If you ask any of the prominent bloggers and instructors in the DFIR community for tips for those just getting started, a pretty common theme is to start a blog. This advice also applies to those who have been doing Incident Response and Forensics for a while. Phil Moore, who operates thisweekin4n6.com and thinkdfir.com, recently put out a blog post extolling the merits of running a blog. I won’t go into any great detail on his post, but two things really stood out and encouraged me to move forward.
- Participation Inequality – This is based on a principle that most of the content in the DFIR community is created by a small percentage of contributors. I can see how this may be true but it still seems like there are a lot of people contributing. I love the sharing of tools and ideas that takes place in this field and want to be part of that.
- Imposter Syndrome – I think this is pretty common across most technology fields. We always tend to think that everyone else knows more than we do. Many of you reading this (is anyone reading this?) probably have far more experience than I do in the DFIR world. Just the same, I know my way around Windows artifacts and think I have stuff to share that others will find useful. I had 15 years in the Infrastructure world before switching to an IR position last year and man do I love it! I mean I really love it. I would have never blogged about that stuff. Well maybe I would have blogged about PowerShell but the rest…no way.
So here we are… blog entry #1. I’m planning on putting out something new at least once a month. What can you expect from entry 2 onward? I’ll be highlighting various artifacts along with tools that I find do a great job presenting them. I also really enjoy PowerShell, so I’ll be including a few scripts I’ve created over the past few months and discussing how they’ve helped in cases or in my daily workflow. If anything I write piques your interest, feel free to reach out.