I just published the second edition of the X-Ways Forensics Practitioner’s Guide. If you use X-Ways Forensics in any sense of running the application, you should get this book.  I can’t say that any stronger than that.  But this post is not about the X-Ways book, at least not completely.

If you want to see the book or buy it, here it is:

In this second edition book, I asked and received contributions from forensic examiners who are X-Ways Forensics users. These contributions were tested and evaluated, and published as a complete section of forensic processes (and war stories) with X-Ways Forensics. This serves several levels of awesomeness.

For one, readers get more perspectives on how to use X-Ways Forensics than just me.  I know some things, but not all things.  Second, these contributors, if they were in a shell, jumped right out front and put their work on the scale to be weighed.  This is a major thing to do, because if you are wrong, you gotta take the hit and then move forward to improve.  But if you were right, that will have validated your previous work as being logically correct.  All contributions were awesome, and now, each contributor has a formally published forensic process using a tool that they know well.  Few things are greater than that in a case when you have published works.  For that, I am grateful, and the readers will benefit.  The contributors also have the right to use their contributions as they wish, whether that be as an attachment to a case report, affidavit, or in their CV.

This brings me to another work in progress (two new book projects that will be ramping up soon).  For one of my next books, I will be asking for contributors in the same manner, for a similar sort of content. My intention is to pull some great forensicators out of their cubicle and into the DFIR community's eye to display their work, their processes, their wins, and their perspectives to share with the community at large.

This takes a lot of guts, but there is such a huge personal, professional, and community benefit when you can help someone else do better and be better by simply sharing.

With that, this next book will be the most comprehensive writings in forensics that I will have ever done, and quite unique is scope and scale.  It will certainly take me a year+ to finish it, but it will be so well worth it.

The short story:

The book is done!

Get it at $20 off during the 100-hour book launch coming up in a few days (but only a limited number of books will be sold in the 100-hour book launch). Free shipping in the USA. International is available to ship, but not free..sorry…

The book will afterward be available for purchase on Amazon (and elsewhere) at the retail price of $69.99 plus shipping.

Get on the notification list here so you don’t miss it:  https://order-dfir.com/optintfu71ito

The longer story:

I used X-Ways Forensics (XWF) a lot, starting from the first version. And somehow, the experience of over 15 years of being an XWF user fit into one book. The neat thing about this book is that any XWF user can go read it and learn from that experience in a much shorter time than 15 years! That doesn’t even count the experience laid out by nearly a dozen contributors* in the book which probably gives this book a century of XWF experience wrapped up in a tad bit over 400 pages.

The intention of this book is that there will be at least one thing that you learn that when you see it, you will forever end an XWF frustration point, and prevent many hours of wasted time for years to come.  That makes any book worthwhile.

I’ll say this as strong as I can: I use all sorts of software.  I don’t have a ‘favorite’ tool, but I do have a favorite collection of tools. XWF happens to be in that collection. For the most part, any of the top forensic tools do a fantastic job and I use them all at different times and on different cases. I use good tools, support good tools, and advocate for good tools, because good tools allow good examiners to do good work.  At best, I am okay at forensics simply because I do not know so much, but the tools help me learn and work.

The only reason that I wrote a book on how to use XWF is because the manual didn’t show me how to use XWF.  This is not a problem with most other tools because many other tools are very intuitive; but not XWF.  Only after learning how to use it does it become intuitive…

For me, I need something or someone to show me how to use XWF (and most other things, too), otherwise I am spending hours trying to figure it out and may end up doing it wrong anyway or never learn the right way. I teach the same way as well...mostly I teach the way that I would like to have learned what I am teaching, not how an engineer thinks the way I should learn.

Books, books, books

This is my seventh book authored with my name, plus one fully ghost-written** book, several ghost-written chapters in other books, plus tech editing a half dozen other books. Three of my seven authored books were published under a publishing house, four with self-publishing, one in the second edition, another to be in a second edition in 2023/2024, and another due out in 2023 with a fantastic forensic expert and co-author.

For this edition, the book is more than 150 pages longer than the first edition, includes content not in the first edition, and has a dozen contributors who gave either an XWF war story, told one of their processes in how they use XWF, or contributed information on their X-Tensions or third party tools. The tech editors, Troy Larson and Michael Yasumoto are awesome.  For those who get a copy of the book, you won’t want to miss Troy Larson’s bio. If you know Troy or of Troy, the bio will make perfect sense and is only missing a shark laser pointer.

