
Daily Blog #412: The importance of blogging,,, daily

Hello Reader,
I'm up in the air on my way to Bangkok, Thailand, at the moment. I was planning on doing some attachment testing by changing file system timestamps but leaving the internal metadata timestamps in place to see what happens. BTW, Emirates Wi-Fi is good enough for googling and blog posting. However, I've also been reading, or trying to read, what other people have been writing as well, and I thought I'd reference what I've been seeing.

If you've seen Brett Shavers' most recent post, he made the point that of all the quick publishing methods available to the examiner/researcher/enthusiast, the blog is still the longest-lived form of documentation we can make. I agree with Brett on this, as I regularly google blog posts, including my own, to find details of things I've seen in the past. I find that googling a blog is much more reliable than trying to find a tweet or a Slack message.

If you have been following my cohorts in the Zeltser challenge (knowledgebean and archerforensics), you will have seen that both are putting out content they think is relevant and helpful based on their own interests. Between the three of us we've covered iOS backups, getting into DFIR, and my own journey into Extended MAPI (again). What I want to point out here is that each one of us is focusing on what we think is interesting. If you, the reader, agree, you'll follow; if you don't, it's OK, there are other blogs out there for you.

What's important to me, as the person who is finding time to write a blog post every day even when traveling around the world and losing days (it's a good thing I number these!), is that doing this pushes me to keep researching and publishing. While I appreciate everyone who reads this, in the end I do the blog and the work within it because it makes me stay curious about DFIR. Every time I find or validate an artifact or technique, I'm pushing myself to stay current and relevant.

If you noticed, prior to daily blogging my posts were sparse and few and far between. In that time I didn't stop working on cases, far from it. Instead, what happened was that I made it OK not to focus on anything that wasn't case work. Not forcing myself to look at new things means eventually I won't be prepared for the case that needs those answers, or to answer a question one of you or a student has. That is what pushes me: trying to know as much as possible and staying on the edge of what's possible.

That, I believe, is the real point of the Zeltser challenge, and what really inspired me to do it in the first place was Lenny's comment when I first heard about it. After doing it for 16 months in a row (Lenny holds the record, btw; maybe this time I'll go for two years), I mentioned he must feel some relief. Instead he looked at me and said, 'Actually, I miss it'. At the time I didn't fully understand what he meant, but after doing my own year and then taking a multi-year break in between, I get it. Pushing yourself to research SOMETHING, write SOMETHING, think about SOMETHING every day makes you better no matter what that SOMETHING is.

So what I would say to my compatriots in the daily blog challenge is this: the point isn't writing a blog every day. The point is to never stop pushing yourself, because no matter who you are and how long or short you've been in DFIR, we all have more to learn and things are always changing. So if you missed a day, SO WHAT! No one is keeping score; instead we are all hoping you keep going so we can keep learning from each other. If you are thinking about doing it, just go for it. Even if you just write one or more posts and stop, you still did more than 99% of the people out there, and someday someone is going to be helped by what you wrote.

So, reader, remember this. Just by reading this, we are friends. You share a common passion for finding the unknown in our field. Whether your interests lie in memory, malware, reverse engineering, mobile, Windows, OSX, Linux, or even car forensics, we share a need to solve the unknown and answer the questions that need answering.

Want to know what you can do to help? Leave a comment, like a tweet, say hello in person to anyone you read. Everyone thinks that we must be overwhelmed with messages and don't want to be bothered, but the truth is that most of the time I'm just looking at a glowing screen, writing to whoever I assume is reading this (going by the view count), hoping that it helps someone today or in the future.

Tomorrow, back to technical posts. But today I thought it was important to just reaffirm what others are saying. Write now. Write often. Never stop learning.
