
DFIR Research Group

(@douglasbrush)
Topic starter
 

So an interesting discussion came about on Twitter today about doing a DFIR research group. The idea came about from a discussion about the need for larger collaboration and peer review of findings. Many of us feel like we are islands. We get through our work, research and publish when we can, share when we have a moment and hope that some of it comes out. Findings can be sporadic and do not always get enough peer review, and a large portion of what we come across never sees the light of day because of work, school, family, etc.

There are all the orgs, conferences, papers, books we all know and love, but what about something that is more focused with set goals, participants, funding and publication? There would be a goal, say Windows 8. In 24 months there will be a final research paper on the entire OS as well as quarterly updates. Teams would be organized into sections of skill/interest such as registry, file system, browser, etc., and there would certainly be lots of cross-pollination. Teams set a purpose, have goals, use the scientific method and really dig in to bring out findings.

Funding. Government, grants, corporate sponsorship? There are pluses and minuses to each. Are researchers paid?

Where to collaborate. Use existing groups or sites? Start new?

These are just some ideas and I hope those involved with the conversation can populate with more of the thoughts brought about.

Can something like this work? If so, how?

 
Posted : 30/09/2011 8:33 pm
LittleMac
(@littlemac)
 

I think something like this can be very valuable to the community as a whole. The difficulty comes in - as you've already touched on - how the work of research is going to get done. There are numerous collaborations that already exist, and it seems community progress with these is slow. Why? Because everyone has a day job to pay the bills.

However, if you get funding, by definition your research is focused on results for the organization (whether public or private) that is providing the funds. It is no longer strictly community-driven. It's the same issue that CDFS is attempting to address with certifications. So I guess the question becomes what are the minimum costs required to run such a venture, and could it be accomplished through individual donation/buy-in by those who want to perform research? Could organizations like CDFS, ISCFE, etc - who are dedicated to the furtherance of DF - support it, just the way orgs can support CDFS?

What about the group forming a non-profit org for research, or is it possible to come under the umbrella, a subdivision as it were, of something like CDFS?

Frank McClain
GCFA, GCIH, CHFI
@littlemac042

 
Posted : 30/09/2011 8:46 pm
(@patories)
 

Since I am one of the initial ones that floated this idea, I believe that there are possibilities, but there are also drawbacks.

The perfect solution would be sponsors donating large amounts of cash and we just research for the betterment of the digital forensics field, no questions asked, as long as we delivered results. In reality we will be constrained by the organizations, government, companies that sponsor us to deliver the results that they are wanting, which then runs the risk of the organization missing the next challenge.

We currently see that the DoD Cyber Crime Center and Trust might offer this option as a solution. Though the question I have regarding them is what have they given back to the community? What publications have we seen?

In order to do this to the caliber that I would like to see, the researchers would need to be reimbursed for their time. As a full-time employee, full-time grad student, and father of 2, my time is at a premium, and not something I will give for free. Right now I am tying the research methodologies that I want to cover into my course work so I can be motivated to accomplish everything. Knowing I would not get paid for the research would drop its priority down. This also raises another issue on the caliber of research personnel that I would love to see embrace this: unless the funding was able to offset their current pay, most would not be able or willing to take a pay cut to just research.

There were ideas floated that there could be two different aspects of the organization: the first one that does independent research, the other that offers forensic services for external organizations, software testing for new forensics applications, and other services to support the research aspect.

If we were able to do that, then we may have a chance to keep our research primarily unbiased and opened to the community.

 
Posted : 30/09/2011 9:10 pm
(@digital4rensics)
 

I definitely think this topic has the potential to turn into something great for the DFIR field. Of course, like anything, there are complications that must be addressed and details that have to be worked out. The Twitter discussion raised many of these, and these forums could serve a great purpose in exploring solutions.

From my point of view, the split business model is something that should be explored/discussed. Forming as a non-profit with two major business areas could provide a solution. In the first business area, you have fee-based forensic services that could be offered. The revenue from these services is used to support the second business area, which focuses on research to further the DFIR world. The main point here is that you would only conduct as much fee-based work as necessary to support the organization. Additionally, as a non-profit, you can still accept donations from industry groups or other sources. Also, I believe you could still maintain an unbiased view even with corporate sponsorships, so long as there is agreed-upon verbiage with such a clause. It would be up to the org to make sure this is enforced.

