Friday, November 30, 2007

Sharing knowledge (part two)

I talked briefly last time about the difference between those who enjoy sharing their knowledge and those who prefer to keep things to themselves. I feel strongly that the vast majority of members at Forensic Focus (and similar sites) fall into the former camp which means we have a tremendous resource at our disposal. Like anything of value, though, it needs careful handling. Just as those who are in a position to help may feel a responsibility to provide accurate information (and don't forget that many answers provided in the forums are highly detailed and have involved considerable time and effort to compose), so those who are seeking answers have an obligation to frame their questions appropriately and do what they can to help themselves before seeking advice.

Forensic Focus is openly and unashamedly a site for both old hands and newcomers to the field, it's certainly not just a site for experienced practitioners. One of the reasons behind that is a focus not just on today's challenges but on tomorrow's too, and more specifically on those members who, although they may be new to computer forensics right now, will be the ones who drive it forward in 5, 10, or 20 years from now (by which time the only computer I'll be using will be one of those gadgets you get at Christmas to keep track of your golf score). So if you're a beginner and there's something you don't understand, what should you do? Here are some thoughts, and I encourage others to add theirs:

- Before even going online, think about the resources you already have to hand. Books and training course notes are often excellent reference sources. If you have neither, now might be a good time to consider laying down some sound fundamentals. Computer forensics courses (both academic or commercial, classroom based or distance learning) have experienced tremendous growth in the past few years. If a course is not appropriate, at the very least read as much as you can. I often still refer to books I've purchased over the years and building a library of the best reference works should be a priority. Subscribe to news feeds and blogs too so you're up to date with general developments.

- Whether your question is general or specific, try a little hands on research and testing yourself. Often, putting together a small network or even a single PC for testing purposes can be achieved at little expense. Want to know what happens to the registry when an external disk has been used and removed? Give it a go and try for yourself. Many useful forensic tools are open source and freely available and in the course of using them you will often build your knowledge in other areas.

- If you have a question about a particular item of hardware or software, consider trying the manufacturer's support site or forum first before looking in a forensic forum for someone with relevant experience. The same applies to forensic hardware and software, often the manufacturer's own web site or forum will get you the answer you need quicker.

- Some software packages come in for particular scrutiny during an investigation of course, primarily those developed by Microsoft due to their dominance in the OS and browser markets. Fortunately Microsoft makes a lot of information available through its own web site (you can search through it here).

- It almost goes without saying, but Google really is your friend. If you don't find what you're looking for immediately, though, don't give up. Read some of the advanced search tips for other ways of searching.

- Before posting in the forums, have a good search of the existing posts. As you're doing so you'll probably ask yourself why there aren't many stickied posts or FAQs and I think you'd be right. It's something I intend to improve next year.

- If you've done all the above (with a particular emphasis on a solid Google and forum search) but haven't found what you're after PLEASE DO ask in the forums - that's what they're there for and I'm certainly not trying to put anyone off from posting. However, there are a few important points to keep in mind when you do post, namely:

1. Always post in the most appropriate forum (yes, there's more than one!)

2. Give as much information as you can about the problem straight away. Most people are very willing to help but it can be frustrating if there are obvious gaps which need to be filled before they can do so. Describe the general context of the situation, explain something about your own background or experience if you're new to the board, describe any hardware or software in detail (including version numbers) etc. The more information you can give, the more likely you are to get a useful reply.

3. Say what you've already done to answer the question or solve the problem. Don't be afraid to admit your own limitations. This has two benefits. Firstly, it prevents other from going over the same ground but perhaps more importantly it shows that you've already put your own effort in and just can't get any further. In that case most people will be only too happy to help and you'll get the result you're looking for.

I hope the above is useful and helps us build our friendly community still further.

Have I missed something? Would you like to add your own tip for making the most of our shared knowledge pool? Don't hesitate to comment.


Anonymous said...

I think that those are all really good points. Just one comment on the part of those answering.

Tempting as it is to say "that has already been answered here" if you do - include a link to it, sometimes people might not get that one post really answers their question, or, they may not have used the correct search terms.

I can only second the request for clear information that leads to where you are now. And things that show that some effort has been applied, tend to increase the desire to help !

Anonymous said...

Well I was expecting a philosophical post, I'm disappointed. You should rename your post "HOW TO get some help - for dummies".

Personally I'd like to have your point of view on a subject related to "sharing knowledge". Nowadays most people have a blog or a little website to share what they have found (in a IT context). I can guest that most of the visitors coming on this website have an IT Security background and probably that most of them publish their work over the Internet.

But, because they/we are *security expert* our purpose is to protect organisations. So by publishing some of our work in public we give a lot of information about subjects we know and also subjects that we do not know about ...

Could this be used by an assailant ? Letting them guess what we can't protect ourselves against could be the other side of the coin of sharing our knowledge on the internet.

Anonymous said...


The question about disclosure, noting for the record the difference between forensics and security, is one which (understandably) crops up now and again in the forums. My take on it has always been that sensible, considered disclosure on open - or even closed - forums/lists/blogs etc. probably delivers a greater benefit than the risks it poses.