The XWF/2E started in 2005 when I was struggling with X-Ways Forensics. I struggled enough that my partner-in-crime (so to speak) and I arranged for the first ever X-Ways Forensics course to be hosted in Seattle, Washington. I will go as far to say that since X-Ways wasn’t giving training up to that point, our frustration with XWF ended up with convincing X-Ways that we’d go so far as host a class, market it, fill the seats, and even cater it if that would make it happen.

I’ve used X-Ways Forensics ever since, taking lots of notes, auditing more training, teaching what I learned at various places, and banging my head along the way. That was the impetus of the first edition: take my pain of learning XWF and write it down so others can learn faster. 

The first edition eventually became outdated

Emails started rolling in asking for a second edition. Lots of emails. This was bound to happen because the first edition was outdated to the point that functions moved around or were removed or added to the point that the book didn’t work.

Unfortunately, the publisher didn’t want to approve a second edition as the first edition was still selling well enough to not justify replacing it, even though it was outdated. Writing a book through a publishing house means the author is simply a contract employee writing for the publisher and has no ownership of the book or content other than a commission of sales (royalties).

I then had a 2-year process with the publishing house and my attorney to regain the copyright from the publisher so that a second edition could be (self-) published. This is probably a story to tell in more detail another time in how to get your copyright back from the words you wrote that the publisher owns.

And now you have the second edition, with more content, better organization, and with contributions from a dozen XWF users.  This gives you a dozen different perspectives of how XWF is and can be employed, all from one book.

You most likely have the same reference books on your desk that I have on mine, with dog-eared pages, highlights, notes, and worn out spines.  This is one of those kinds of books.

*Amazing contributors include Michael Yasumoto, Mark Burns, Derek Eiri, Yuya Hashimoto, Alexander Kuiper, Chad Gough, Craig Bowling, Jeffrey Meissner, Erinn Soulse, and a few others wishing to be unnamed.

**Ghost-written, as in, I wrote it for someone else’s book, but in their name, under contract to not give my name.

I lived a double life for a decade. I have now been away from that life for more than a decade and feel (a little) more comfortable talking about it.

Not long after I left military service, I went to work as a patrol officer in a suburb of Seattle. When I thought the best years of my life were the years in the Marines with the best group of people that I ever met doing amazing things, I entered a different sort of life with more great people doing amazing things in police work.

Side note: I worked with idiots too, both in the military and police world, and in both cases, they were the ones who put my life in danger more than any criminal or enemy ever could.

Here’s my police career in a nutshell. I was in patrol for a few short years, which included riding a bicycle. Don’t laugh. Bike Patrol was AWESOME!  Not being responsive to a radio allowed me to run amuk around town and find some dangerous criminals, some of the worst sort. I did other things too on a part time basis, like SWAT, use-of-force instructor, and things like that.

Then I applied to be a narcotics detective!

I didn’t get selected.  Someone else got it.

So, I waited until for the next opening and applied again. This time, I got it.

That is when shit started going south, as they say.  In less than 2 years, my partner and I seized more dope than the entirety of my drug unit seized in the past 20 years.  We seized that much more cash too. And that many more cars too.  Later seizures included a semi. And a plane. And boats. All with the arrests and cases to back it up. I was doing undercover buy busts, buy walks, meet and greets, surveillance, and everything else you can imagine with “crack heads”, “cranksters”, and all sorts of dealers. I was buying kilos of cocaine, working the DEA, FBI, USSS, ATF, and other alphabet soup agencies, all while being a little city PD detective…

In two years, I was in a state task force and working bigger cases. For those who understand how teams work, this task force was in a perpetual state of “storming”, so that sucked in more ways than you can imagine. Incompetence was the norm and on no less than a dozen occasions I was in more fear of being killed by incompetence of police than the criminal organizations that I infiltrated.

Two years later, I was drafted to a federal task force that virtually took the types of cases that I had started in my state task force and turned it into a laser-focused-federal objective. I’ll get into that with more detail sooner or later. During the next years, which turned out to be my final years in law enforcement, I traveled nationally and internationally doing undercover work with outlaw motorcycle gangs, Asian organized crime, and Mexican cartels. I was running informants across the country, initiated a dozen OCDETF cases on my own that were eventually managed by DHS, ICE, FBI, DEA, and the IRS.

