
Fragmentation of the digital forensics community

(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
Topic starter  

Link to article

http://integriography.wordpress.com/2011/03/27/fragmentation-of-the-digital-forensics-community/

I started in the digital forensics community about five years ago, and I already feel old, and I am a Johnny-come-lately. This post may come off as a “Hey, you kids, get offa my lawn!” rant. Rather than a rant, I really hope that people start talking about a way to find a small number of safe lawns for all the kids to play on.

In those five years I’ve noticed that the computer forensics community has become *less* supportive, not more supportive. This runs contrary to trends in other communities such as software engineering tools, web frameworks, and startups. I have some feelings and thoughts on why this is. I wish I had some good ideas on how to turn this trend around.

I think there are four major problems:

1) Fragmentation of the sites supporting the community.

When I showed up, there was Forensic Focus, the CCE list, and HTCIA. (And other people probably had their three or four sources that don’t overlap with mine.) Now, I’ve got Forensic Focus, CCE, HTCIA, HTCC, DFCB, wn4n6s, and a host of OS and tool specific sites. Then there is LinkedIn, with an almost one to one mapping of all the external groups, plus subgroups, plus additional new groups not represented elsewhere.

It seems that everyone wants their own lawn to play on rather than contributing to the health of an existing lawn. How often have you seen a post along the lines of “Hey, I set up a new forensics wiki! Come check it out and help it grow!” Or found yet another computer forensics LinkedIn group?

This leads to two related problems: Where do you post, and where do you go looking for information? I belong to a lot of the mailing lists and use my personal mail archive as a research tool when I have questions, but that doesn’t reach into the various web based forums. And if I want to post a question, where does it go? Some people blast every mailing list they’re on, hoping for an answer. And the more we balkanize, the more likely those questions are to go unanswered.

I still use FF and the CCE list mostly, but then there are items #2 and #3.

2) Web of trust.

I joined the CCE list with certification #832. There’s no way I’d ever meet all 832 people, but by proxy, we knew of most people on the list. It was a small, tight community. Forensic Focus was similar – it was a place where we had a pretty good sense of most of the people posting, and most of the new people took some time to get up to speed on the community.

I don’t know how many CCEs there are on the list now, but it seems that I know fewer of the people who are posting now than I did two years ago. People I used to see regularly on Forensic Focus are rarely seen, often replaced by very new people who are unfamiliar with the community. Many of these new posters seem to be looking for a solution to some university project. There are now people on the HTCC list posting anonymously.

3) Archiving, auditing, and reach of social media.

The growth in the number of forums, and the number of participants in those forums, greatly increases the number of potential employers, detractors, auditors, etc. Five years ago I felt pretty comfortable about asking stupid questions on the CCE list (a closed list) and even on Forensic Focus. Now, I’m very reluctant to ask anything that might display a lack of knowledge in an area where I am an expert.

We all know that none of us knows everything, and we’re all better for the support and feedback of our community. But when those questions can be spun, taken out of context, or turned back on us in some way, it makes us wonder if the potential downsides are worth it. Since there are almost always other people with the same question who aren’t speaking up, our failure to ask those questions means the entire community is worse off for these questions not being asked.

4) Pointing out that the Emperor might not be wearing any clothes is discouraged, actively and passively.

Some of this is due to “there but for the grace of God go I”, some due to over sensitivity to political correctness, some due to fear of legal action, and some due to fear of getting dragged into the mud. (“Never wrestle with a pig: You both get all dirty, and the pig likes it.”)

The end result is that bad information lingers in the community, bad behavior persists, and people get fed up and move on to other places to invest their time and energy. And once you lose people, getting them to come back is often very hard.

I know I’ve become far more of a content consumer than generator over the last few years, though I still go through bouts of trying to contribute. My solution was to grow a small group of people I can trust to bounce ideas off of and I’ll turn to them rather than the larger community.

I am poorer for this fragmentation, and if you aggregate the loss of many people such as myself, the community is poorer as well.


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
 

"Real knowledge is to know the extent of one's ignorance."
Confucius

I think you make some very good points but IMHO, colleagues are just as supportive but maybe word of mouth or a good old fashioned phone call can be more useful. Nobody knows everything about forensics so it is the nature of the work that there will and should always be questions out there waiting to be answered. In the UK, we are lucky enough to have F3 (actually, it's not luck but the hard work of the F3 team) whose members generally seem happy to share their research etc.

