Member-only story
Why I Wrote My Own DFIR Code Instead of Using Professional Tools
There’s a point in every security journey where tools stop teaching you anything new.
That’s the moment I decided to write my own code.
Not because professional DFIR tools aren’t powerful — they are.
But because I wanted to feel the friction, not abstract it away.
This article is about why I wrote this code, what I’m learning from it, where it fits in DFIR, when it matters, and how it’s shaping the way I think.
WHAT: What I’m Actually Learning by Writing This Code
On the surface, this C# project scans:
- Browser artifacts on Linux
- Network state (ports, ARP cache)
- Stores findings in SQLite
- Generates a forensic-style report
But the real lesson isn’t how to scan.
It’s how operating systems resist you.
By writing this myself, I had to confront:
- Files locked by running processes
- Databases in active use
- Permission boundaries
- Volatile data disappearing mid-scan