
This is a reply to, and further discussion of, @Brett_Shavers' post Publish your #DFIR Research.

The main idea is that the DFIR community needs a better way to manage its research outputs. Academic publishing normally takes a few months if it's quick, and a year or longer if it's not. Add the research and development time on top of that, and a single paper may be worked on for two to three years. In DFIR, however, much of the information is needed now (for example, traces left by the current version of an OS) and may no longer be relevant in a year or two.

Brett believes blogging is "the most effective method to disseminate DFIR methods, processes, and discoveries."

I believe that good DFIR research should be peer reviewed, and that IF the academic model had a reasonable process and time frame for publishing, this would be the way to go.

Academically speaking

Of course, the academic model is too slow and is often stuck behind paywalls. That's why many fields now publish preprints. There is a lot to talk about here, but the main keyword is open science: making scientific results open and accessible. This is a huge, controversial area because it requires very powerful publishing groups to completely change their business model. It also requires universities to change the way they assess academic contributions.

Two cases of open publishing

Brett talks about a practical paper he wrote and self-published:

Making this paper publicly available in two weeks had a wider and more positive impact on the DFIR community than it would have if I had chosen to publish academically as suggested by my professor friend.

I would add that some DFIR ideas are unlikely to be published in a DFIR journal. For example, I wrote an argument piece on automation in DFIR, and journals I submitted to found it “out of scope”. I published on arXiv as an experiment, and it gets comparatively good citation rates.

Brett’s suggestion

For work published in blogs, forums, chat rooms and courses:

  1. Allow these works to also be published by any and all means that get the information out (academic publications?)
  2. Have academia and industry peer-review these non-traditional channels
  3. Provide a central, long-term repository for this information

A realization

I started this post thinking about the problems that would stop data sharing, but as I got to this part of the post I think the academic community has already solved a lot of these issues. Specifically, with something like Open Journal Systems (OJS). It allows for private or public reviews of material, open access, and long-term archiving / failover systems.

For practical posts we could just slightly change the review process. As a result, I'm trying to set up OJS as a test run to gauge the level of interest. More to come.