One other point to add to your list is the issue about making public criticisms or negative claims about a piece of software. As the forensic brands grow larger and more corporate in nature, it could be a matter of time before we are all afraid to say "product ABC is a pile of poo" as then we await a letter from their lawyers.


   
jfk92
(@jfk92)
Eminent Member
Joined: 15 years ago
Posts: 24
 

David,

I'm an untested rookie, not even… a professional at a career crossroads that has chosen the path of D.F. with over a decade and a half of experience in 'other' work, I.T. and engineering. I monitor this site and some others I've gotten from guys I've crossed when discussing this industry prior to taking the leap. I'm actually just finishing a prep course for the CCE and hope to sit for the exam in the next month or so… your concerns do raise a flag to me. I think that the environment you entered has probably changed quite a bit in 5 or 10 yrs. I think it will continue to evolve. I hope to find my feet on the ground in this discipline in the coming months, my career and family could depend on it in the future. I do hope that I can find a cohesive, supportive network of mentors I can look to for advice that have experience can be driven through the CCE and expanded to forums such as this. I'm on the other side of the continent in NJ. I hope you'll share successes in what you seek so that others like myself, who seem to be looking for the same thing, can share and contribute moving forward as well.


   
(@mariacohen)
New Member
Joined: 15 years ago
Posts: 1
 

I agree with everything you have stated, and wish I could say that I see a future that is more inclusive rather than exclusive, but I don't. Individuals who choose to follow a career in Digital Forensics are more aware of their on-line presence and reputation than the general public. Every day there are more cases involving on-line actions causing havoc with an individual's career and personal life, regardless of time passed or the supposed privacy of on-line sites.

Comments, questions and rookie mistakes posted on-line, may in fact follow us for years into the future; employers and/or business associates will judge us based on what we say or do on-line, making people leery of admitting they need help or helping others.

To some extent we are victims of the very technology we work in and love.


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

I blame (for-pay) universities and their desire to maximise income through treating CF as the FOTM degree, combined with lecturers who clearly have no clue because they are sending their students to the forums we use to ask (what are to experienced practitioners) questions that one could answer reading any decent book on the topic, or 3 minutes of online research.

I've been in this field for over 10 years so I guess I'm (figuratively) a grandpa telling these new kids to get off my lawn.

I still have people that I can ask tough questions of, and other more limited forums where I make greater contributions with both the expectation that the audience is both more receptive, and more appreciative. It seems like kids come on here asking us to do their homework, and get insulted if we don't do so, as if the world owes them something. Of course I likely had the same attitude as a kid to some degree.

I would just be glad that you have your own network that you can trust. I'm glad that I do.


   
digintel
(@digintel)
Trusted Member
Joined: 17 years ago
Posts: 51
 

In those five years I’ve noticed that the computer forensics community has become *less* supportive, not more supportive. This runs contrary to trends in other communities such as software engineering tools, web frameworks, and startups. I have some feelings and thoughts on why this is. I wish I had some good ideas on how to turn this trend around.

I think there are four major problems:

.

I agree, and I propose one other cause: call it the generation gap if you want.
- x years ago, digital forensics was not clearly defined, and there was a lot of pioneering going on. People who were forensic investigators were used to doing research/work to get results.
- Pioneers share and create (same thing when the internet started to take off in the 90's). After that, the next wave drops in: they find tools already prepared, and consider themselves more consumers than pioneers.
- This consumer mindset makes it impossible for them to create new solutions, while they continuously put out demands.

I only have to look at Harlan's efforts to see what that means: you put out something like RegRipper, and the masses immediately want to know when it will support X, or why it can't do Y. As soon as he asks for any amount of effort: big silence.

Only a very small portion will actually think about creating support themselves. An even smaller portion will build it, and an even smaller portion will share it. "Sharing information is multiplying knowledge", but it's a bit demotivating if it's always the same people doing the sharing.

Of course, this is not about you, dear reader 😉

- Roland


   
(@clusterone)
Eminent Member
Joined: 16 years ago
Posts: 39
 

I blame (for-pay) universities and their desire to maximise income through treating CF as the FOTM degree, combined with lecturers who clearly have no clue because they are sending their students to the forums we use to ask (what are to experienced practitioners) questions that one could answer reading any decent book on the topic, or 3 minutes of online research.

Some of the forensic tutors at my uni have only done a training course in Encase. Encase is the only tool available on the course. I'm glad I did my forensic degree elsewhere.


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

I blame (for-pay) universities and their desire to maximise income through treating CF as the FOTM degree, combined with lecturers who clearly have no clue because they are sending their students to the forums we use to ask (what are to experienced practitioners) questions that one could answer reading any decent book on the topic, or 3 minutes of online research.

Some of the forensic tutors at my uni have only done a training course in Encase. Encase is the only tool available on the course. I'm glad I did my forensic degree elsewhere.

Disappointing, but not surprising.


   