Tuesday, July 3, 2018

Daily Blog #412: The importance of blogging,,, daily

Hello Reader,
I'm up in the air on my way to Bangkok, Thailand at the moment. I was planning on doing some attachment testing by changing file system timestamps but leaving the internal metadata timestamps in place to see what happens. BTW, Emirates Wifi is good enough for googling and blog posting. However, I've also been reading, or trying to read, what other people have been writing as well, and I thought I'd reference what I've been seeing.

If you've seen Brett Shavers' most recent post, he made the point that of all of the quick publishing methods available to the examiner/researcher/enthusiast, the blog is still the longest-lived form of documentation we could make. I agree with Brett on this, as I regularly google blog posts, including my own, to find details of things I've seen in the past. I find that googling a blog is much more reliable than trying to find a tweet or a Slack message.

If you have been following my cohorts in the Zeltser challenge (knowledgebean and archerforensics) you would see that both are putting out content they think is relevant and helpful based on their own interests. Between the three of us we've covered iOS backups, getting into DFIR and my own journey into Extended MAPI (again). What I want to point out here is that each one of us is focusing on what we think is interesting; if you, the reader, agree, you'll follow. If you don't, it's OK, there are other blogs out there for you.

What's important to me, as the person who is finding time to write a blog post every day even when traveling around the world and losing days (it's a good thing I number these!), is that doing this pushes me to keep researching and publishing. While I appreciate everyone who reads this, in the end I do the blog and the work within it because it makes me stay curious about DFIR. Every time I find or validate an artifact or technique I'm pushing myself to stay current and relevant.

If you noticed, prior to daily blogging my posts were sparse and few and far between. In that time I didn't stop working on cases, far from it. Instead, what happened was that I made it OK not to focus on anything that wasn't case work. Not forcing myself to look at new things means eventually I won't be prepared for the case that needs those answers, or to answer a question one of you or a student has. That is what pushes me: trying to know as much as possible and staying on the edge of what's possible.

That, I believe, is the real point of the Zeltser challenge, and what really inspired me to do it in the first place was Lenny's comment when I first heard about it. After doing it for 16 months in a row (Lenny holds the record, btw; maybe this time I'll go for two years) I mentioned he must feel some relief. Instead he looked at me and said 'Actually, I miss it'. At the time I didn't fully understand what he meant, but after doing my own year and then taking a multi-year break in between, I get it. Pushing yourself to research SOMETHING, write SOMETHING, think about SOMETHING every day makes you better no matter what that SOMETHING is.

So what I would say to my compatriots in the daily blog challenge is this: the point isn't writing a blog every day. The point is to never stop pushing yourself, because no matter who you are and how long or short you've been in DFIR, we all have more to learn and things are always changing. So if you missed a day, SO WHAT! No one is keeping score; instead we are all hoping you keep going so we can keep learning from each other. If you are thinking about doing it, just go for it. Even if you just write one or more posts and stop, you still did more than 99% of the people out there, and someday someone is going to be helped by what you wrote.

So reader, remember this. Just by reading this, we are friends. You share a common passion for finding the unknown in our field. Whether your interests lie in memory, malware, reverse engineering, mobile, Windows, OSX, Linux or even car forensics, we share a need to solve the unknown and answer the questions that need answering.

Want to know what you can do to help? Leave a comment, like a tweet, say hello in person to anyone you read. Everyone thinks that we must be overwhelmed with messages and don't want to be bothered, but the truth is that most of the time I'm just looking at a glowing screen, writing to whoever I assume is reading this based on the view count, hoping that it helps someone today or in the future.

Tomorrow, back to technical posts. But today I thought it was important to just reaffirm what others are saying. Write now. Write often. Never stop learning.