I worked undercover for foreign agencies, one of which, again, had not only incompetence, but corruption with the very international criminal organization that I was undercover in….

Dozens of stories of having a gun stuck in my gut, followed home, investigating high level organizations where the children of my targets were in the same classroom as my kids, nearly being shot mistakenly by police, and getting the “once you are in, you are never getting out” talk by those that I was investigating while undercover all led me to getting into digital forensics.  I figured a computer would never kill me...

My double life involved my wife and kids. Now, my wife is amazing. She was a Marine wife. An army wife. And a cop’s wife. Growing up, my kids were amazing (they are even more amazing now!). My double life had me a husband and father at home, while at “work”, a drug dealer, and an arms dealer, and a human trafficker, and a hitman, and a money launderer, and a trafficker in stolen cars, and a smuggler, and eventually, involvement in “national security-type” investigations, that involved other types of assoCIAtions.   I trained my wife and kids in reacting to danger, reacting to me being confronted in public by criminals, and other reactions that families shouldn't have to be exposed to learning.

The point of this story

After being asked more times than I remember to write these stories down, I finally decided to podcast them. I am starting with some cases a little distant to me, and only the ones where someone was convicted. There are plenty of non-convicted criminals that I investigated but never filed the cases for one reason or ten others. For them, I hope they all turned a corner and are living an honest life. Some however, I know never will.

My podcast is behind a paywall because I’m a bit of a paranoid person, and if someone wants to hear these stories…well…I’d rather keep the audience a little smaller than the entire planet..

If you are interested, I'll be on Patreon.  I'm even going to do some live video chatting to talk about things that I don't want to put down on paper or in a podcast...the cool thing about these stories is that only one is under an NDA :)

The really funny thing is that you won't be the only ones hearing these stories for the first time, because my wife and kids will be hearing them for the first time too.  Little did they know that not only could daddy help mommy with housework, but he was flying armed and partying with people who killed people for a living.

Update: Some former and current narc buddies want to write a book with me about undercover work. With that, no time for a podcast as I'll trade podcast prep time with writing time!

Today, I posted on social media that my posts about not being censored were not censored. Obviously, the posts were not (yet) censored. But if they had been censored, no one would have ever known. That was the point of the posts.

Twitter did not #censor this tweet.

— Brett Shavers 🙄 (@Brett_Shavers) January 29, 2022

There are two major events happening world-wide that affect you directly, personally, professionally, and profoundly: 

1. Your access to information (ie: increased censorship)
2. Other’s access to your information (ie: decreased privacy)

When your access to information is blocked, banned, eliminated, or restricted, you will be uniformed. If the information that you are allowed access has been manipulated, you will be misled. With either scenario, you have no control of what you think, regardless of what you think.

Were you manipulated in 2012?

If you were on Facebook in January 2012, you were probably one of the guinea pigs in Facebook’s experiment in manipulating you to either be happy or sad, without your knowledge or consent.  The bottom line of the experiment was that you can be manipulated through the control of information, by a private company no less….

And of course we know now just how much Facebook has mined not only our personal information, but has algorithms that predict your behavior to the point of knowing when you are going to divorce or go poop.

A little pregnant

Either you are for censorship, or you are not.  When Howard Stern says “I’m against any kind of censorship, really, you know, I really am. I don’t like censorship.  But when you are talking about life and death……,” we have a paradox. It is as if we are saying that we want censorship to prevent censorship. This is no different than banning a book that is disagreeable.

Howard Stern says Neil Young’s threat to pull music from Spotify over Joe Rogan using the platform to spread “fake information about vaccines” is not about censorship because it’s “about life or death.” pic.twitter.com/uBayuzHwaR

— The Recount (@therecount) January 26, 2022

Private is personal

Do you want someone looking through your dresser drawers? You probably have nothing illegal in your socks drawer, but if a stranger were to ask to search your dresser “just in case you have evidence of a crime”, do you want to give consent? 

Your underwear drawers are personal and private, and so should be your emails and everything else that is intimate and personal to you that you don’t want to share with a private company, the government, or your neighbors.

