Sharing is at the heart of any community, and no less so in digital forensics and incident response. Sharing helps to avoid reinventing the wheel — or unnecessarily overcomplicating it. That’s especially true as the complexity of digital evidence advances across platforms and artifacts.
Yet, sharing can be challenging owing to some unique risks. Not only can a mistake risk someone’s liberty — or safety, if it means a violent offender walks free — but mistakes highlighted publicly can damage a practitioner’s credibility, in a court of law or of public opinion.
In addition, Oliver Darroch, a content moderator at the Digital Forensics Discord Server, observed: “Ask 100 people how they approach problem X and you’ll get 100 different answers. Not every situation requires the wheel to be reinvented from scratch. Forensic tools help guide people down a certain path, but everything surrounding that is still open to variation. [This] is not a bad thing, but it can be overwhelming for people who are just getting started.”
At the same time, sharing is part of a broader push to “give back” in the DFIR community. A number of resources have sprung up in the years since Forensic Focus’ founding — everything from other communities to repositories for tools, artifacts, and other resources.
Brett Shavers, the digital forensics expert who runs DFIR.training, noted: “The only risk in sharing is using real data from a real case. Being wrong is not a concern, because if anything, if you think you are right but are wrong, the sooner someone lets you know that you are wrong, the better off you will be.”
Sharing for peer review
Peer review is central to strong scientific methodology, including digital forensics. Traditionally, it’s done through articles published in journals like Forensic Science International and presentations delivered at conferences.
More recently, to accelerate the review process for such a rapidly changing field, practitioners used blogs and open source communities like GitHub to open up their methods and processes for review, validation, and critique.
“I think it’s all a learning process,” Graeme Horsman, a digital forensics researcher and lecturer at Teesside University, in a 2019 Forensic Focus podcast, “and I think by engaging with it, whether it be again by a blog, or a journal, or at a conference level, it’s a chance to say ‘This is what I’ve done. What do you think of it? Can I do anything better?’ And learn from that process, and keep that iterative process going… adding to the existing body we have of information that can support our investigations as we go through them.”
At the same time, however, sharing is difficult. “It’s time-consuming,” Horsman added. “[W]here do you share it? What do you share it with? What platforms do you use? We don’t really have a massive infrastructure for that.”
The result: a kind of inadvertent “hoarding” of information. Horsman cited near-constant casework as a limit on the time it can take to sanitize, package, and share research results effectively. “And that’s not because you don’t want to share it, it’s just because knowledge-sharing isn’t really facilitated,” he observed in the podcast.
Financial interest, whether direct or in the name of competitive advantage, can also factor in. On the other hand, Shavers cautions against withholding research. “I fully believe that any ‘secret sauce’ DFIR research will eventually be (re)discovered by someone and then that person will share the information anyway as if they were first to discover it,” he explained.
Where to share? Practitioners have virtually their pick of where to share various forms of research and information, Horsman said. Repositories for research, tools, and artifacts — and communities to discuss them — are the most common.
The sheer flow of new information led to the creation of DFIR.Training in 2016. Adopted the following year by Shavers, the website aggregates information about tools, training, artifacts, business listings, books, and other resources. Shavers supports the site through vendor sponsorships and individual subscriptions.
Shavers observed that resources such as E-Evidence.info have come and gone over the years, while others, like Forensics Wiki, are inconsistently updated. “Now there are more resources and blogs and repositories and lists than anyone can keep up with,” he added. These include vendor training and research, such as EnCase App Central and the Magnet Artifact Exchange.
“The challenge is that no one person can keep up with what is happening in the field,” he said. “That is the challenge in resources, which is the purpose of me working to make DFIR.Training a central location that organizes everything. I don’t want or intend DFIR.Training to be an original source of all-things-dfir, but more of the ‘Google of DFIR,’ and more organized than a Google search.”
For a similar reason, Devon Ackerman migrated AboutDFIR.com from its original Google Sheets format, where he tracked tools and scripts, to a full website. “[I]t’s a collection of information in a central location arranged in a manner to make discovery of new solutions or strategies quick and painless,” he said in a Forensic Focus interview from 2017.
Now maintained by a team of practitioners — Mary Fernandez, Tony Knutson, Andrew Rathbun, and Nathan Turner — AboutDFIR.com boasts an extensive compilation of tools and artifacts, education, community, research reading, jobs, and other resources. Users can submit resources and research ideas for inclusion, new certifications, training, conferences, and so on.
Scholarly journals — including Forensic Science International: Digital Investigation; the Journal of Digital Forensics, Security and Law; and the International Journal of Digital Crime and Forensics, among others — still exist and are thriving. But publication takes time, and both technology and the methods used to examine it evolve far more rapidly.
Enter DFIR Review, a project of the Digital Forensics Research Workshop (DFRWS). DFIR Review offers a way for ad hoc research to be peer reviewed “such that the findings can be cited and stored in a referenceable format.” By targeting studies of “specific devices, digital traces, analysis methods, and criminal activity,” DFIR Review offers a system of record for research work.
Finally, ThisWeekin4n6 compiles resources on a weekly basis. Blogs, videos, webinars, and other resources from vendors, individual practitioners, and media are rounded out with a monthly podcast, highlighting the biggest news. Founder Phill Moore supports the site through a Patreon subscription.
