I talked briefly last time about the difference between those who enjoy sharing their knowledge and those who prefer to keep things to themselves. I feel strongly that the vast majority of members at Forensic Focus (and similar sites) fall into the former camp which means we have a tremendous resource at our disposal. Like anything of value, though, it needs careful handling. Just as those who are in a position to help may feel a responsibility to provide accurate information (and don't forget that many answers provided in the forums are highly detailed and have involved considerable time and effort to compose), so those who are seeking answers have an obligation to frame their questions appropriately and do what they can to help themselves before seeking advice.
Forensic Focus is openly and unashamedly a site for both old hands and newcomers to the field, it's certainly not just a site for experienced practitioners. One of the reasons behind that is a focus not just on today's challenges but on tomorrow's too, and more specifically on those members who, although they may be new to computer forensics right now, will be the ones who drive it forward in 5, 10, or 20 years from now (by which time the only computer I'll be using will be one of those gadgets you get at Christmas to keep track of your golf score). So if you're a beginner and there's something you don't understand, what should you do? Here are some thoughts, and I encourage others to add theirs:
- Before even going online, think about the resources you already have to hand. Books and training course notes are often excellent reference sources. If you have neither, now might be a good time to consider laying down some sound fundamentals. Computer forensics courses (both academic or commercial, classroom based or distance learning) have experienced tremendous growth in the past few years. If a course is not appropriate, at the very least read as much as you can. I often still refer to books I've purchased over the years and building a library of the best reference works should be a priority. Subscribe to news feeds and blogs too so you're up to date with general developments.
- Whether your question is general or specific, try a little hands on research and testing yourself. Often, putting together a small network or even a single PC for testing purposes can be achieved at little expense. Want to know what happens to the registry when an external disk has been used and removed? Give it a go and try for yourself. Many useful forensic tools are open source and freely available and in the course of using them you will often build your knowledge in other areas.
- If you have a question about a particular item of hardware or software, consider trying the manufacturer's support site or forum first before looking in a forensic forum for someone with relevant experience. The same applies to forensic hardware and software, often the manufacturer's own web site or forum will get you the answer you need quicker.
- Some software packages come in for particular scrutiny during an investigation of course, primarily those developed by Microsoft due to their dominance in the OS and browser markets. Fortunately Microsoft makes a lot of information available through its own web site (you can search through it here).
- It almost goes without saying, but Google really is your friend. If you don't find what you're looking for immediately, though, don't give up. Read some of the advanced search tips for other ways of searching.
- Before posting in the forums, have a good search of the existing posts. As you're doing so you'll probably ask yourself why there aren't many stickied posts or FAQs and I think you'd be right. It's something I intend to improve next year.
- If you've done all the above (with a particular emphasis on a solid Google and forum search) but haven't found what you're after PLEASE DO ask in the forums - that's what they're there for and I'm certainly not trying to put anyone off from posting. However, there are a few important points to keep in mind when you do post, namely:
1. Always post in the most appropriate forum (yes, there's more than one!)
2. Give as much information as you can about the problem straight away. Most people are very willing to help but it can be frustrating if there are obvious gaps which need to be filled before they can do so. Describe the general context of the situation, explain something about your own background or experience if you're new to the board, describe any hardware or software in detail (including version numbers) etc. The more information you can give, the more likely you are to get a useful reply.
3. Say what you've already done to answer the question or solve the problem. Don't be afraid to admit your own limitations. This has two benefits. Firstly, it prevents other from going over the same ground but perhaps more importantly it shows that you've already put your own effort in and just can't get any further. In that case most people will be only too happy to help and you'll get the result you're looking for.
I hope the above is useful and helps us build our friendly community still further.
Have I missed something? Would you like to add your own tip for making the most of our shared knowledge pool? Don't hesitate to comment.