ve been using them for nearly 20+ years to communicate with people online who have shared interests. Forums haven’t changed much during that time except perhaps looking prettier with UI improvements. They’re still easy to use with tried and true, easy to follow topics separated into threads. Forums also boast unmatched threading capabilities, are searchable, and typically serve the niche communities better than other mediums.
Forensic Focus has the largest registered userbase (~37.000) of all of the DFIR-related forums. Forensic Focus boasts many subforums to cover various subdisciplines within DFIR. Forensic Focus is always active and is worth perusing for solutions to your digital forensics-related problems.
Metaspike also has a DFIR-related community forum; however, it’s not as active as Forensic Focus, but it may still contain solutions to problems plaguing your investigation.
Reddit is one of my favorite social media platforms to partake in my personal interests with others all over the world. Reddit is technically both a Social Media platform and a Forum, which is one of my favorite aspects of it. However, I think it leans more on the Forum side than Social Media hence why it’s included in this section. Reddit’s subforums are called “subreddits”. Reddit also has quite a few active DFIR-related subreddits that I would highly recommend following: r/computerforensics, r/cybersecurity, r/digitalforensics, r/malware, and r/security.
More subreddits worth checking out can be located on the AboutDFIR Social Media page.
There is a myriad of niche Google Groups that are active and serve as phenomenal resources. They are basically forums but on Google’s platform. Most of these groups cater to mobile forensics or data recovery so there’s not much out there for computer forensics-related discussion, to my knowledge. Regardless, they’re worth checking out if you’re practicing mobile forensics.
All DFIR-related Google Groups can be found on the AboutDFIR Social Media page.
|Forums Pros||Forums Cons|
|Ideal threading for end-user to track conversations||Not real-time|
|Trusted, tried and true due to forums being utilized since the early days of mass consumer internet adoption||Typically not optimized for mobile|
|Covers niche topics|
There aren’t as many options for DFIR-related chat clients as there are for some of the other categories. The big fish in this category is the Digital Forensics Discord Server, for which I’m the Administrator. There used to be some IRC channels but they weren’t as active as the Discord server has become. Fun fact, the Digital Forensics Discord Server was actually spawned from an IRC Channel (#mobileforensics). I’ve also seen attempts at channels on Telegram or Slack but they’ve not taken off. There are other InfoSec-related Discord servers out there that vary in quality, posting content, posting style, and overall server culture. I can only vouch for the quality and culture of the Digital Forensics Discord Server, so for any of the others, I would strongly recommend sitting on the sidelines for a bit to see if the server’s culture is to your liking.
All links to the aforementioned chat servers can be found on the AboutDFIR Social Media page. If you’re looking for help on joining the Digital Forensics Discord Server, check out the beginner’s guide I created here!
|Chat Client Pros||Chat Client Cons|
|Real-time||Subpar threading (at least with Discord)|
|Great for quick responses||Default notification settings can be annoying|
|Searchable (at least with Discord)|
|Mobile/Desktop/Web browser app provides nearly identical user experience (at least with Discord)|
|Free (at least with Discord)|
Everyone nowadays has an email address (or five). This helps because email ListServs can arguably reach the largest number of people due to this barrier to entry being effectively nonexistent. There is also nearly zero learning curve to engaging in ListServs outside of ensuring you use the Reply All feature to be seen by everyone on the list, or making sure you’re replying to the person off list by validating who is listed in the To: field in your email before you hit send.
One of the most popular and active ListServs is provided by IACIS. They offer highly-regarded training as well as access to a world-class email ListServ. Despite not being free, the IACIS ListServ is worth considering subscribing to. If you’re looking for a free alternative to IACIS, I would strongly recommend the SANS DFIR ListServ.
Links to IACIS and other associations can be found on the AboutDFIR Associations page.
|Email ListServs Pros||Email ListServs Cons|
|Everyone already has an email address||Content prior to joining ListServ isn’t searchable which often leads to questions being repeated over time|
|Typically casts the largest net of subject matter experts||Often not free|
|Because anyone can join, anyone can answer questions that are asked. This leads to a variance in the quality of responses|
I created this category because I feel these are things an examiner can do the work for once upfront, and then reap the benefits from there on out.
Everyone should already be subscribed to This Week in 4n6 for their weekly update on all things DFIR. You can show up to work every Monday morning with your cup of coffee and read a curated list of everything that’s been going on in the field. No work on your end outside of signing up for it in the first place. There is a reason why This Week in 4n6 is one of the 5 feeds pushed to the Digital Forensics Discord Server. And of course, if you appreciate all the work done on the backend by Phill Moore and Lodrina Cherne, then consider throwing them some financial appreciation for their time and efforts on Patreon!
RSS exists for a reason (to make life easier) and I’m a strong believer in letting the news come to you. That’s why I created the AboutDFIR RSS Starter Pack for anyone looking to simplify the way they digest information and news in this field. Feedly follows you on your mobile device or your computer thanks to the account you create. It’s easy to set up and easier to use once it’s all set up.
Podcasts are a great way to make your commute or household chores or mowing the lawn more useful and informative. Anything you can do where you don’t need to be responsive to someone or something else, consider throwing your earbuds in and listening to a podcast. Low effort, high reward!
Check out AboutDFIR’s Podcasts page for all DFIR-related podcasts.
|Passive Resources Pros||Passive Resources Cons|
|High return on investment of time||None|
|Often delivered by email or app|
Outside of industry blogs such as the ones listed on AboutDFIR’s Blogs page and the Men and Women of #DFIR blogs, there are two main websites that aggregate all the fragmented information floating about on the internet: AboutDFIR and DFIR.Training. Obviously, you’re aware of AboutDFIR since this blog post is hosted on it. DFIR.Training is run by Brett Shavers and serves as another DFIR resource repository.
I’m not going to list pros/cons for this category. For websites as a resource format, there’s really not a lot of negatives to be had. It’s just a matter of finding the website that’s best for you. We certainly hope AboutDFIR is of great use to you and your team. If it’s not, we hope that you will let us know what we can do to make it better!
This field is very deep and wide with various disciplines, subdisciplines, and beyond. The rabbit holes are deep and they are aplenty. It’s impossible to keep up on it all. But the above was intended to show you what is out there so you can best understand which route to take to find the solution for any problem you come across. There are only 24 hours in a day and we all have real-life obligations and basic human needs, so we can’t reasonably be expected to be plugged in 24/7. No one expects you to know everything, but do yourself a favor and improve yourself every day with the least effort and highest payoff. Hopefully, you’ve found one of the resources highlighted above fitting for your daily arsenal. Remember, you’re not in this alone. Establish your network and make use of the publicly available resources. Best of luck and you got this!
If you have any suggestions for how to improve this blog post, please let me know! If anyone needs some guidance or direction in their career, please feel free to reach out and I’ll make sure you’re provided with what you need from either myself or someone else more suited for the task.
Lastly, thank you to everyone who helped review this blog post before it went live. Your feedback was invaluable and helped make this blog post a better resource that’ll serve the community for a long time. I hope to modify this blog post as time goes on to keep it relevant rather than stuck in time.