07
Jan

DFIR Truisms

I collect quotes. Quoting something or someone is fun and entertaining; sometimes it is challenging – much like delivering a joke, timing is everything.

During the holidays as I was performing my yearly household purge of both true junk and digital junk, I came across a handful of quotes that I had collected over the years and thought each of them were applicable to the world of DFIR so I thought I would share… I hope if you have similar, short quotes, you will share too. For me, keeping a quote in mind while conducting an examination is relaxing and helps me focus on the task at hand.  Maybe the following will strike you in a similar way, let me know.

From  a conference I attended in Atlanta in March 2005 as part of ISSA’s CISO Executive Forum Conference:

That which is unrecorded did not occur;
That which is undocumented does not exist;
That which is unaudited is vulnerable.

― Jeffrey Ritter, Waters Edge Consulting, LLC
www.johnritter.com

 

I first stumbled upon the following quote after someone told me that I had too much DF training “experience” and not enough practical “experience”; I suggested at the time that practice is experience, just in a more controlled setting.  Thankfully that sentiment was expressed to me many cases ago, so I think I now have a good balance between theory (training) and practice (casework.) 

As it turned out, I think the end result has provided me with a strong foundation so for those new to the DFIR world, do not be discouraged because someone says you DO or DON’T have something on your CV. You’ll get the “experience” and “practice” when the time is right in your situation.

The other reason for including the quote is – who doesn’t like to read and re-read Yogi Berra quotes.

In theory, there is no difference between theory and practice.
But in practice, there is.

― Yogi Berra

 

Finally, probably the best quote of the three (with a great DFIR twist)…

Sometimes the QUESTIONS are complicated and the answers are SIMPLE!
―Dr. Seuss

When conducting an investigation, do not let things get so crazy that you loose focus on the ultimate goal of those making the request.  This Dr. Seuss quote I think helps keep that in perspective as DFIR analyst work towards answering The Question!

Do you have some DFIR Turisms to share?

3 Replies to “DFIR Truisms”

    1. keydet89 – I like those additions; especially the absence of artifacts. So very true when looking at evidence when anti-forensics techniques may have been used.

  1. I couldn’t find a link to email the host of this website, so I’m hoping you’ll see this comment. I am the Program Developer over the Digital Forensics program for law enforcement at the American Academy of Applied Forensics in Charlotte. I’d love to offer your association members some training. We have both in-class and online classes, which are free/reduced cost for law enforcement, depending on the class. These include both cell phone and computer forensics, basic to advanced courses. Please email me if interested. graham.kuzia@cpcc.edu

Leave a Reply to Clay Boswell Cancel reply

Your email address will not be published. Required fields are marked *