SANS Digital Forensics and Incident Response Blog

How to Make a Difference in the Digital Forensics and Incident Response Community

Over the years of teaching, I have found that there is no shortage of talent in our DFIR community. There are so many individuals that are incredibly sharp, truly skilled, and solving critical cases for their organizations.

Sometimes we find that we become so focused on solving cases that we forget that we could figure out a way to share some of our talents back to the community. I commend the many peers that I have that have started blogs and author tools that truly make a difference. In some cases, an individual has a lot of skill, but sometimes needs an idea. Many in the community can probably list off multiple research projects that we would love to tackle if given enough time. But we simply don't have that extra time, so we share these ideas with others who might have a spare CPU cycle or two.

The main point? I truly encourage you to reach out to individuals in the community and ask "What would be a great project for me to work on?" or "What still needs to be researched?" You will be surprised at how often the answer to that question will be much longer than you expected. The work you might perform on that project could potentially change the entire digital forensics community.

The Kristinn Guðjónsson Story:

Kristinn is a good friend and someone that I really respect in the community. Back in the summer of 2009, Kristinn reached out to me and started having a dialog about some parsing utilities that he had created. He had just started to blog and seemed to be interested in feedback. I started to use some of his utilities and noticed that he was a fairly decent coder. He was also looking for a project that he would be able to submit for the GIAC GCFA Gold Certification. (Kristinn's paper is here) It was at this point that Kristinn was thirsty for a project and seemed eager to tackle something large, so I mentioned the initial idea of the Super Timeline tool to him. Now, extending timeline analysis wasn't exactly new. Brian Carrier and others, such as Mike Cloppert in his GCFA Gold paper on EX-TIP, had also started research on this topic, but the work wasn't extended beyond what was initially written. One key step occurred when Harlan and I began collaborating on timeline analysis, when I asked him to modify his script to output in bodyfile format in October 2008. As a result, expanding timeline capabilities beyond the filesystem and registry was a key project that had not truly been tackled before. What we needed was someone that had the time to dedicate to the research and development. Enter Kristinn.

Kristinn's reply was wonderful. In the very next email he was already looking at possibly using this project as the submission for his Gold Paper. He began work right away and log2timeline was born soon thereafter. I'm still fortunate that Kristinn calls upon me for feedback from time to time, but the community is now reaching out to Kristinn with the question "What needs to be done?" And that is wonderful. That is the way it should happen.

Kristinn's email discussing whether or not this idea could be submitted for his GIAC Gold Certification.

Kristinn's GIAC GCFA Gold paper was submitted and his project clearly has changed the way many of us look at forensics. Can the right research project change your future? Yes. Kristinn recently landed a job at a top US IT firm doing... IR/Forensic work after moving from Iceland. Much of that is due to his research and work on a project like log2timeline and his contributions to the DFIR community.

Become the Next Kristinn

The main idea here is that there are many out there who want to contribute. There are many research projects that are still left to explore. There are many tools that have not been written yet and many papers that are simply questions at this point. No, you do NOT need to program. You do not need to write a thesis. However, I would recommend that you join a DFIR mailing list and ask questions or share your thoughts. If you want to be more formal, start a blog and discuss things that interest you.

If you are looking for a project or a research idea and are short on ideas, reach out to the DFIR community for their input. Email me or others that you think might have some ideas. Tweet @sansforensics to gather some ideas. The field is still extremely new. Many ideas are so time consuming that we cannot explore them properly ourselves. There are also many small groups that work in development teams. log2timeline has started to move in that direction with the creation of a Google Group development list, or the incredible group that helps develop plugins and memory analysis support as a part of the Volatility community, or look to contribute via their code page. There are many small groups like this and individuals who probably would love additional collaboration. If you need ideas of where you can help, ask.

Kristinn's story of how log2timeline was created is a great example of this. I'm not only happy that the tool was finally made, I'm truly happy with the new friend we made in the process.

Thanks for the hard work, Kristinn. There are many bad guys looking at the inside of a cell due to your research, leadership, and work. *hat tip*

Rob Lee has over 15 years of experience in computer forensics, vulnerability discovery, intrusion detection and incident response. Rob is the lead course author and faculty fellow for the computer forensic courses at the SANS Institute and lead author for FOR408 Windows Forensics and FOR508 Advanced Computer Forensics Analysis and Incident Response.