Sunday, September 23, 2018

It is our responsibility: Supporting DFIR researchers and content creators.

Putting out free Digital Forensics and Incident Response (DFIR) content, be it blogs or tweets, is a time-consuming endeavor for sure. Even my blog and its basic DFIR content, which I work on in my free time, takes me hours to finish just one post. This fact made me think of those who create more frequent and extensive heavyweight content. I have lost count of how many times I have used information from the DFIR community in my case work. How can we thank these fine folks for the work they put in for us, most of the time for free? How can we motivate them to continue doing so?

How to say 'we got your back' to DFIR content creators.

1.     Say thank you.

Was something you learned useful? Tell the person so through a retweet, direct message or email. You might not be allowed to tell them how it helped you specifically in a case, but most folks appreciate knowing that something they worked on and shared had an impact, even if specifics are not available. That being said, if you can provide some details, do it. The person you are thanking might be able to tell you more about what you found useful, things you wouldn't have known if you hadn't reached out.

2.     Share and promote the work.

Sharing and promoting not only gives the content more impact and distribution, it might also motivate others to share their own work. For an example see here.

3.     Support their Patreon if they have one.

Time is not free. Hosting a website is not free. Equipment to record audio and/or video is not free. Editing software and DFIR tools are not free. Thanks to Patreon and other similar sites we can directly encourage and support these folks monetarily. Here are some DFIR content creators I support:

A DFIR website by Brett Shavers that contains a wealth of information. Being a Patreon supporter comes with awesome educational perks. Depending on your level of support you will have access to videos and even DFIR course content.

If you don't read Phill's weekly blog post and hear his monthly DFIR roundup, who are you? I think Phill has a time slowing machine that enables him to listen, read and then do a summary of all the latest happenings in the DFIR space.

Rally Security is an Information Security (Infosec) focused Twitch channel. A great group of known experts discuss the latest in Infosec as well as interview interesting people in the field. The Twitch channel keeps a copy of each show if you missed one.

Richard Davis creates great videos that showcase different DFIR techniques. Being able to see how something is done helps immensely. As an example check out his video on SRUM here.

4.    Buy their books but also review them.

Recently I have made a point of buying the books of people that are active in DFIR Twitter/blogs. Great decision. Most of the time tweets and blog posts do not do justice to the research or work these individuals put in. When they sit down and write a book about it, one can really benefit from all the details that do not fit in social media. Was the book useful? Leave a comment on Amazon or on your own Twitter. Think others will benefit from knowing your take on the book? Write a review and post it on your blog. I am currently reading Harlan Carvey's new book titled Investigating Windows Systems and hope to have a review done soon.


A free resource is never actually free. People put their time, knowledge and even their hearts out there because they have a passion for this field. It is our ethical responsibility as beneficiaries of such efforts to encourage and support as many of these folks as we can, and if possible, become one of them too.


  1. This is a very interesting post, particularly given that I've said some of the same things, specifically "say thank you". And I've been shot down, with many of the respondents saying that they don't thank someone every time they use a tool or rely on the resources provided.

    I hope you get a better response than I did.

    1. Thank you so much for your comment, for taking the time to notice this post.

      I think most folks would definitely agree with us on the importance of saying thanks. That being said I think that a content creator should not need or expect to receive thanks in order to continue sharing their insights. I've described the sharing process as a moral imperative on the part of the content creator in past Twitter threads on the topic. I should have added at the time that saying thanks is also just as important as consumers of the information. This post is a way of doing so.

      Oh and awesome book. Still working on it. My review will so far focus on how your book has a lot of value for LEO DFIR folks that want to transition from mostly file/artifact recovery based investigations (like child exploitation) to more complex intrusion cases as seen in the private sector space. I say this cause finding the contraband image mindset is not at all like the one needed to understand a case that involves the use of malware and the analysis of network traffic artifacts.

      Again, thanks!

  2. We all live on the same small planet for a short period of time.

    Showing a little appreciation via a nice word or two goes a long way to validate someone's effort, especially when the effort is sharing information. The unfortunate reality for some is the expectation that everything should be free, that 'someone else' needs to do the work for them, and that they are entitled to have whatever they need without even a 'thank you' to the person, persons, or organization that spent the time and effort to create it.

    I also believe that purchasing a book, a course, or tool is the same as a 'thank you', without having to say it.