More DFIR With Less Time

Photo by NeONBRAND on Unsplash

If you haven’t noticed, there has been a lot of amazing DFIR contributions lately! Eric Zimmerman rocks the community once again with KAPE. Speaking of doing “more DFIR with less time”, KAPE does just that. Of course, between the daily blogging, Test Kitchens, and grading of Sunday Funday answers, David Cowen is a contribution machine. Phill Moore helps everyone know what’s happening in the world of DFIR weekly (a resource you should join me in nominating for the 4:cast awards!) Alexis Brignoni is doing some cool stuff with his Android Usage Stats and Recent Tasks Graphical Parser. Needless to say, I feel like there is a Golden Age of DFIR upon us.

Seeing all of this contribution can lead me to some hard thoughts though. Am I contributing meaningful content to the community? I want to be just like these people and be beneficial. But how can I? My play time seems to be disappearing. I bet there are a lot of people in the community that also have these thoughts (at least I hope I am not the only one). I almost dare say I am suffering a bit of imposter syndrome. Ouch!

I think its okay to have these thoughts though. It forces me to look past my comfort zone and it gives me a chance to search for answers. So, where am I going to start looking for answers? My current dilemma is this, my play time is shrinking. So my question becomes, how can I be more beneficial with less time?

I start my quest for this answer with a book. Its a non-technical book! I haven’t read (okay, listened to) a non-technical book in a long time. The book — Essentialism: The Disciplined Pursuit of Less. The gist is “doing more with less” and I can’t recommend this book enough. It is exactly what I need to hear right now. I wish I would have read it 5 years ago. I even wish I would have read this book before I learned to program.

I think I am going to start to dedicating part of my play time to some much needed non-technical skill building. I am going to start trying harder to journal my thoughts. That being said, I do want to continue with some technical play work. I was recently looking over my repository and trying to decide what one project I wanted to renew focus in and make my prized project. I narrowed down to two projects. PancakeViewer or PyWindowsThingies (which I will probably change the name of). I really like PancakeViewer, but, it is so outdated it does not work with newer versions of Wx, DFVFS, or Python 3. That being said, I see so many benefits of monitoring forensic artifact changes in real-time. How do I pick which project should get all my time? I guess a poll would help.

At this point, I am pretty set on devoting my play time to the real-time artifact change project (https://github.com/forensicmatt/PyWindowsThingies).

Thanks for reading my non-technical post! I look forward to sharing my progress in learning to do more with less.