We are ‘a little pregnant’ with this one, too. We waive our privacy in so many ways for a ‘free’ benefit of using a service that eventually there is nothing private anymore.

The future

Imagine if a corporation wanted you to buy their product that you really didn’t want to buy in the first place. With effective and targeted marketing designed to personally manipulate you with information mined from your life, you would most likely be inclined to pay whatever the price for that product, and even stand in line for hours for it. This could be described as “effective marketing” but the more accurate definition would be “manipulated” through invasive, yet covert means, using your private and personal information.

Now imagine if your country wanted to go to war for reasons that were not for true national security. If a corrupt government that controlled all information that you see and given that so much of your personality and behavior is known (like your most intimate and personal belief systems), they could manipulate information to make you feel a certain way. You won’t see censorship. You won’t be aware of your mood being manipulated. You will believe what you are led to believe.

What then would be the odds that your country would go to war with you waving the flag in one hand and carrying a $1200 iPhone in your other hand?

Two things that set you apart from other practitioners are (1) what you know and (2) what you can do. In this litigious world where courts (and corporations regarding internal matters) rule on evidence, the rulings are usually based on a “person.”  By this, I mean that the ruling body, whether the court or corporate makes their decision by trust of a person that what that person said or did was true and relevant to the case at hand.

Disclaimer! 

I have personally witnessed where ruling bodies (legal or corporate) made decisions that were completely unexpected! I’ve seen where an expert opinion would have made a huge difference in a case, but a judge rule that an expert opinion is not necessary. There are cases where a witness will be disallowed because the witnesses simply asked to be excused from testifying because they were “too busy” or “too important” to testify.  I have seen “conflicting testimony” that could otherwise be called boldface lying (perjury under oath!) without any consequence. In other words, you might be the best, but might not be allowed to be the best.

Don’t hinge everything on my disclaimer applying 100% of the time. You can only be sure to keep doing what you should be doing in your preparation of laying down facts and opinions when called upon.  One way to look at this is that DFIR work is a competition.  Your peers will judge your work. Your organization will judge your work. A judicial body will judge your work. And your opposing expert will judge your work. The better you get, the more judgmental people become, and the more you need to be prepared.

The most important thing to know

Only you will document you the way you need to be documented because only you will be putting words that you say and write on the record.

Document what, exactly?

This is not about your resume, and this is not about your CV.  This is about creating and maintaining your record of what you know.  Here are 10 tips to get it right, save you time, prevent unnecessary stress, and stand apart from other DFIR practitioners.

Write it down

If you don’t write it down, it didn’t happen. This simply means that if there is no evidence to support that it ever happened, then for practical purposes, it never happened.  That includes documenting the course you completed last week and the one you complete five years ago. Many courses do not provide a certificate of training, for reasons that are beyond me. At least with a certificate of completion, you have a record of the training you completed.

What can you do if you are not provided a record?  First off, consider that there is a record, whether that be an email confirmation, enrollment sheet, or canceled check. Something exists to document that training.  Use the information from that documentation to ‘write down’ your course.

Corroborate it

If you have a cert, keep it!  No cert? How about an email confirmation?  Maybe send an email to the vendor and ask for an email that states the course was successfully completed.  Consider that if you can’t prove it, who will believe it when challenged?

Update it

Keep adding everything relevant to your training record. Everything.  Make it a habit to update. It is far to easy to go through a lot of training, education, and experience and plan to later, only to forget the details.

Validate it

If you were taught something, keep the practice, at least some of it. Keep your notes and practice. You can easily scan to PDF entire student manuals for archival purposes. If you take great notes and ever challenged, those notes will validate that you were exposed to information and validated it with practice, exams, tests, and notes.

Make it Detailed

It is one thing to say you attended Course 123 sometime in the year 2018 and quite another to say Course 123, 32 hours in length, in Washington D.C., with dates of 3/3/2018 through 3/6/2018, presented by Vendor A, instructed by Instructors B and C and the course covered topics 1-9.

Make it Accurate

The last thing you need to do is embellish. There is rarely any DFIR course that by itself doesn't speaks volumes more than embellishing could.  If the course was 5 days and listed at 40 hours, then that is what to document.  40 hours, not 60 hours unless it was 60 and you can show it.

