Since I started in Week 2 of this year I figured I should do an additional post to take it up to 52 total for the year. Here are a few things I’ve learned about blogging and things I’ve noticed. You’ve read it all before elsewhere, but now it’s coming from me 🙂

First off I wanted to say thank you to everyone that reads my posts, and the others that have sent me links to include. It’s always good to know that people appreciate my work 🙂 I’m also glad to have had a little bit of an impact on the community.

Blogs are hard work, especially if you set yourself a weekly target. I’m slowly working on improving my ability to focus so that I can spend less time writing and more time outside. That involves sticking to one task at a time; something that’s similar in all work – distractions cause you to lose your place and decrease your overall productivity! I think that working through this and has helped me realise that I spend a lot of my time chasing rabbits when I could get my work done faster going through sequentially.

With regards to content, thankfully the entire community is doing the heavy lifting and I’m just trying to keep up with the information that’s shared in a variety of different mediums. There is still a huge amount of information that I’m not linking to or sharing – mainly stuff that’s coming out of the universities, conference papers that aren’t publically shared or I don’t know about, pretty much anything behind a paywall, and the huge well of knowledge in the various listservs. There’s not all that much I can do about it, but if I can’t find it, there’s a good chance a number of other people can’t either.

I’ve noticed that the malware community shares a lot more information regarding reversing specific malware; I think that has to do with the companies making it part of their job – they do the research, they incorporate it into their scanning/defense product, and then the write-up is basically advertising: “here’s how this malware works, here’s the IOCs, and our product detects it”. It’s a good model overall because it helps their customers (mainly regarding peace of mind), it’ll help find new customers (it’s intellectually stimulating marketing), and it gives people the information around the malware. I suppose it’s also because there’s new malware popping up constantly and it’s easily accessible. There isn’t really the same virustotal-type site for forensic artefacts, just images (there’s a good repo on DFIR.training) that you can pull down and extract data from. Maybe if someone created an online parsing platform for artefacts using open source tools that provided parsed data in exchange for sharing the files?

For the DFIR community, most people have their own blogs, and there aren’t too many paid-tool/forensic company blogs that write posts. Most of the blogs I’ve found are people writing on their own volition for their own benefit, or altruistically (but most probably both).
Regarding vendor posts, some show how to best utilise their tool to complete an action, others go into the depths of how they’re getting and parsing the data. It’s great when a vendor comes out and says “hey we automatically parse XYZ now”, but there’s usually very little as to how they do it (aka secret sauce). I get it, it’s just that no tool is perfect, and our industry has (valid) trust issues.

A lot of information is shared in presentations rather than write-ups. My theory behind this is there’s a benefit in speaking publicly for the individual more than there is writing a blog post. You get the benefit of moving around to different conferences (usually for free) and getting your name out there. Thankfully a lot of presentations are also shared online, recorded etc so that the information is there. It’s just harder to index, so may be slightly more difficult to find. If someone was looking for a (time-consuming, but useful) project, start a blog where you watch a presentation and either transcribe or summarise it.

With regards to tools, I’ve noticed that there are a few people that constantly put out updates to their products and others that are seemingly silent. There are a lot of open source/freely available tools being released and/or updated which is good to see.

With regards to my site, does anyone have any suggestions about things I’m missing, things you want to read? Do you like what I’ve done and the small amount of evolution that I’ve gone through since day one at the beginning of the year? I’m open to suggestions 🙂