Blogging

I caught an interesting thread on Twitter last week..."interesting" in the sense that it revisited one of the questions I see (or hear) quite a bit in DFIR circles; that is, how does one get started in the DFIR community?  The salient points of this thread covered blogging (writing, in general) and interacting within the community.  Blogging is a great way for anyone, regardless of how long you've been "doing" DFIR, to engage and interact with the community at large.

Writing
Writing isn't easy.  I get it.  I'm as much a nerd as anyone reading this blog, and I feel the same way most of you do about writing.  However, given my storied background, I have quite a bit of experience writing.  Even though I was an engineering major in college, I had to take writing classes.  One of my English professors asked if I was an English major, saying that I wrote like one...while handing back an assignment with a C (or D) on it.  I had to write in the military...fitreps, jagmans, etc.  I had jobs in the military that required other kinds of writing, for different audiences.

Suffice to say, I have some experience.  But that doesn't make me an expert, or even good at it.  What I've found is that the needs of the assignment, audience, etc., vary and change.

So how do you get better at writing?  Well, the first step is to read.  Seriously.  I read a lot, and a lot of different things.  I read the Bible, I read science fiction, and I read a lot of first person accounts from folks in special ops (great reading while traveling).  Some of the stuff I've read recently has included:

The Finishing School (Dick Couch) - I've read almost all of the books Mr. Couch has published

Computer Forensics: InfoSec Pro Guide (David Cowen)

Do Androids Dream of Electric Sheep (Philip K. Dick)

I've also read Lone Survivor, American Sniper, and almost every book written by William Gibson.

Another way to get better at writing is to write.  Yep, you read that right.  Write.  Practice writing.  A great way to do that is to open MSWord or Notepad, write something and hand it to someone.  If they say, "....looks good..." and hand it back, give it to someone else.  Get critiqued.  Have someone you trust read what you write.  If you're writing about something you did, have the person reading it follow what you wrote and see if they can arrive at the same end point.  A couple of years ago, I was working with some folks who were trying to write a visual timeline analysis tool, and to get started, the first thing the developer did was sit down with my book and walk through the chapter on timelines.  He downloaded the image and tools, and walked through the entire process.  He did this all of his own accord and initiative, and produced EXACTLY what I had developed.  That was pretty validating for my writing, that someone with no experience in the industry could sit down and just read, and the process was clear enough that he was able to produce exactly what was expected.

Try creating a blog.  Write something.  Share it.  Take comments...ignore the anonymous comments, and don't worry if someone is overly critical.  You can ignore them, too.

My point is, get critiqued.  You don't sharpen a knife by letting it sit, or rubbing it against cotton.  The way to get better as a writer, and as an analyst, is to expose yourself to review.  The cool thing about a blog is that you can organize your thoughts, and you can actually have thoughts that consist of more than 140 characters.  And you don't have to publish the first thing you write.  At any given time, I usually have half a dozen or more draft blog posts...before starting this post, I deleted two drafts, as they were no longer relevant or of interest.

Writing allows you to organize your thoughts.  When I was writing fitness reports for my Marines, I started them days (in some cases, weeks) prior to the due date.  I started by writing down everything I had regarding that Marine, and then I moved it around on paper.  What was important?  What was truly relevant?  What needed to be emphasized more, or less?  What did I need to take out completely?  I'd then let it sit for a couple of days, and then come back to it with a fresh set of eyes.  Fitreps are important, as they can determine if a Marine is promoted or able to re-enlist.  Or they can end a career.  Also, they're critiqued.  As a 22-yr-old 2ndLt, I had Majors and Colonels reviewing what I wrote, and that was just within my unit.  Getting feedback, and learning to provide constructive feedback, can go a long way toward making you a better writer.

I included a great deal of my experiences writing reports in chapter 9 of Windows Forensic Analysis Toolkit 4/e, and included an example scenario (associated with an image), case notes and report in the book materials.  So, if you're interested, download the materials and take a look.

