Around the internet I keep seeing this topic appear among people interested in working in DFIR. The question is almost posed as “I don’t have to learn to code, right?” like programming is an awful skill to have.
The truth is that you can have a wonderful career in digital forensics and never write a piece of code in your life. However, I argue that if you want to thrive in this industry, gaining some proficiency in programming is a good step to take.
1 – The Cloud
As the world and most organizations within it start moving to cloud based resources, so too will the need for forensics in the cloud. This is a problem for DF because the cloud…is a cloud – there is no hard drive to acquire, no smartphone to extract data from, and no USB drive to examine.
Cloud data is sometimes only accessible via Application Programming Interfaces (API) created by the service provider that controls the data you want. Some of these service providers may have a way to export the data or collect it via a web interface. There may even be a fancy forensic collection tool out there to collect some cloud data, but for every one of these tools there are 12 cloud services that they don’t collect from.
This means that if you want to be at the top of the food chain in the future of forensics, you better start learning some scripting skills and get very familiar with writing code to access and collect data via RESTful APIs.
2 – Create your own Tools
If you currently work DFIR, you have probably asked yourself this question about 100 times in the last week – “I wonder if there is a tool for this”. The answer to your question is probably no. Why? You ask. In DFIR we are asked to help solve new and interesting problems on a regular basis which can be chaotic and unpredictable which means the industry can anticipate and make all the forensic software we need right now to help us.
That means there is always an opportunity to solve a problem with software or application of your own design, even if it only does one random thing. It could be anything from a 50 line Python script to a full fledged and comprehensive case management system for digital forensics…(wink).
3 – Accessibility
One last point for those of you trying to get into the DFIR world. Think about the industry you are entering. This is a field where you have to think on your feet, constantly learn new technologies, and accept difficult challenges. You honestly need all the skills you can get and you can teach yourself how program FOR FREE.
There are literally thousands of free resources on the internet dedicated to teaching you how to code. Thousands of FREE YouTube videos, thousands of FREE Medium blog post, thousands of FREE Stack Overflow posts. At this point you have to try hard not to learn how to code. You don’t even have to buy books on this stuff anymore; most of the software engineering industry is built on Googling a a problem, then copying and pasting the solution (not really, but sort of).
Here are some of those resources:
On top of all the free learning you can do, most coding technology is open source and completely free as well. VSCode is probably one of the best things Microsoft has ever created and it is completely, 100%, pure, uncut, free software that will make you feel like an expert programmer in a few hours.
There really is no excuse to not learn write code at some level if you are or want to be a part of the DFIR community. I’ll write another post on some tips to get started for those of you that I’ve just convinced.