Saturday, March 29, 2014

Writing DFIR Books: Questions

Based on my Writing DFIR Books post, Alissa Torres tweeted that she had a "ton of questions", so I encouraged her to start asking them.  I think that getting the questions out and asked now would be a great way to get started, for a couple of reasons.  First, the Summit is a ways away still, and it's unlikely that she's going to remember the questions.  Second, we don't know how the panel itself is going to go, so even if she did remember her "ton of questions", she may not be able to ask all of them.  Third, it's likely that some questions, and responses, are going to generate further questions, which themselves won't be asked due to time constraints.  Finally, it's unlikely that everyone is going to see the questions and responses, and it's likely that other panelists are going to have answers of their own.  So...I don't really see how someone asking their questions now is really going to take anything away from the panel that Suzanne Widup is putting together...if anything, I believe strongly that getting questions and answers out there now is going to make the panel that much better.

So, I scooped up some of the questions from her tweets, and decided to answer them via a medium more conducive to doing so, and here are my answers...

Forensics research is constantly in a state of new discovery. When does one stop researching and start writing?

The simple answer is that you're going to have to stop researching and start writing at some point.  It's up to you to decide, based on your topic, what you want to address, your outline, your schedule, etc.  The best advice I can give about this is to write the book the way you'd write a report...you'll want to be able to explain to a client (or anyone else) how you reached your conclusions 6 months or a year later, right?  The same holds true for the book...explain what you were doing in your research, in a clear and concise manner.  That way, if someone comes to you with a question about a new discovery after the book is published, you can discuss this new information intelligently.

Publishing Timelines
One thing to keep in mind about writing books is that the book doesn't immediately go to print as soon as you "put down your pen". Rather, once you've completed writing the manuscript, it goes into a review process (separate from the technical review process) and the proofs are then sent to you for review. Once you approve the proofs and send them back, it can be 2 or 3 more months before the book is actually available on shelves.  So, the simple fact is that a published book is always going to be just a bit behind new developments.  However, that doesn't make a book any less valuable...there are always new people coming into the field, and none of us knows everything, so a well-written book is going to be very useful, regardless.

If new research disproves something that you wrote, does it work against you later as an expert witness?

With respect to this question, writing a book is no different from conducting analysis and writing a report for a client.  Are you going to write something into a report that someone working for the client is going to disprove in a week or two when they read it?  If you found during your analysis that malware on the system had created a value beneath the user's Run key in order to remain persistent, are you going to say in your report that the malware started up each time the system was booted?  No, you're going to say that it was set to start whenever the user logged in, and because you did a thorough analysis, which included creating a timeline of system activity, you're going to have multiple data points to support that statement.

That is not to say that something won't change...things change all the time, particularly when it comes to DFIR work, and particularly with respect to Windows systems.  However, there's very likely going to be something that changed...some other application was installed on the system, some Registry value was set a certain way, a patch had been installed that modified a DLL, etc.

If you've decided to do "research" and add it to your book, do the same thing you would with a report that you're writing for a client.  Describe the conditions, the versions of tools and OS utilized, etc.  Be clear and concise, and caveat your statements where necessary.

When I was writing the fourth edition of Windows Forensic Analysis, I wanted to include updated information regarding Windows 8 and VSCs in chapter 3, so I took what was in that chapter in the third edition, and I ran through the process I'd described, using an image acquired from a Windows 8 system...and it didn't work.  So, I figured out why, and was sure to provide the updated information in the chapter.

Something else to keep in mind is that most publishers want you to have a technical reviewer or editor, someone who will be reviewing each chapter as you submit it.  You can stick with whomever they give you, and take your chances, or you can find someone you know and trust to hold you accountable, and offer their name to the publisher.  This is a great way to ensure that something doesn't "slip through the cracks".  Like a report, you can also have someone else review your work...submit it to peer review.  This way, you're less likely to provide research and documentation that is so weak that it's easily disproved.

