In this thing of ours, the world of digital forensics, there is one thread that ties us all together: the truth. All else is malleable.  Processes improve. Technology changes. Laws are added. Training morphs.  But the thing that remains unchanging is the truth.  We must speak it. We must live by it.  We must defend it.

I know that you are thinking that this post is simply reminding you to be truthful, but it’s more than that. Let’s start with this example (keeping politics aside, imagine this being someone in DFIR):

A liar will not be believed even when he speaks the truth.  AESOP

The point of this video is that credibility was lost because lies were uncovered.  I chose it because of the simplicity and public nature of the video. In nearly all other aspects of life, lying can get you promoted, elected, hired, and even married. The ramifications of getting caught lying generally affect nothing more than what you received in return for lying.

In DFIR, lying is different.  Lying, at best, ends your career.  At worst, innocent persons could be convicted or the guilty may go free, and you earn a perjury charge to top it off. Much like staying healthy, being known as truthful is not a box that you can check on Monday and never worry about it again.  Being truthful is a box that you must check every day.  The day that you neglect to check the honesty box and lie in a report or on the stand is the day that all your past truths are now questionable.

Not more than 2 years ago, I peer-reviewed reports where the examiner clearly omitted information in his report to the point that it was (at least to me) written to clear the guilty.  The rebuttal reports and exam showed this intention as blatantly obvious. That is not a good look by intentionally omitting facts.

In another recent case, I observed two (government) witnesses lying under oath. To be honest, I was in complete disbelief in what I heard and read because there was absolute evidence to the contrary. Even the judge was visibly and verbally stunned.

There are cases where I have not been involved in where expert witnesses have lied under oath. This is not uncommon to the point that an attorney client that wanted to retain me believed that all experts are liars. I didn’t accept his retainer simply because he wouldn’t believe a truth from an expert if he heard it since he has heard so many lies.

Tips to save your career

Tell the truth even if it hurts.  Especially if it hurts, tell the truth. Many times, I have had attorneys tell me “I appreciate your candor” in a manner that they didn’t like what I had to say, but they were grateful to hear it.

Distance yourself from liars. This is not always easy, but important.

The essence of a lie is the intention to deceive. - M. Prideaux 

Call out any lie that touches you. If you let a lie that touches you continue undefended, you could be seen as agreeing and supportive of that lie. Some lies may be inconsequential (like a personal matter with someone) that a reply is not warranted. But those lies that affect more than a comment made against you anger needs to be addressed with facts. Imagine knowing that a co-worker intentionally lied to cover up malfeasance or incompetence in a case that you are also working! You will be in the same boat with silence.

I don’t know

On the stand, I cannot count the number of times that my answer was “I don’t know.”  If I did something, I say that I did it. If I didn’t do something, I say that I didn’t do it. If I know it, I say it. If I don’t, I say that I don’t. Filling in the blanks is like filling a hole on a sinking ship with Elmer’s glue.

A strong desire to be right

DFIR seems to draw the same type of folks into the field.  Driven to perfection.  Persistent in gathering facts. Curiosity to the point of breaking apart every bit of data. And a strong desire to be right. These are all great personality traits to have.

But there is a line between “strong desire to be right” and “will do anything to be proven right.” Being right in your analysis is supposed to mean that you did everything possible to corroborate and verify the information you recovered.   “Doing anything to be proven right” means that you did everything necessary to be right even if you are wrong.  One of these makes a great examiner and the other should not be working in DFIR.

Tips to stay truthful against pressures to ‘stretch the truth’

When asked by a client, attorney, or boss if you can simply omit the bad information, your immediate response must be ‘nope.’  When asked if you can stretch the truth, you may want to consider being even more forceful, that you won’t lie, even a little.  This has happened to me on three occasions with three different attorneys.  I fired all three attorneys as clients in each of these cases.

Cutting ties from those who pressure you to lie makes work so much easier. The pressures of any case is more than enough to handle without being pressured to embellish, omit, or outright lie.

If offered any amount of money, consider that this one payment may be your last and that your reputation is eventually going to be mud when the truth eventually comes out.  This kind of offer happened to me once.  I turned it down, of course.

Encourage everyone around you to be truthful. Compliment candor as if it was not common.  Good managers know this. In an environment where mistakes are openly discussed without condemnation, people will (1) more likely admit their mistakes, (2) feel comfortable to talk about mistakes, and (3) will help the remediation of mistakes.

If you can’t help but lie

Find a new career. Some career fields seem to require it.  Otherwise, there is no such acceptance of untruths in DFIR. Zero.