Don’t treat it like a resume

Your training documentation is for you to see.  It is not a resume or CV.  This is your record as a source for your resume, CV, or statement of qualifications. Sure, you can offer it as your training record to support expert qualifications or when asked by a client, but typically, this is your official training record.  Treat it as such.

Don’t rely on your organization to do it (correctly)

Your organization might keep decent training and education records, but if you are going to rely on someone else keeping track, you are doing it wrong.  It is actually the other way around. You use your records to make sure that your organization is keeping track accurately and appropriately. Plus, there will be items in your personal record that won’t need to be in your organization's records.

Use it as a reference

When you write a report and have already documented research on what you are reporting on, refer to your training/education record.  You will have the dates and details of what you’ve done for easy reference.

Include your research (workflows, innovative processes, software, scripts, blog posts, presentations given, courses, workshops, conferences, books read, books written)

Your practice counts.  Your study counts. Your homework counts. If you read a DFIR book, document it.  All of them.  If you take a course online, document it. Almost as important as taking a course is noting who taught it. The perceived value (quality?) of a course is directly related to the vendor and/or the named instructor of that course.  An anonymous presenter of a DFIR subject on YouTube will have a much lower perceived quality view than a topic presented by a well-known vendor or well-known named expert.

Something as simple as a spreadsheet to keep track of your training will save you grief in putting together a CV for court, or a resume for a job, or listing qualifications on a report.  Keep in mind that the important points to track are:

• Name of course/book/class/conference/etc…
• Presenter/author name
• Vendor/company/organization sponsoring or presenting
• Date(s) attended or date published
• Hours completed
• Cert received if applicable
• URL if a YouTube video or video series
• Brief of topic/s
• Anything else of relevance that could be useful to remember later

Of the two things that will differentiate you from another practitioner, this one is the easiest because you just have to document everything to show what you (should) know. For the other thing…you have to show what you are doing based on your actual work.

These are the two things to get you that .5% edge that will set you apart from everyone else.

I had an interesting discussion with a highly educated and self-proclaimed computer-literate professional on the process to dedupe emails.  The interesting part is that I couldn’t believe what I was hearing about his process on how to dedupe files.

https://www.merriam-webster.com/dictionary/self-taught

I’ll sanitize this story to protect the guilty.  So, here is the scenario.

Step 1: Find exact duplicates in a batch of 3,000 emails (.msg format)

That’s it. No step 2 or 3 or 4. Simply find the duplicate emails from a folder of emails.

I know what you are thinking; that you would just drop the files into an app like HashMyFiles (https://www.nirsoft.net/utils/hash_my_files.html), or maybe even get fancy by creating a case in your favorite forensic suite and adding the emails as evidence items, and output a formal report which would add maybe 5 or 10 minutes to the process.

Either way, the total processing time to find the exact duplicates would take about a minute.  Here is where it gets a little interesting. The process that was described to me was way more elaborate. It went something like this:

1. Import the emails into MS Outlook.
2. Print the inbox.
3. Compare the titles of the printed inbox against emails in a folder.
4. Export the emails to a spreadsheet.
5. Use Excel to remove duplicates.
6. Visually compare each email in the spreadsheet against the emails in a folder.

The time spent deduping emails this way took 60 hours, and strangely, the IT pro was bragging about how long it took.

Speed test!

This is what it looks like when compared to using a free file hashing utility.

This would be fine if there were no resources available to know otherwise, you had no training or education in technology, you were physically unable to ask anyone for advice, and you had never been exposed to file hashing before. However, in this instance, not a single resource was used. The IT professional didn’t use anything that was taught formally in either the BS or MS degrees, nor from any of the  CompTia courses completed, didn’t ask anyone how to do this, and didn’t even search the Internet to see how to find duplicate files. That might normally be ok, but not here.

The problem is that this IT pro intentionally didn’t ask for help or search online for a process and boasted that “this is the way we do it in this field do it; by being self-taught.” With that statement, I figured that if one person thinks this is the right way, maybe others do too, therefore, this post needs to be written.

There are many right ways to self-learn. This was not one of them.

I am a big believer in self-learning. We learn better when we learn information on our own. It is as if we discovered the information, therefore we “own” it and can be proud of it. But there is a line between self-learning and simply doing it wrong, and worse, doing it wrong on purpose.