As to the part about being an expert witness, well...as Alissa said before, "forensics research is constantly in a state of new discovery".  I've never been an expert witness, but I could not imagine an attorney putting an expert witness on the stand to testify based on research or findings that are five years old, or so weak that they could be so easily disproved.  I mean, I'd hardly think that such a witness would qualify as "expert".

You all have to address time management as well - how did you juggle paid work/full-time job with book writing?

Short answer: you do.

Okay...longer answer:  This is something you have to consider before you even sign a contract...when am I going to write?  How often, how much, etc?

I learned some useful techniques while writing fitness reports in the Marine Corps...one being that it's easier to correct and modify something than it is to fill empty space.  Write something, then step away from it.  When I wrote fitreps, I'd jot some bullets down, flesh out a paragraph, and step away from it for a day or so.  Coming back to it later would give me a fresh perspective on what I was writing, allowing my thoughts to marinate a bit.  Of course, it also goes without saying that I didn't wait until the last minute to get started.

Something that I've recommended to folks before they start looking at signing a contract to have a book published is to try writing a couple of chapters.  I will provide a template for them...the one that I use for my publisher...and have them try writing a chapter or two.  I think that this is a very good approach to getting folks to see if they really want to invest the time required to write a book.  One of the things I've learned about the DFIR community, and technical folks as a whole, is that people really do not like writing...case notes, reports, books, etc.  So the first hurdle is for a potential author to see what it's like to actually write, and it's usually much harder if they haven't put a good deal of thought into what they want to write, and they haven't started by putting a detailed outline together.  Once something is ready for review, I then offer to take a look at it and provide feedback...writing a book, just like a report, isn't about the first words you put down on paper.  Then the potential author gets to see what that part of the process is like...and it's like having to do 50 push ups, and then being told to do them over because 19 of them didn't count.  ;-)

So far, good questions.  Like I said, I think that getting some of these questions out there and answered now really doesn't take away from the panel, but instead, brings more attention to it.  And it appears that Suzanne agrees, so keep the questions coming...

Addendum:  Shortly after I tweeted this blog post, Corey Harrell tweeted this question:

What's the one thing you know now that you wish you knew writing your first book?

That it's so hard to get input or thoughtful feedback from the community.  Most often, if you do get anything, it's impossible to follow up and better understand the person's perspective.

Seriously...and I'm not complaining.  It's just a fact that I've come to accept over the years.

Most folks who do this sort of thing want some kind of feedback.  When I taught courses, I had feedback forms.  I know other courses, and even some conferences, include feedback forms.  It's this interaction that allows for the improvement of things such as books, open source tools, and analysis processes.  I'm a firm believer that it's impossible to know everything, but by engaging with each other, we can all become better analysts.  The great thing about writing a book, in this context, is that I've taken the first step by putting something out there to be scrutinized.

One of the things I've found over time is that my books have been and are being used in academic and training (government, military) courses.  This is great, and I really appreciate the fact that the course developers and instructors find enough value in my books to use them.  When I have had the chance to talk to some of these instructors, they've mentioned that they have thoughts on what could be done...what could be added or modified in the book...to make it more useful for their purposes.  When I've asked them to share their thoughts, or asked them to elaborate on statements such as "...cover anti-forensics...", most often, I don't hear anything.

Now and again, I do hear through the grapevine that someone has/had comments about a book, or specific material in one of my books, but what I've yet to see much of, beyond the reviews posted on Amazon, is thoughtful feedback on how the books might be improved.  That is not to say that I haven't received it...just recently I did receive some thoughtful feedback on one of my books from a course instructor, but it was a one-shot deal and it's been impossible to engage in a discussion so that I can better understand what they're asking.

Had I known that when writing my first book, I would've had different expectations.

5 comments:

43nsicbot said...

Hi Harlan
to expand a bit on the question by alissa "Forensics research is constantly in a state of new discovery. When does one stop researching and start writing?"

Do you feel the blogging medium is better than writing a book for sharing that research as long as it is concise and easy to understand? Or do you feel more books are needed in the DFIR space?

thanks...