One of the tweets from the thread:

it's a large sea of DFIR blogs and could be very intimidating to newbies in the field. What can they offer that is not there

Let's break this down a bit.  Yes, there are a lot of DFIR blogs out there, but as Corey tweeted, "The majority of the DFIR blogs in my feed are either not active or do a few posts a year."  The same is true in my feed (and I suspect others will see something similar)...there are a number of blogs I subscribe to that haven't been updated in months or even a year or more (Grayson hasn't updated his blog in over two years).  There are several blogs that I've removed, either because they're completely inactive, or about every 6 months or so, there's a "I know I haven't blogged in a while..." post, but nothing more.

There's no set formula for blog writing.  There are some blogs out there that have a couple of posts a month, and don't really say anything.  Then there are blogs like Mari's...she doesn't blog very much, but when she does, it's usually pure gold.  Corey's blog is a great example of how there's always something that you can write about.

...but I'm a n00b...
The second part of the above tweet is something I've seen many times over the years...folks new to the community say that they don't share thoughts or opinions (or anything else) because they're too new to offer anything of value.

That's an excuse.

A couple of years ago, one of the best experiences in my DFIR career was working with Don Weber.  I had finished up my time in the military as a Captain, and Don had been a Sgt.  On an engagement that we worked together, he was asking me why we were doing certain things, or why we were doing things a certain way.  Don wasn't completely new to the DFIR business, but he was new to the team, and he had a fresh perspective to offer.  Also, his questions got me to thinking...am I doing this because there's a good reason to do so, or am I doing it because that's the way I've always done it?

One of the things that the "...I'm a n00b and have nothing to offer..." leads to is a lack of validation within the community.  What do I mean by that?  Well, there's not one of us in the field who's seen everything that there is to see.  Some folks are new to the field and don't have the experience to know where to look, or to recognize what they're seeing.  Others have been in the field so long that they no longer see what's going on "in the weeds"; instead, all they have access to is an overview of the incident, and maybe a few interesting tidbits.  Consider the Poweliks malware; I haven't had an investigation involving this malware, but I know folks who have.  My exposure to it has been primarily through AV write-ups, and if someone hadn't shared it with me, I never would've known that it uses other Registry keys for persistence, including CLSID keys, as well as Windows services.  My point is that someone new to the community can read about a particular malware variant, and then after an exam, say, "...I found these four IOCs that you described, and this fifth one that wasn't in any of the write-ups I read...", and that is a HUGE contribution to the community.

Even simply sharing that you've seen the same thing can be validating.  "Yes, I saw that, as well..." lets others know that the IOC they found is being seen by others, and is valid.  When I read the Art of Memory Forensics, and read about the indicator for the use of a credential theft tool, I could have left it at that.  Instead, I created a RegRipper plugin and looked for that indicator on cases I worked, and found a great deal of validation for the indicator...and I shared that with one of the book authors.  "Yes, I'm seeing that, as well..." is validating, and "...and I'm also seeing this other indicator..." serves to move the community forward.

If you're not seeing blog posts about stuff that you are interested in, reach out and ask someone.  Sitting behind your laptop and wondering, "...why doesn't anyone post about their analysis process?" doesn't inherently lend itself to people posting about their analysis process.  Corey's post about his process, I've done it, Mari's done it...if this is something you like to see, reach out to someone and ask them, "hey, could you post your thoughts/process regarding X?"

As Grayson said, get out and network.  Engage with others in the industry.  Reading a blog is passive, and isn't interacting.  How difficult is it to read a blog post, think about it, and then contact the author with a question, or post a comment (if the author has comments enabled)?  Or link to that blog in a post of your own.

Not seeing content that you're interested in in the blogs you follow?  Start your own blog.  Reach out to the authors of the blogs you follow, and either comment on their blogs or email them directly, and share your thoughts.  Be willing to refine or elaborate on your thoughts, offering clarity.  If you are interested in how someone would perform a specific analysis task, be willing to offer up and share data.  It doesn't matter how new you are to the industry, or if you've been in the industry for 15 years...there's always something new that can be shared, whether it's data, or even just a perspective.

Blogging is a great way to organize your thoughts, provide context, and to practice writing.  Who knows, you may also end up learning something in the long run.  I know I have.