Being self-taught means that you first look for the answers (or the processes) that others have discovered.  You can modify and improve upon processes that exist, but you use these as a starting point of self-teaching.

An analogy

I once built a motorcycle from the frame up. I had no idea of what I was getting into.  This was years before the Internet, so my only resources included a friend that knew a lot about motorcycles and my local library. It took me a summer to build the bike, but I could not have done it without help from someone who knew what he was doing and the books that I checked out of the library.

Had I not asked for help or researched in a stack of manuals, I would have ended up with boxes of parts for a garage sale. Instead, I had a bike that I fully built myself.

Self-taught means that you learned outside a classroom. It means that you used resources available to learn, such as books, Internet searches, and asking others to show you.  Of course, being self-taught includes practice and experimentation, but even that requires some resources as a baseline of where to start.

Excel

It might not be a stretch to say that practically everyone in DFIR is competent with spreadsheets. Excel is a flexible and necessary tool in DFIR to view, analyze, and display data.  But just because you dump data in Excel does not mean that you are using it correctly.

In the example of dumping emails into a spreadsheet to find duplicates when there are probably dozens of applications (free, open-source, and commercial) that can do this task easier and without error, using a spreadsheet because it seemed like the best way goes directly against the meaning of being self-taught.  This would be the same as me buying every nut, bolt, and part of a motorcycle and trying to put it together blindly in order for me to be self-taught in building a motorcycle.

So now, when I hear that someone is self-taught, I have to dig a little deeper to get the details. If I hear that self-taught involved deep research, replicating what others have done, and improving upon what others have done, only then will I believe that the person was self-taught. To do otherwise is to waste time and do the direct opposite of learning.

Self-teaching advocate

Once you become competent in any field, self-learning is what you do for the rest of your career. You will always “self-learn” a process new to you by seeing someone else do it or write about it. Then you replicate it. Eventually, you improve upon it. And if you share it, it will further be improved upon by others.  If you are lucky, you have co-workers who share what they learned with each other, which takes team competence to much higher levels.

For managers, be aware of those who rather learn absolutely everything on their own without some sort of process (research > ask > replicate > improve). Blindly trying anything is likely wasting time and making things worse. It will be a net negative and can border intentional incompetence.

For practitioners, “trying something new” is all well and good, but before spending 60 hours on something, spend 6 minutes to see if what you want to do has already been done before. If it has, then you can replicate it. Use that 59 hours and 54 minutes of time you just saved to improve upon your replicated process.

Leaps and bounds

Do you ever wonder why some in DFIR jump so fast and far ahead of others? It is not usually because they have a higher IQ.  They are smarter tho. They are smarter in the fact that they know to RTFM (aka: research first). With a firm foundation, their experimentation starts at a higher level and propels them ahead as if having booster rockets.

Those who start from scratch and intentionally choose not to do even the barest minimal research not only have no foundation of which to build, but will learn the wrong way to do DFIR things.  This is not only not moving forward, it is moving backward.

The deduping emails story

The end result of the story of this deduping emails is that the IT pro was proud of the time spent as it was an “exhaustive effort”.  Yet, the emails were not deduped because admittedly, the IT pro admitted that he was unsure of some emails being exact duplicates or not, so they were produced anyway (no email was even hashed).  All of this wasted time could have been avoided with a phone call, an ask of someone else in the IT shop, or just one Internet search. Instead, we have self-taught incompetence that wasted weeks of work with a defective work product.

If you want to be entertained, block out 5 minutes of your time at 9am (PDT) on Friday, June 11^th, to see how something so simple as asking for public records turned into a major cluster. I’ll be giving comments in an Open Public Meeting about a lawsuit in which I asked for some public records, they were all not provided, and some have been destroyed.

https://www.norcom.org/event/governing-board-meeting-2-2021-06-11/2021-06-11/

So this team of lawyers has been hammering away at me…

I’ll get into the details of the records in my public comments, but some of the records include a workplace so bad that one employee committed suicide over it, another contemplated suicide, another suffers from PTSD from it, and an independent evaluation determined this workplace to be so bad that he described it as  “workplace violence”.   Then there are the non-disclosure agreements of up to $150,000 of hush money to public employees so that they don't disclose how bad it is! It is as whacky as it sounds.