H. Carvey said...

Do you feel the blogging medium is better than writing a book for sharing that research as long as it is concise and easy to understand?

Very much so. Blogging is an excellent medium for this, particularly when it's used by someone who is sincerely interested in conveying information. Great examples of DFIR folks who have used the medium this way are Corey Harrell and Dan Pullega.

The only issue with blog posts as a medium for this use is that many folks don't think about the possibility of referring to them later, and simply lose track of them. Yes, the blogs stay in the same place, but as new posts are added, the specific posts of interest get "pushed down", and some folks may have difficulty finding the information at a later date.

A great compromise between blog posts and a book is the wiki. When used correctly, the information is more immediately available to those who need it, and it's more easily updated than a book. It's also much easier to find and reference at a later date.

The only shortcoming of any online resource is that there may be times that someone needs access to the information, but is in a location or position where they do not have access to the Internet.

Overall, blogs offer a great way to convey information in a much more timely manner, particularly when that information is reviewed prior to posting. However, blog posts are subject to the same shortcomings as any other medium...a lack of feedback. The interconnectedness of blog posts with social media makes it easy for readers to "+1" or "Like" something, thinking that doing so provides some benefit to the community at large.

43nsicbot said...

Harlan,
Thanks for responding, between your blog and Corey's I have been able to learn as an entrant in the DFIR space. Some of y'all's recent blog entries have inspired me to be more interactive rather than be a spectator. Lastly some follow up questions, besides initiative what do you think is needed for that feedback in the community to happen? And do you think the DFIR community will continue to have pocket groups or will it evolve out of that?

H. Carvey said...

...besides initiative what do you think is needed for that feedback in the community to happen?

Everyone just needs to put their egos in check. When someone asks a question, don't assume that there's an ulterior motive, and when answering, it really helps to not assume what you think that the person may be asking further down the road.

It also helps that when a question is asked, some effort is put into determining the answer before posting the question, either through research, or just sitting and thinking for a moment. I've seen folks send questions to mailing lists, not get a response, and figure it out themselves.

But to your question, the best examples I can offer are Corey Harrell and Dan Pullega. Look at how they've contributed...anyone can provide feedback and contribute to the community in a similar manner.

And do you think the DFIR community will continue to have pocket groups or will it evolve out of that?

No, I don't think that will ever change...nor do I think that it's specific to DFIR. Any number of people bound together, however loosely, by a common profession will have something just like what we see.

H. Carvey said...

ForensicDev sent a comment in, and for some reason, it's not getting published...so here it is:

"Love this post. I have been interested in writing a book for the DFIR space, yet never knew where/how to start. This is giving me some pointers. Thank you.

I was always wondering about publishers vs. author royalty ratio.

On that note, I am curious to get your thoughts on using "self-publishing" services like Lulu.com or Amazon? While there are still processes to follow before publishing material, these services seem more flexible from the author's perspective.

The obvious challenge of marketing the book falls back on the author with the self-publishing services."

Some responses:

...yet never knew where/how to start.

Start by sitting down and figuring out what you want to write about. Do market research...what else is out there? If nothing, say so. If there is something else out there, what makes what you want to do better, worth someone purchasing it?

I was always wondering about publishers vs. author royalty ratio.

I've only dealt with two publishers, and they both start new authors off with 10%.

With respect to self-publishing...like I said, it's been a while since I looked at it, but if you self-publish, you don't have the same infrastructure behind you that you would with a publisher. I'm not saying that's bad, just that a lot of the things you get from a publisher, you'd have to do yourself.

Also, a good deal of the marketing falls back on the author, even if you're using a publisher. One of the biggest issues I've had with my publisher is that their idea of "marketing" is "we'll send out emails to a list of people who don't care, and we'll send copies of the books to other people who don't care". I've gone to them and said, "...instead of sending out 100 books to people who don't care, send me 20 copies, and I'll send them to people who will write a review on Amazon." Seriously...I get that Richard Bejtlich is a big name in "security", but what does he care about Windows, or host-based, forensics?