“You must continue to gain expertise, but avoid thinking like an expert.” Denis Waitley
I’ve been in Austin, TX for the past eight days at the SANS DFIR Summit and to teach the SANS FOR 585 Advanced Smartphone Forensics course. I love the yearly DFIR Summit. Really great speakers in the digital forensics and incident response worlds come together in a superbly cool city to speak on a variety of cutting edge topics. It is a yearly forensicator-family reunion, bringing together veterans in the field with new up-and-coming professionals and enthusiasts. The summit allows the opportunity for veterans and newbies alike to share our passions for this field. We celebrate advances in our field and mourn the loss of dear friends.
There is silliness, too. After hours, epic Giant Jenga tournaments ensue, Deer Hunter competitions happen, and Cards Against Humanity impresses upscale hotel employees. Beginning bright and early Saturday morning, expert and well-respected instructors teach in-depth courses for six days immediately after the summit.
That’s right. We teach right through the weekend. And our students love it.
SANS doesn’t let just anyone present, teach, or develop courses for them. There is a vigorous vetting process that occurs before becoming a SANS Instructor or course author. SANS instructors have years of real world experience as practitioners and public speakers, and as such, have a degree of notoriety in the field. The recognition is nice, but I doubt I will ever really get used to signing Advanced Smartphone Forensics posters or being asked to pose with people for pictures. I’ve even had a couple of people stutter and tear up when they meet me. As a friendly, approachable, hardworking Midwesterner, I find these things somewhat disconcerting.
Year after year, the expertise of presenters, attendees, and students amazes me. So much so that sometimes the high degree of interest shown in my work surprises me. I come to the summit as an eager learner, to see what’s new in forensics and to offer my insight where it makes sense.
When I teach the FOR585 course I helped to write, I hope to impart to students a solid skill set and as much knowledge and wisdom as my experience might vicariously add.
But I learn from my students each and every time I teach, too. Whether it’s a handy navigation trick or a cool new smart phone artifact, or a totally new technique, I come away with new knowledge every time. And that fuels my fire to keep learning.
In the DFIR world, the distance between Padawan and Jedi Master can be both vast and tiny, all at once. This field changes too fast and has too many sub-niches to ever decide that you’ve learned enough. One person can’t possibly know everything there is to be known. This year’s summit covered topics ranging from Cloud and Drone forensics to exploits for Hello Barbie; artifacts from .bash_history to SQLite databases; topics ranging from tool testing process to innovation.
Wikipedia says an expert is someone who is “widely recognized as a reliable source of technique or skill whose faculty for judging or deciding rightly, justly, or wisely is accorded authority and status by peers or the public in a specific well-distinguished domain.” I am recognized as an expert in my field based upon my education, training, research, writings, teaching, and experience as a practitioner. But I don’t rest on those laurels because I have respect for the things I don’t know. And there is a vast pool of unrecognized or lesser recognized expertise represented among attendees and speakers that keeps our digital forensics and incident response worlds fresh and intensely interesting.