We use cutting-edge tools to uncover the story of what happened on computing systems. This is awesome! But we often ignore attribution, which is difficult. I understand. Digital forensics alone can hardly identify the suspect (sometimes it does!). Forensics gives us the clues, but it's the DFIR investigative mindset that unlocks the answers.  So, why is this not trained in DFIR?

An unexpected revelation

    In 2005, I was invited along with a few FBI agents to give a workshop to academia in Seattle on teaching digital forensics.  An hour into the workshop, one professor stopped me mid-sentence and said;

“It sounds like you expect all forensic examiners to be investigators.”

    I didn’t mean to imply that, but when she said that, I realized she had a good point.  Forensic examiners are investigators.  DFIR work implicitly describes that of an investigator. And then another professor asked a much more difficult question:

“How are we to teach students to be investigators if we don’t know how to do investigations?”

        I didn’t have a good answer but have thought about it ever since and it took me the better part of a decade after that day to put some of my thoughts of a DFIR investigative mindset in my first book. I didn’t have this concept fleshed out much at the time, and my intention for that book was in a large part for that purpose. Placing the Suspect Behind the Keyboard was intended to be a book for DFIR pros to investigate their cases. The second edition of this book is turning out to be much more intense.

        Now, a decade more has passed, and during that time in every forensic training course and college-level program, and every YouTube video, and every book, I have looked for anyone teaching or writing about a DFIR Investigative Mindset. The closest that I have seen are describing the steps of an investigation (as checklists at best), such as securing the scene or dusting for fingerprints. Nothing about the ‘how to think’ and ‘why to think.’  Outside of law enforcement investigations, very little has been written about it.  The few things written around the topic are very high level, academic theories; nothing practical in just how to do it!

I hosted a limited webinar on the topic and the roundtable discussion came to the conclusion that the DFIR Investigative Mindset should be an integral part of DFIR training and education.

Fight me

    Some argue that DFIR is not investigative because we “analyze” (not “investigate) data. Rather than diving into a semantic debate, let's consider this: The distinction between a data recovery expert and someone who can conclude a case often hinges on one's DFIR investigative mindset, regardless of job title.

    Being labeled as an investigator, detective, or special agent isn't required to adopt their investigative skills. Similarly, you don’t need to be a criminal hacker to catch one. You need thinking skills.

This brings me back to the question of how to teach such a thing..

    For those in law enforcement, access to training and on-the-job investigative experience is automatically provided to you. But like anything, it is up to the person to take advantage of opportunities and either learn or not. I’ve seen great LE investigators working alongside absolutely terrible investigators, both being what they were because of what they chose to be.

    Outside of LE, private investigators and corporate investigators have access to non-LE investigative training and have experiences on the private side. Some have experience in the public and private sectors as an investigator.

    That leaves everyone else out!  You cannot get experience investigating a murder without actually investigating a murder. You can’t mirror a great burglary detective without being able to work alongside one. You can’t be taught these skills if those with the skills aren’t teaching them. And available training on how to investigate is not that common, especially when it comes to the DFIR field.

    On top of that, few in DFIR want to even use the word “investigate” in the same sentence as DFIR because it creates a fear of regulation in DFIR by private investigation state rules!  I have seen testimony where an “examiner” flat out stated that he does not investigate; he analyzes data.  This was in a case where he was testifying as a forensic examiner who discovered evidence.

    The DFIR investigative mindset is not just about finding the suspect. It is also about understanding the motivation behind the attack and how it was carried out. This information can be used to prevent future attacks. The DFIR investigative mindset is not limited to law enforcement investigations. It can also be used by businesses and organizations to investigate internal incidents, such as data breaches. The DFIR investigative mindset is a continuous learning process. As new technologies and techniques are developed, you need to stay up-to-date in order to be effective.

Sharing insights and moving forward

    You can learn and you can teach an investigative mindset.  Specifically, you can learn and teach the DFIR Investigative Mindset.  Most importantly, this skill needs to be part of your toolbox of tools. Some are fooled that it is tool competence that solves DFIR cases/incidents. If your DFIR work solely presents data without a story, without a path of how you found that story, then you are only culling data for someone else to investigate.

    Perhaps the most important aspect of a DFIR Investigative Mindset is that of attribution. Yes, I know that a forensic exam most likely will not place a person at the device.  But I also know that a forensic exam can give enough circumstantial evidence to a case that when combined with other evidence, will do just that.

    If attribution is not your objective, then you are just fixing the system.  There is nothing wrong with that and sometimes this is all that is needed for most incidents.  Find the crack, patch it, and prevent the next crack.  For criminal cases, where a victim is due justice, DFIR should take the other path of attribution instead of patching a hole. Otherwise, what is the point?

Keynote of The DFIR Investigative Mindset

    Catch me at TechnoSecurity’s keynote where I talk about this for an hour.  I’m giving actionable steps that you can take immediately and use in your cases. My intention is to shift your brain in the direction of being a forensic investigator and not just a data collector.

Peer-reviewed paper

    Then, catch a peer-reviewed paper on the DFIR Investigative Mindset being written by Dr. Graeme Horsman and me (mostly him….actually, chiefly by him….). This paper will hit on the academic aspects of teaching this mindset.

A training program that covers all

    I’ll have a book out on this specific topic in a few months (alongside 2 other books……….).  But this book most likely will be done first, tech edited by an experienced detective (Lee Harris), and reviewed by several experienced forensic experts. The book isn’t an exercise in academics or theories, but rather dozens of techniques that you can use right now to develop or enhance a DFIR Investigative Mindset.  Even if you have been investigating for some time, I promise you that one or many of the exercises and practices will be key in closing one of your next cases or even a current case.

*The little that I wrote about a DFIR Investigative Mindset in 2013 in the first edition of Placing the Suspect Behind the Keyboard (excerpt is below) didn't talk about the "how" in developing critical thinking, although that was the intention of the entire book. Still, it took a decade of reflection and many discussions with many people to flesh it out to distill into the topic as I see it.

My investigative background may be important to know to get the perspective of where I am coming from with this DFIR Investigative Mindset.  Here goes 35 years worth in a broad stroke: 

* Municipal police officer (city cop!) for 15 years, 10 of which were as a detective (local and state task forces), and task force officer (federal task forces). Attended more investigative training courses than I can recall, from basic to 'advanced'. Worked all sorts of cases from theft to national security matters.  I was a part-time forensic examiner for both my agency, ICE, and ICAC.  Part-time as in the only forensic examiner for my agency. I worked internationally as case agent, co-case agent, undercover officer, wire room, covert A/V installation, informant handler. 

* Managing principal, consultant, expert witness in ediscovery and forensic cases as a corporate employee and private consultant for 20 years.  Cases ranged from petty cash theft (no kidding), employee investigations, and class action litigation.

My perspective comes from the training, cases, and whatever I could gleen from the great detectives and agents that I had the opportunity to work with, one of which had a move made from one of his cases.