3 Ways Programming Skills Can Help You Succeed in DFIR

I often come across this topic among those interested in digital forensics and incident response (DFIR). People seem to ask the same question – “Do I need to learn how to code?” – as if it’s a dreaded task. While you don’t have to be an expert coder in order to have a successful career in DFIR, having some programming knowledge can help you excel.

1. It can make it easier to access & collect cloud data in an investigation

As organizations around the world move to cloud-based resources, so too does the need for digital forensics in the cloud. This presents a challenge for digital forensics professionals, as there is no physical hard drive to acquire or USB drive to examine, and no smartphone to extract data from.

Accessing cloud data can be a tricky process, as it is often only available through Application Programming Interfaces (APIs) created by the service provider that controls the data. In some cases, there may be ways to export or collect this data via web interfaces. Additionally, certain forensic collection tools may exist for collecting cloud data; however, there are many more services that these tools do not cover.

To successfully navigate this issue, it is imperative that you learn how to use scripting skills and understand how to access and collect data via RESTful APIs—especially if you wish to be a leader in the field of forensics in the future.
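The kind of script that follows from this point, added here as an example rather than code from the original article: it walks a token-paginated REST resource, keeps every raw page exactly as returned, and writes a hash-and-timestamp manifest so the collection can be verified later. The `fetch` callable, the `next_page_token`/`items` field names and the sample responses are assumptions standing in for a real provider's API.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Hypothetical fetcher: given a page token (None for the first page), return the raw
# JSON text of one response. Live, this would wrap an authenticated HTTP GET.
Fetcher = Callable[[Optional[str]], str]


def collect_paginated(fetch: Fetcher, max_pages: int = 1000) -> Dict[str, list]:
    """Walk a token-paginated resource, keeping each raw page verbatim plus a
    manifest of per-page SHA-256 hashes and UTC timestamps for later verification."""
    raw_pages: List[str] = []
    manifest: List[dict] = []
    token: Optional[str] = None
    for page_no in range(max_pages):
        raw = fetch(token)
        raw_pages.append(raw)  # never reformat what the provider returned
        manifest.append({"page": page_no,
                         "sha256": hashlib.sha256(raw.encode("utf-8")).hexdigest(),
                         "collected_at": datetime.now(timezone.utc).isoformat()})
        token = json.loads(raw).get("next_page_token")  # assumed field name
        if not token:
            break
    else:  # a cursor that never ends would otherwise run the collector forever
        raise RuntimeError("pagination did not terminate within max_pages")
    records = [item for raw in raw_pages for item in json.loads(raw).get("items", [])]
    return {"records": records, "raw_pages": raw_pages, "manifest": manifest}


def verify_collection(collection: Dict[str, list]) -> bool:
    """Recompute every page hash from the stored raw pages and compare to the manifest."""
    raw_pages, manifest = collection["raw_pages"], collection["manifest"]
    return len(raw_pages) == len(manifest) and all(
        hashlib.sha256(raw.encode("utf-8")).hexdigest() == entry["sha256"]
        for raw, entry in zip(raw_pages, manifest))


# Constructed sample responses standing in for a provider's audit-log endpoint.
SAMPLE_PAGES = {
    None: json.dumps({"items": [{"id": 1, "event": "login", "user": "alice"},
                                {"id": 2, "event": "download", "user": "bob"}],
                      "next_page_token": "p2"}),
    "p2": json.dumps({"items": [{"id": 3, "event": "share", "user": "alice"}],
                      "next_page_token": None}),
}


def sample_fetch(token: Optional[str]) -> str:
    return SAMPLE_PAGES[token]
```

Keeping the raw pages and the manifest together is what lets you show later that the records in a report match what the API actually returned at collection time.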

2. You can create your own tools

Have you asked yourself “I wonder if there is a tool for this” about 100 times in the last week? If so, you likely work in DFIR—and in most cases, unfortunately, the answer to your question is no. This is due to the chaotic and unpredictable nature of DFIR which requires us to solve new and interesting problems on a regular basis. As such, it’s not possible for the industry to anticipate and make all the forensic software we need right now.

This means there is always an opportunity to develop your own software or apps to address any problem, no matter how minor. This could range from a short 50-line Python script to an extensive case management system for digital forensics. Having programming skills will improve your ability to overcome the technology roadblocks you encounter.

3. You can learn programming skills for free (really)

For those looking to break into the DFIR industry, it’s essential to understand the demands of the field. From having quick-thinking abilities, to staying up-to-date on new technologies and being prepared for difficult challenges – this is an area that requires a diverse set of skills. Fortunately, there are plenty of FREE resources available online where you can teach yourself how to program.

With so many free resources available online, it’s almost impossible not to learn how to code. From YouTube videos and Medium blog posts to Stack Overflow posts, there is an abundance of learning materials you can access without spending a dime.

Here are a few FREE resources to get you started:

https://code.visualstudio.com/

https://stackoverflow.com/

https://www.w3schools.com/

https://github.com/

https://www.youtube.com/user/TechGuyWeb

In addition to all the free learning opportunities, many coding technologies are open source and completely free. VSCode, one of Microsoft’s greatest creations, is free software that will make you feel like an expert programmer in no time.

If you are part of or aspire to be a part of the DFIR community, learning to code at least to some degree can help you be more successful.

This article was written by Matt Danner, Founder & CEO of Monolith Forensics.
