Sunday, September 23, 2018

It is our responsibility: Supporting DFIR researchers and content creators.

Putting out free Digital Forensics and Incident Response (DFIR) content, be it blogs or tweets, is a time-consuming endeavor for sure. Even my blog and its basic DFIR content, which I work on in my free time, takes me hours to just finish one post. This fact made me think of those who create more frequent and extensive heavyweight content. I have lost count of how many times I have used information from the DFIR community in my case work. How can we thank these fine folks for the work they put in for us and most of the time for free? How can we motivate them to continue doing so?

How to say 'we got your back' to DFIR content creators.

1. Say thank you.

Was something you learned useful? Tell the person so through a retweet, direct message or email. You might not be allowed to tell them how it helped you specifically in a case, but most folks appreciate the knowledge that something they worked on and shared had an impact even if specifics might not be available. That being said, if you can provide some details, do it. There might be more to what you found useful that the person you are thanking might be able to tell you that you wouldn't have known otherwise if you hadn't reached out.

2. Share and promote the work.

Sharing and promoting not only gives the content more impact and distribution, but it might also motivate others to share their own work. For an example see here.

3. Support their Patreon if they have one.

Time is not free. Hosting a website is not free. Equipment to record audio and/or video is not free. Editing software and DFIR tools are not free. Thanks to Patreon and other similar sites we can directly encourage and support these folks monetarily. Here are some DFIR content creators I support:

DFIR website by Brett Shavers and it contains a wealth of information. Being a Patreon supporter comes with awesome educational perks. Depending on your level of support you will have access to videos and even DFIR course content.

If you don't read Phill's weekly blog post and hear his monthly DFIR roundup, who are you? I think Phill has a time slowing machine that enables him to listen, read and then do a summary of all the latest happenings in the DFIR space.

Rally Security is an Information Security (Infosec) focused Twitch channel. Great group of known experts that discuss the latest in Infosec as well as interviewing interesting people in the field. The Twitch channel keeps a copy of each show if you missed one.

Richard Davis creates great videos that showcase different DFIR techniques. Being able to see how something is done helps immensely. As an example check out his video on SRUM here.

4. Buy their books but also review them.

Recently I have made a point of buying the books of people that are active in DFIR Twitter/blogs. Great decision. Most of the time tweets and blog posts do not do justice to the research or work these individuals put in. When they sit down and write a book about it one can really benefit from all the details that do not fit in social media. Was the book useful? Leave a comment on Amazon or on your own Twitter. Think others will benefit from knowing your take on the book? Make a review and post it on your blog. I am currently reading Harlan Carvey's new book titled Investigating Windows Systems and hope to have a review done soon.


A free resource is never actually free. People put their time, knowledge and even their hearts out there because they have a passion for this field. It is our ethical responsibility as beneficiaries of such efforts to encourage and support as many of these folks as we can, and if possible, become one of them too.