My great-grandfather was a furniture maker. I am writing this on his table, sitting in his
chair. His world was one of craft, “the skilled practice of a practical occupation.”[1] He made
furniture late in life that was in superficial respects the same as that which he made earlier,
but one can see his craft advance.

Cybersecurity’s hallmark is its rate of change, both swift incremental change and the
intermittent surprise. In the lingo of mathematics, the cybersecurity workfactor is the integral
of a brisk flux of step functions punctuated by impulses. My ancestor refined his craft
without having to address a change in walnut or steel or linseed. The refinement of craft in
cybersecurity is not so easy.

Forensics might at first seem to be a simple effort to explain the past, and thus an
affectation. It is not, and the reason is complexity. Complexity is cumulative and, as the
authors say at the outset, enough has accumulated that it is impossible to know everything
about even a de minimis network. Forensics’ purpose, then, is to discover meaningful facts
in and about the network and the infrastructure that were not previously known. Only after
those facts are known is there any real opportunity to improve the future.

Forensics is a craft. Diligence can and does improve its practice. The process of forensic
discovery is dominated by ruling out potential explanations for the events under study. Like
sculpture, where the aim is to chip away all the stone that doesn’t look like an elephant,
forensics chips away all the ways in which what was observed didn’t happen. In the terms
popularized by E. F. Schumacher, forensics is a convergent problem where cybersecurity is
a divergent one; in other words, as more effort is put into forensics, the solution set tends
to converge to one answer, an outcome that does not obtain for the general cybersecurity

Perhaps we should say that forensics is not a security discipline but rather an insecurity
discipline. Security is about potential events, consistent with Peter Bernstein’s definition:
“Risk is simply that more things can happen than will.” Forensics does not have to induce
all the possibilities that accumulated complexity can concoct, but rather to deduce the
path by which some part of the observable world came to be as it is. Whereas in general
cybersecurity the offense has a permanent structural advantage, in forensics it is the defense
that has superiority.

That forensics is a craft and that forensics holds an innate strategic advantage are factual
generalities. For you, the current or potential practitioner, the challenge is to hone your craft
to where that strategic advantage is yours—not just theoretically but in operational reality.
For that you need this book.