I know nothing. That's the only conclusion I can draw from my four years in the field thus far. Every time I work on a new case I learn something. Most of the time these are little morsels of forensicating goodness but occasionally these things are so immense that I believe that my findings are worthy of sharing with the world. Of course, then I log on to the SANS Digialt Forensics Blog and find that someone else has typically beaten me to it.
As many of you may already know I have spent some months investigating and analysing volume shadow copies (difference files) in Windows 7 and Vista. The result of this is that I have found how these files are structured and can manually dissect these files to find valuable data. I have shared these findings on both my website and in several presentations. Now my question to you is this: What would have happened if I hadn't shared my findings? Stretching further, in what state would digital forensics be if people like Rob Lee, Harlan Carvey, Troy Larson and Jesse Kornblum hadn't shared their own research and findings?
To quote one of my favorite geek films, I know it isn't a classic but still...
"This business is living organism... There's no rule for idle time or second guessing... New discoveries are made hourly...
This business is binary; you are a one or a zero, alive or dead." (Antitrust 2001)
How true this is for our own field.
Too many forensic investigators are happy to sit on their laurels. They go to work, they work on a case, they come home. Now I'm not saying that there is anything wrong with this per se. These people are helping their clients, sending guilty parties to prison and helping innocent parties to escape punishment but what are they contributing to the field? What are YOU contributing to the field?
Returning to volume shadow copies, I saw something in the field that I believed was a potential stumbling block to digital forensic investigators around the world and I did what most people would have done; I sat and waited for someone else to solve the problem. I waited for well over a year for one of the big names in the field to come up with the research and the solution to the problem. Some good solutions were offered but not the complete solution that I wanted. At this point I decided that, rather than waiting for someone else to find the solution I would do it myself.
I wonder how many of us are reading this thinking "I have this problem and no one seems to know the answer." Is this the right way to think? I don't believe so. While I think that blogs, podcasts, and forums are excellent resources we should be investing our time and talents in finding solutions to our own problems. Why wait for someone else to figure it out?
Another scary thing to me is not that we aren't finding the solutions to these problems but that we are finding them and not passing on the information. Now, this may well be down to NDAs and the rules set out by our employers but we should be doing everything we can to improve the field as a whole. After all where would we be if the forensic forerunners had found all this information and kept it to themselves?
Don't stand still. Be anxiously engaged in a good cause and do something productive to benefit the field. If you want to know something research it. If you have something then please share it. You've only gotten this far yourselves by standing on the shoulders of giants.
Lee Whitfield, GCFA, is the computer forensic supervisor for Disklabs Ltd in the UK. He also runs the Forensic 4cast website and podcast.