Thursday, April 14, 2016
Specifically with respect to DFIR, there are training courses available that you can attend, and it doesn't take a great deal of effort to find many of these courses. You attend the training, sit in a classroom, listen to lecture and run through lab exercises. All of this is great, and a great way to learn something that is perhaps completely new to you, or simply a new way of performing a task. But what happens beyond that? What happens beyond what's presented, beyond the classroom? Do analysts take responsibility for their education, incorporating what they learned into their day-to-day job and then going beyond what's presented in a formal setting? Do they explore new data sources, tools, and processes? Or do they sign up again for the course the following year in order to get new information?
When I was on the IBM ISS ERS team, we had a team member tell us that they could only learn something if they were sitting in a classroom, and someone was teaching them the subject. On the surface, we were like, "wait...what?" After all, do you really want an employee and a fellow team member who states that they can't learn anything new without being taught, in a classroom? However, if you look beyond the visceral surface reaction to that statement, what they were saying was, they have too much going on operationally to take the time out to start from square 1 to learn something. The business model behind their position requires them to be as billable as possible, which ends up meaning that out of their business day, they don't have a great deal of time available for things like non-billable professional development. Taking them out of operational rotation, and putting them in a classroom environment where they weren't responsible for analysis, reporting, submitting travel claims, sending updates, and other billable commitments, would give them the opportunity to learn something new. But what was important, following the training, is what they did with it. Was that training away from the daily grind of analysis, expense reports and conference calls used as the basis for developing new skills, or was the end of the training the end of learning?
Learning New Skills
Jump ahead about 13 years, and my linear algebra professor during my graduate studies had the same philosophy. Where most professors would give a project and the students would struggle for the rest of the week to "get" the core part of the project, this professor would provide us with the core bit of code (we were using MatLab) to the exercise or lab, and our "project" was to learn. Of course, some did the minimum and moved on, and others would really push the boundaries of the subject. I remember one such project were I spent a lot of time observing not just the effect of the code on different shaped matrices, but also the effect of running the output back into the code.
So now, in my professional life, I still seek to learn new things, and employ what I learn in an exploratory manner. What happens when I do this new thing? Or, what happens if I take this one thing that I learned, and share it with someone else? When I learn something new, I like to try it out and see how to best employ it as part of my analysis process, even if it means changing what I do, rather than simply adding to it. As part of that, when someone mentions a tool, I don't wait for them to explain every possible use of the tool to me. After all, particularly if we're talking about the use of native Windows tool, I can very often go look for myself.
So you wanna learn...
If you're interested in trying your skills out on some available data, Mari recently shared this MindMap of forensic challenges with me. This one resource provides links to all sorts of challenges, and scenarios with data available for analysts to test their skills, try out new tools, or simply dust off some old techniques. The available data covers disk, memory, pcap analysis, and more.
This means that if an analyst wants to learn more about a tool or process, there is data available that they can use to develop their knowledge base, and add to their skillz. So, if someone talks about a tool or process, there's nothing to stop you from taking responsibility for your own education, downloading the data and employing the tool/process on your own.
When I was a 2ndLt, I learned that one of my responsibilities as a platoon commander was to ensure that my Marines were properly trained, and I learned that there were two aspects to that. The first was to ensure that they received the necessary training, be it formal, schoolhouse instruction, via an MCI correspondence course, or some other method. The second was to ensure that once trained, the Marine employed the training. After all, what good is it to send someone off to learn something new, only to have them return to the operational cycle and simply go back to what they were doing before they left? I mean, you could have achieved the same thing by letting them go on vacation for a week, and saved yourself the money spent on the training, right?
Now, admittedly, the military is great about training you to do something, and then ensuring that you then have opportunity to employ that new skill. In the private sector, particularly with DFIR training, things are often...not that way.
So, the point of all this is simple...for me, learning is a matter of doing. I'm sure that this is the case for others, as well. Someone can point to a tool or process, and give general thoughts on how it can be used, or even provide examples of how they've used it. However, for me to really learn more about the topic, I need to actually do something.
The exception to this is understanding the decision to use the tool or process. For example, what led an analyst to decide to run, say, plaso against an image, rather than extract specific data sources, in order to create and analyze a timeline while running an AV scan? What leads an analyst to decide to use a specific process or to look at specific data sources, while not looking at others? That's something that you can only get by engaging with someone and asking questions...but asking those questions is also taking responsibility for your own education.