For simply requesting public records, which anyone in any city, county, or state in the US can legally do, I somehow ended up with a team of attorneys against me causing nothing but obstruction.

Forensics?

What does this have to do with forensics or anything related? That’s a good question, and the answer is quite a bit.  The lessons that I have learned in this case can benefit you in forensics, ediscovery, or even if you want to request public records yourself if there is something of public interest that you are aware of. I’ll talk about that later, but for now, you might want to tune in to enjoy the fireworks in the virtual public meeting this Friday at 9am (PDT)!

Schedule:

0900 Meeting starts.

0902 I speak.

0905 I'm done.

The technical piece of DFIR is not difficult. If you know what you are looking for, and you know how to find it, the work is actually easy. I do not say this to mean that anyone off the street can do this work without training or education. I mean this as in once you are technically competent, the actual work allows you to excel even more so, technically, because it becomes easier.  But this is where a bottleneck holds up progress in the DFIR cycle. The presentation phase of DFIR work is the only piece that turns the most competently proficient forensicator into a little kitten.

The Too Long: Didn’t Read version of this post

If you can’t effectively tell the story of your DFIR work, your DFIR work doesn’t matter, no matter how good you are.

Now for the important details

Since I am a visual learner, colorful infographics and flowcharts make it easy for me to understand a concept. In DFIR, we have lots of these, for which I am grateful. Cycles of this, that, and the other, all showing easy-to-follow workflows.

One problem with an infographic is that the information is generally very minimal. For DFIR, we have many visuals that broadly display a “Cycle of DFIR” as:

1. Create a plan of the work
2. Do the work
3. Evaluate the work
4. Repeat

This is good. Practically every infographic related to DFIR, or the Intelligence/investigative cycles give varying visuals of Wash > Rinse > Repeat.  The one-piece that I see little on is that of the importance of being just competent in the presentation as in technical. And eventually, the presentation is the end of an investigation or response. No case is never-ending. Some are longer than others, but eventually, there is an end of some sort.

Who should be chosen as the best person to present a finding or case?

Every person on your team must be proficient to some extent in the presentation of their interpretation of data. Data can be a single artifact or the entirety of an incident/investigation, and everything in between. Not being able to effectively present evidence nearly negates doing any work at all. Let me say that again: If you can’t tell the story of what you did, then nothing you did matters.

You may have done the most awesomeness of DFIR work in the world, but if you can’t relay the story of that work, it was for naught. This applies to any work. If a police officer makes an arrest of the most violent felon in the community but cannot effectively present the facts of the investigation to a court, then the violent offender might not be convicted and go free. If a forensic analyst finds the key artifact on a storage device but is not able to describe the why and how of that artifact, then that artifact is meaningless along with the effort to find it.

The reason that ‘we’ do not take presentation seriously is that ‘we’ understand what we did. We understand what happened. And we expect everyone else to know exactly what we did without us having to explain ourselves. This is partly due to ego (see my post on ego in DFIR).

Presentation Training

Where are the courses in presentation? How about courses in court testimony? Sure, I have seen one or two over the past decade, but nothing as compared to the technical courses available. Not even close. Yet, every technical training course in the world is useless if the presentation is not up to the same level of competence. It is one thing for a policy to state, “Evaluate the actions taken” and quite another to train and give someone the experience in relaying technical information to another.

The newest and most junior person on a team must be able to present their work to their supervisor or trainer. Expect the presentations to be better over time, and this is up to the seniors to critique the juniors.  An attorney-friend of mine always preferences his questions to me with, “Forgive me, but to make sure I understand what you are going to say, pretend that I am a fifth-grader.” My friend-the-attorney is on the genius level of IQ and knowledge, but he has his ego under control enough to make sure he is going to understand what is coming.

Report writing is presentation?

I’ve not met anyone who loved writing reports. I have seen some do more work to get out of writing a report than the time it would have taken to quickly knock out a sheet of paper with words on it. Report writing is a presentation and should be taken just as seriously as speaking in front of 500 people or the CEO of your organization.

Report writing is also a fantastic training opportunity for junior DFIRers. If someone can effectively get the words on paper, they most likely will be able to get the spoken words out as well. Both of these take practice. It will never be perfect. But it will improve over time. And it will keep improving as long as the practice and experience continue.

Are you in charge?

