Every year, Lee Whitfield asks everyone in DFIR what stood out in the space—what tools, people, content, etc. defined the last 12 months. It’s an awesomely democratic process, and we thank Lee for putting it all together year after year.
To help anyone interested in participating, we’ve put together this list of super-unbiased recommendations.
We took a long and hard look at every possible suggestion in each category during literal weeks of objective number-crunching to come to our conclusions.
The process was brutal, but we did it for you.
Two things before we dive in:
- Here’s a link to the nomination form
- This year’s nominations are due on May 14.
With that, let’s get started.
Commercial Tool of the Year: Cyber Triage
13Cubed’s review of Cyber Triage
Cyber Triage is a unique DFIR tool in that it’s been designed to assist you as much as possible in your investigation.
- It scores and prioritizes artifacts to give you some fast starting points, but retains the other data for you to dive into
- To make sure you don’t miss things, it will recommend artifacts that you should review based on what you tag
- It works on both live systems and disk images.
There is no other DFIR tool out there like Cyber Triage, and it’s common for experienced investigators to tell us how they are saving hours or days with each investigation.
Non-Commercial Tool of the Year: Autopsy
It was an exciting year for Autopsy. (Now, if we could only get Brian to look more excited).
Autopsy continues to bring in new features that investigators need, and we think it is ideally suited to win this category again this year. Since the last 4:cast awards, we added:
- A new set of “Discovery” features to help focus on relevant data
- New interfaces around web domains
- Summary views of data sources
- Map viewers, and much more.
Autopsy has 70k+ downloads each quarter from around the world and has dozens of community plug-ins.
Show of the Year: OSDFCon
Brian Moran is the Man.
OSDFCon has always been a great place to meet open source developers and learn about new tools. For over 10 years, 400+ people were able to meet up and learn at the conference. The community truly rose to the occasion this year, as more than 5,700 people were able to learn about open source forensics when it went virtual.
Despite the limitations of remote-only participation, the energy at the conference was incredible. And so was the content, with presentations that covered memory forensics, iOS, macOS, Autopsy, remote desktop, and so much more.
Training Course of the Year: Divide and Conquer DFIR Process
This course really did take Brian months to create.
We launched a new, free Divide and Conquer DFIR Process Training class this year. We built the concepts behind it as part of our incident response training and Cyber Triage philosophy. The course gives an overview of the concepts and helps responders approach investigations and remember the various types of artifacts.
The basic idea is to focus on the investigative questions you need to answer and break them up into smaller and smaller questions (basic problem solving). Almost 16,000 students have registered so far. The material itself is worth many billions of dollars, but we decided to give it away for free.
Digital Forensics Dog of the Year: Cache
Cache is really cool. Stay tuned for her in our new branding and website!
Cache was introduced (and named) at OSDFCon 2020 as the new Cyber Triage mascot to fight crime alongside Renzik and Hash.
Renzik (Autopsy)
Hash (The Sleuth Kit)
While it’s true that Cache is a dog—she’s also a cyber first responder. Smart, tough, and brave, Cache does her part to fight cybercrime. And like any digital investigator, we think she deserves recognition. We may have imagined this as a 4:cast category, but we of course think it should be a category moving forward. Dogs aren’t just our best friends anymore: they’re becoming a vital part of DFIR too.
It’s Time to Hear from the People
Even if you don’t vote for us (which is very much against our recommendations), the whole DFIR community benefits from participation in things like this. So, here’s that link to the nomination form.
If you have a few minutes, think about sharing your thoughts.