DFIROnline: Defragmenting the digital forensics community with HTCIA member Mike Wilkinson

In our posts for monthly HTCIA chapter meetings, we’ve done something a bit unusual: linked to a virtual conference call that isn’t a chapter meeting. The monthly, hour-long DFIROnline is the brainchild of New England chapter member Mike Wilkinson (@MikeWilko on Twitter), who invites some of the most well-respected minds in the digital forensics and incident response (DFIR) community to interact with participants via live chat.

DFIROnline, like most of our chapter meetings, is open to anyone. We asked Mike to talk more to us about how he got the idea, why he’s doing it, and where it’s going:

HTCIA: How long have you been an HTCIA member, and what led to your creation of the DFIROnline meetups?

MW: I have only been a member of the HTCIA since I moved to the US in August 2010. I had been aware of the HTCIA for many years prior to that and was considering setting up a chapter in Sydney, prior to leaving the NSW Police Force. I had run into Paul Jackson at a [law enforcement] conference the previous year, where I presented a proposal for creating an organization similar to the CDFS; he had just got the Asia Pacific HTCIA chapter up and running and was very enthusiastic about the HTCIA.

I was inspired to create the meetups after watching on from the sidelines as Harlan Carvey started his NoVA [forensic] meetups. I would have loved to get along to one of the meetings, but the travel from Burlington VT to North Virginia was just a little hard to manage!

I ran into Harlan at PFIC and was talking about the meetups with him there. A few days later I thought that maybe an online meetup would work. I contacted Harlan to see if he was interested in getting involved and he was keen; I don’t think it would have worked so well without his support.

HTCIA: What about this particular format (as opposed to a webinar or conference call) did you think would be more beneficial than others?

MW: I have been using this format in my online classes for the Masters program at Champlain College, and found that it worked well in class. The interface is highly customizable and allows a high level of participant interaction, far more than I have seen with other systems.

So far we have had a heap of chat going on at the same time as the presentation; the audience can ask questions and contribute suggestions as the presentation is running. Last session we had a bunch of helpful links posted and a lot of friendly banter, along with a drinking game, just to make it more interesting!

It also provides a video feed of the presenters so you get to see the person who is talking. In the first session we had a tour of Harlan’s office which was pretty cool. So although it is not the same as getting together face to face it does get pretty close.

Finally it does not require user registration, which helps to keep everything quite informal. Personally I find that if I have to register for something I am much less likely to get involved, I guess I just hate giving out my details.

HTCIA: Why do you think the community is so fragmented, and how can programs like this one help?

MW: This is something that has been bugging me for years. There is no simple answer to this and David Kovar wrote a great post on it last year, everyone in the industry should read it here.

I think historically there has been a high level of mistrust between LE/government and private practitioners. In some cases this may be well founded, but for the most part people on both sides have a high level of integrity and are just doing their job.

This is compounded by the different closed lists. Whether it is IACIS, HTCIA, CCE or DFIR, each one is only open to a select group of people, in some cases based on whether you hold a certification and in others on whether you work for the right organization. In either case you are artificially excluding some great people.

The other part of the problem is the different types of work we do. Forensics for LE is quite different to incident response. Some things (for example documentation) that I take for granted coming from a LE forensic background appear quite novel or even pedantic to some IR people.

Moving forward we should be focusing on what we have in common, rather than what our differences are. I would like to see a situation where the only barrier to involvement was appropriate ethical behaviour. Unfortunately there are a handful of people out there whose behaviour should result in their exclusion from the profession. However this group is very small and it is a pity to stifle the development of the profession in order to defend against this tiny group.

HTCIA: What kind of information sharing do you want to encourage?

MW: Well, as an academic, everything; from a LE perspective I recognize that there is a small amount of information that, once it becomes common knowledge, can hinder investigations.

However, at this point in time the bad guys are far more organized and specialized than we are. There is so much duplication of work going on as a result of poor sharing that massive amounts of time are wasted.

Harlan has a great example he uses, where if one person spends 20 hours solving a problem and shares it with another five people, it has the potential to save 100 hours of work, as they will not have to repeat his/her efforts.

One other thing I think everyone needs to realize is that they all have something to contribute. In my online classes we have lots of discussion and I find that it does not matter how long someone has been in the profession they always have something to contribute.

One of the things I love about teaching is getting to interact with all these great people. Just the other day I had a student who has only just completed his bachelor’s degree and is just starting out in the profession suggest a solution I had never considered. We need to realize that no one has all the answers and it is always worthwhile listening to others, as you never know what you might learn.

HTCIA: What would you like to see for the meetups by the end of the year?

MW: More people involved and more great presentations. At the moment the time we run at is not much good for the rest of the world. I would like to run at least one session for Europe and another for Asia Pacific. I have already had people put their hand up to present in Europe and I could probably put some pressure on a few really smart people I know in Australia to do something. I just have to find the time to organize it.

HTCIA: Anything else you want to discuss?

MW: Yes, I have high hopes for [HTCIA partner] CDFS; I think it is the first time we have had an organization with transparent leadership and good representation of all parts of the profession. It is great to see it moving forward, I hope it continues to do so and take my hat off to the handful of people that have put the time into making it happen.

Also on a more personal note I have just created a new Master of Science in Digital Forensic Science, with a fair bit of help from a number of people listed here. This program is designed for people who already have a solid background in digital forensics and are looking for advanced education. Officially enrollment does not start until the fall term, but we can get students into a class over the summer if they are keen.

Again, DFIROnline is open to anyone. It’s next planned for February 16, with sessions planned on cryptology along with e-discovery case studies. Hope you’ll be there!
