Sitemap

Member-only story

Why I Wrote My Own DFIR Code Instead of Using Professional Tools

4 min readJan 20, 2026

There’s a point in every security journey where tools stop teaching you anything new.

Author Created Image

That’s the moment I decided to write my own code.

Not because professional DFIR tools aren’t powerful — they are.
But because I wanted to feel the friction, not abstract it away.

This article is about why I wrote this code, what I’m learning from it, where it fits in DFIR, when it matters, and how it’s shaping the way I think.

WHAT: What I’m Actually Learning by Writing This Code

On the surface, this C# project scans:

  • Browser artifacts on Linux
  • Network state (ports, ARP cache)
  • Stores findings in SQLite
  • Generates a forensic-style report

But the real lesson isn’t how to scan.
It’s how operating systems resist you.
By writing this myself, I had to confront:

  • Files locked by running processes
  • Databases in active use
  • Permission boundaries
  • Volatile data disappearing mid-scan

Create an account to read the full story.

The author made this story available to Medium members only.
If you’re new to Medium, create a new account to read this story on us.

Or, continue in mobile web
Already have an account? Sign in
Musa Ndlala
Musa Ndlala

Written by Musa Ndlala

Software developer. Delivering scalable, efficient solutions. CCNP certified(once apon a time), Oracle, GitHub, and automation, Salesforce developer.

No responses yet

Unknown user

Write a response