A More Complete DFIR Professional

The field of digital forensics and incident response (DFIR) has seen significant advancements over the last decade or so. The community has grown in size and (generally speaking) technical skills have improved. There are many more tools available today than there were even ten years ago, and our mainstay tools (e.g., Guidance Software's EnCase, AccessData's Forensic Toolkit (FTK), X-Ways Forensics, and others) seem to have gotten better – though that is a topic for another post/discussion. Even education has gotten much better, with colleges and universities offering courses specific to our field. That is not to say that all college courses are good; in fact, some are quite bad. But everything has to have a beginning. With all of these improvements and advancements, are we better today? In other words, are we, as DFIR professionals, more well-rounded and better at our work today than we were ten or fifteen years ago? I would submit to you that we are not; something is still missing, and that something is very important.

Technical skills aside...

I started with digital forensics in the late 1990s when hard drives were expensive and small, and our tools were much simpler and sparse (we didn't have nearly as many tools as we do today). Some of us used DOS and Linux on old, hand-me-down hardware. The community was much smaller and we learned from each other. We exchanged ideas as best we could and learned most of our processes by trial and error. We read manuals and we used hex editors. At times the whole process seemed painstakingly slow, but it worked. We did not take college courses specific to digital forensics; they didn't exist yet. Those fortunate enough to have the budgets to do so took training courses from vendors, such as Guidance Software and AccessData, or from third parties, such as the National White Collar Crime Center (NW3C) or the Regional Information Sharing Systems (RISS). (Anyone in the US remember those? MAGLOCLEN, MOCIC, NESPIN, RMIN, ROCIC and WSIN.) Larger law enforcement and government agencies even developed their own training courses and mentoring programs for new examiners (e.g., the FBI's CART and FLETC). In just a few short years a new examiner could amass a significant amount of training and develop a wide array of technical skills. Was that enough though? Did that make us excellent examiners? Ironically, one of the best training courses I took back then was a one-day course on report writing. Yes, report writing.

You can do the work, but can you explain it?

My background is in law enforcement. I retired some time ago and moved to the corporate world, so my experience is varied. This, among other things, has provided me with the opportunity to meet and work with a lot of very smart people – people with incredible technical skills – in both the public and private sectors. Unfortunately, far too many of those highly technical people lack the fundamental skills required to present their findings in a meaningful way. They can do some amazing work, but they can't describe their work to an attorney, a judge, an investigator, or even a jury. If you cannot present your findings in a meaningful way, does it really matter how good your work is? I was taught very early on, "if you didn't write it down, it didn't happen." So I ask again: are we, as DFIR professionals, more well-rounded and better at our work today than we were ten or fifteen years ago?

As an aside, I had the pleasure of working for an organization that actually employed editors to work alongside its DFIR professionals – a traditional editor (grammar, spelling, sentence structure, presentation, etc.) and a technical editor. That organization took writing seriously, and it showed.

Training gaps

Consider the training that exists today for DFIR professionals. When was the last time you took a course related to DFIR that included any substantial material focused on report writing and how to successfully present your findings? I'm not talking about a short, one-hour section on the last day of a class consisting of a brief lecture and a weak PowerPoint deck. I'm talking about substantive training. Consider a training course that includes the following:

  • Students are required to complete a short examination based on a pre-defined scenario with specific evidence;
  • Students are required to complete a written report which details their findings;
  • Students are required to turn over their examination notes to the instructor with their written report;
    • That's right, your examination notes and written report are two different things;
  • Instructors check each written report for accuracy (technical and otherwise), completeness and presentation value and provide meaningful feedback to each student;
  • Instructors check all written notes for accuracy and completeness and provide meaningful feedback to each student.

Even better, add a short mock trial to the mix and you have a real training program.

I am only aware of two organizations in the United States that incorporate this type of training into their DFIR curriculum: the Defense Cyber Investigations Training Academy (DCITA) and the National Computer Forensics Institute (NCFI). Unfortunately, those two organizations are unavailable to most DFIR professionals. Perhaps there are others?

Final thoughts

During my law enforcement career I worked for an agency that focused heavily on documentation and report writing. I often found myself writing for hours each day, depending in large part on the type of complaints I was assigned. And, while I had all the usual courses one might be required to complete during an undergraduate degree program, I wasn't a very good writer. I didn't know that at the time, but I came to understand my deficiencies very early on in my career. Then one day I saw a brochure for a one-day training course focused on "presenting evidence in legal matters." The course was actually meant for attorneys and paralegals, but that didn't stop me from attending – and the results were dramatic. My entire approach to report writing and presenting my findings changed almost overnight. Within a short amount of time I found myself being one of the "go-to guys" for drafting search warrants, court orders and even subpoenas. That course had a profound impact on my career.

Fast forward to the late 1990s when my career transitioned to DFIR work and I found myself stuck again. In one respect I was fortunate; I had the opportunity to attend a wide variety of DFIR training courses. On the other hand, I found myself struggling again with report writing and presenting evidence, and none of the DFIR courses available at the time helped. It took years of practice and mistakes for me to settle down and feel more comfortable with my writing. And I am still honing my report writing skills, just like I am with my technical skills. We frequently practice our technical skills; shouldn't we also practice report writing?

Would a course like the one I described above help you to be a more well-rounded DFIR professional? Would you attend a course like that? Perhaps we can convince Alan Paller and Rob Lee to add a course focused on report writing and evidence presentation to their SANS DFIR curriculum?

FWIW, Edward Tufte offers an excellent course entitled "Presenting Data and Information." Although not focused specifically on DFIR topics, it is an outstanding one-day course which – in my humble opinion – can help most DFIR professionals. If you ever get a chance to attend Mr. Tufte's course, I would highly recommend you do so.

Thoughts? Ping me on Twitter @DFIRSPEAK