This dual model also helps the DFIR practitioners. We all know that life situations change, and if someone had to leave the organization, it would be more beneficial if the investigator could still show real-world application of the research (i.e., the fee-based services). In most orgs, if two candidates are up for a job and one has 5 years of previous actionable work and one has 5 years of research work, they aren't considered the same.

Additionally, the ideal situation is that as the org grows, more support comes from outside bodies, which raises more money, and the requirement for fee-based services becomes optional. In this case, investigators that still wanted "real-world" experience could begin doing pro-bono work for other non-profits, small entities, etc. Thoughts?

-Keith
@Digital4rensics

 
Posted : 30/09/2011 9:55 pm
(@patrick4n6)
 

Based upon recent experience, I think you're very unlikely to get support on this, and when you ask and are turned down, the answer will be about value in the current economy. I certainly wish you luck though since I saw the value in it.

 
Posted : 30/09/2011 11:25 pm
LittleMac
(@littlemac)
 

@Patories - in regards to the MS/PhD research requirements, while that is beneficial, I don't think it will reach the level to have a broad reach. There simply aren't, and probably won't be, enough people who have the time & resources to go after those levels of education. Back to the core reason there's a lack of public research in the first place - we all have to put bacon on the table.

I also think, based on past experience with the "ivory tower" syndrome, that the results of focusing research at a collegiate level are not necessarily a positive thing. While I don't think it's entirely true across the board, there is still a broad range of isolationism and intellectual superiority that pervades academia, and that doesn't match up well with open collaboration and public revelation/sharing of research.

From what I see in the industry, others recognize (as Tony states) that there is value, but the call to arms has not garnered much response. There are numerous sites that are geared toward this purpose - forensicswiki, opensourceforensics, winforensicanalysis, etc, and participation tends to be from a few individuals. Back to the day jobs thing, I think. I realize this speaks to the point about needing funding, but in order to get funding, there must be a payoff, and if there is a payoff for the financial supporter, then the research becomes suspect because *someone* is paying for results. Thus, can those results be trusted?

What is the answer? I don't know. It would take a lot of dedicated folks who are willing to give of their time and efforts w/o compensation, and high-level endorsement from folks w/lots of connections in the industry. Kind of like getting into DFIR in the first place - you have to prove your worth; once you do, then you can get a job (ie, orgs might be willing to provide some backing w/o a requirement of results, or "guiding" the research).

Frank McClain
GCFA, GCIH, CHFI
@littlemac042

 
Posted : 01/10/2011 12:24 am
(@mike-wilkinson)
 

This sounds like a great idea, but faces a few challenges.

If you are going to start competing for government grants you will need proven researchers on your team to be successful; you will also want to employ professional grant writers and ideally develop some contacts in government to push your agenda. This does not come cheaply.

If you are generating income by doing forensic work, will there be enough margin to support full-time researchers? Do you think you will be able to justify giving away all the IP that you generate?

Have you had a look at the Digital Forensics Research Workshop www.dfrws.org? Come along to the next conference and I think you will find that it is far from isolationist.

With regards to the academics in their ivory towers, the forensicswiki was started by Dr Simson Garfinkel of the Naval Postgraduate School.

One thing I have observed about this sort of project is that it needs a highly energetic individual to motivate and drive the team. The commitment required by this individual is significant and will really require them to give up most of their life to get this off the ground. Would you be prepared to do that for little or no return when the same effort could be spent setting up your own forensic business making lots of money?

Another option would be to get into academia and help educate the future leaders in the field. Having a teacher who has real world experience can help to ensure that what is being taught is relevant and correct. This would also give you the opportunity to direct student research efforts into areas of importance.

 
Posted : 12/10/2011 2:08 am
jhup
(@jhup)
 

A loss leader.

I am interested.

 
Posted : 12/10/2011 4:00 am
LittleMac
(@littlemac)
 

Excellent point about DFRWS, Mike. I know I had not thought of them, although I certainly should have.

 
Posted : 12/10/2011 7:06 am