Artifact and tool repositories
GitHub is perhaps the best known repository for digital forensics tools, in part because it isn’t limited to digital forensics tools. A development platform purchased in 2018 by Microsoft, GitHub enables tool developers to host and review code, manage projects, and even build software. Well-known digital forensics tool developers who rely on GitHub include Eric Zimmerman, Sarah Edwards, David Cowen, Alexis Brignoni, and Ryan Benson, among countless others.
Other repositories are designed specifically for digital forensics:
The Artifact Genome Project (AGP), an online system for uploading and viewing digital forensic artifacts, began in 2014 with 19 “cyber observables from MITRE’s CybOX,” according to AGP’s website. The project, begun under the University of New Haven and Purdue University’s VACCINE, enables users to upload artifacts via form submissions, and to search artifacts using keywords.
DigitalCorpora.org aggregates sets of free corpora including disk images, memory and cell phone dumps, and network packet captures for use in computer forensics education research — all without need for prior authorization or IRB approval. Real data is also available for use “under special arrangement,” and scenarios with solutions “are available for faculty members of accredited governmental and non-profit educational institutions.”
The Computer Forensic Reference Data Set (CFReDS), a National Institute of Standards & Technology (NIST) project, aggregates 160 dataset sources including Digital Corpora, the NIST Computer Forensic Tool Testing (CFTT) project, the University of New Haven Cyber Forensics Research & Education Lab (UNHcFREG) cyber forensics datasets, and others. (Note: as we wrote about earlier this year, a new portal is in beta and seeks feedback.)
Our own Forensic Focus forum has been a community focal point since before the advent of social media. In the 20 years since our inception, though, DFIR communities on Twitter, LinkedIn, Reddit, and even Instagram have all sprung up.
Not everyone feels comfortable sharing in public, however. Even anonymous handles can be traced, and practitioners have expressed concerns that opposing counsel could use their assertions — however well-intentioned or made in the spirit of learning — to assail their credibility or knowledge in court.
No online community is “safe,” of course, but closed networks like the Digital Forensics Discord Server offer an additional level of comfort. Spawned in March 2018 from an IRC channel (#mobileforensics) after its 10 members realized they needed more multimedia features that IRC didn’t offer, the DFIR Discord Server has evolved to fit its growing community’s needs.
Numerous channels, said founder Andrew Rathbun, cover 90 percent of the DFIR world including various aspects of mobile forensics; forensics on the cloud, multimedia vehicles, drones, and internet of things (IoT) devices; and even disciplines like open source intelligence (OSINT) collection and cryptocurrency investigation.
Co-moderator Darroch (OllieD) appreciates the platform’s channels for two reasons. First, he said, real-time, informal conversations can take place between members of law enforcement, the private sector, tool vendors and academia from around the globe.
Second: “The variety of channels means that there’s something for everyone…. If you have a question that clearly fits into one of the channels, you can get a better response as certain users engage with certain channels more, but having every channel open to everyone allows people to broaden their horizons.”
Co-moderator Jobbins, who asked to be identified only by their moniker, added that this channel mix can be crucial in a complex investigation. “Every investigation can be different and require different resources,” they said, observing that a single case could take an investigator through mobile extraction and decoding to OSINT and cryptocurrency. Even if no other user encountered the same issue, they added, “You can post a new question and most likely get an answer from someone no matter what time it is as we are a global channel now.”
Co-moderator Julien Bot (Mistercatapulte) points out that that can be critical when it comes to a new skill. “The mix of genres in our fields is essential, even if we are not 100% on all the topics it can happen that we have to carry out a research in OSINT and we are sure to find an attentive listening and people at the forefront, that’s where the strength of the server lies,” he said.
Another strength, according to co-moderator Steve Holmes (sholmes): “The fairly instant access to vendors, as well as the fact the vendors monitor the groups to be able to access and assist their clients has been amazing. This was done on the Google Groups, but it was a much slower turn around for responses.”
Filling the gaps
No resource exists at the expense of another; each has its own niche. “There will always be gaps in general,” said Rathbun, “but platforms like the Digital Forensics Discord Server will fill in more gaps for some people than others.
“I think everyone has their own way to fill in the gaps as best as they can. Some people don’t take to Discord/Slack/etc so much and prefer email listservs or forums/Google Groups over a real-time chat environment. Others are the exact opposite and there are plenty of people in between both of those extremes.
“I think the fact these resources exist for those who relate to what it provides is the key takeaway. Each resource is embraced by those who it resonates with based on its model of delivering content and answers to everyday problems.”
Shavers believes it’s wise to support the best existing resources, unless a true gap is determined. “With the number of new bloggers creating their own lists of resources, the duplicative effort is incredible, but respectful because of interest and need in the field,” he said.
That makes for a difficult-to-follow plethora. “There are hundreds of new links created each week just in digital forensics, hundreds more in incident response, and double that in links related to ‘cyber security’,” he said.
That can appear daunting. “I think the hardest part is just having enough time to keep it current with all the new content constantly being generated on a daily/weekly basis,” says Rathbun.
For newbies, he recommends perusing the categories at both AboutDFIR and DFIR.Training, as well as signing up for the SANS recorded webinar, “Securing Your Future in DFIR.” In addition, finding a mentor might make sense.
“There’s so many bottomless rabbit holes in this field,” he explained. “To recognize that without any direction or mentorship can be overwhelming and lead to the onset of severe imposter syndrome before you even know what is what in this field. Having someone to help you navigate through the noise and give you direction is invaluable nowadays.”