Train your team to present! You will benefit your team more than you can imagine with just a few minutes at a time. Have a team member write up a half-page of an artifact (or anything) and explain it to everyone. Be sure that every person is verbally engaged in debriefs and evaluations. Encourage and require every person to present their work, their opinion, and their suggestions in both a written and spoken format.

Your team will grow by leaps and bounds when every person can articulate their reasoning, their opinions, their findings, and their conclusions. If there is one person that cannot do this, you have a weak link that will minimize the work of the team, regardless of how technically competent that person may be.

Motivating your team

Sometimes you may have a team member that does not see the importance of being able to explain effectively. Expect it. They simply don’t care that someone else doesn’t get it. This is your weak link and one way to motivate someone who doesn’t want to present their story (ie, their work), is to require it. I’ve not met good senior leadership who wouldn’t take a few minutes out of their day to help their organization, specifically helping someone in the organization that may need it. With this, I have had juniors who just didn’t get the importance, ultimately get the importance when being told to explain their work to the ‘big boss’ and that the ‘big boss’ better be able to understand the story in less than 2 minutes. Motivation achieved!

Becoming a better storyteller

Speak in front of others. Speak some more. Then when you think you got the hang of it. Keep speaking. If you happen to throw up occasionally, you are on the right track. (see my post on Puking in DFIR). I am speaking at a few events in April, May, and later this year. All are virtual, but the experiences of presenting are just as important to me as the information that I hope to convey to others. There is no point in your career where you don’t have to practice presentation skills because you obtained competence. Competence is like a sinking boat. Once you stop scooping out the water of a sinking boat, it will sink. Same with presenting DFIR information: once you stop doing it, your competence will wane.

When does presentation happen?

Ultimately, at least with a legal or internal investigation, there is a final presentation. This is the last chance to fully tell the story of your analysis. The final presentation should be a culmination of all the other presentations that should have occurred during the investigation to team members.

There are intermediate points in any analysis where periodic updates are given, questions asked, course directions changed, and leads followed. Use each of these opportunities as experience in storytelling as you adjust the story to the varying audiences you have. The same story told to your team will need to be told much differently when told to decision-makers who are outside of your technical world. These are valuable experiences that teach you how to change the pace, flow, and language based on your audience when telling the same story. This is a skill that can’t be bought and more importantly, can’t be faked.

About that motivation

If you are like me, whenever you get a task assigned, or volunteer to do something, tension starts. You want to do a perfect job. You don’t want to make any mistakes. And you over prepare to expect the worst.  This is what happens when you agree to present on a topic. Hours to prepare over weeks for a short presentation. Then checking your presentation. Then research again to make sure nothing changed since the last time you checked your information.

In addition to re-learning the topic, however, is that the experience of presenting will make sure that your next presentation will be even better. So, every presentation that you see someone do, keep in mind that that presentation was probably better than the last one, but won’t be as good as the next one.

I'll be at @NCCC_MA's cyber crime conference (virtually) on April 27.https://t.co/AEmFaRyMEb #DFIR pic.twitter.com/0D7ya0jFuI

— Brett Shavers 🙄 (@Brett_Shavers) April 16, 2021

Come join me and many others this year at the @MagnetForensics
Virtual Summit #MVS2021 #DFIR.

Registration can be found below & YES it's FREE!https://t.co/zECTwOkAp9 pic.twitter.com/IOOXdKWtRV

— Brett Shavers 🙄 (@Brett_Shavers) April 10, 2021

To those who helped me

I will openly admit that I have held some serious grudges in the past with team leaders. I distinctly remember one of my squad leaders in the Marines who ordered me to describe a field mission to my section leader because I didn't put the effort to explain it well enough to my squad as asked.  To be honest, I put no effort in it to my squad as I thought it was a waste of time.  After all, we had been planning that thing all day together....we all knew what we were going to do. That was a painful lesson to learn, but was needed. I used the same lesson many years into my law enforcement career. For those who helped me comprehend the importance of telling a story, I hope to repay that patience of dealing with me with my continuing to help others learn the same lesson.

Tell the story of your work so that it is understood. Decisions are made from it. Your competence is judged by it. And depending upon your job, you could have someone's life, liberty, or livihood hanging on the balance of your spoken words.

I was asked an age-old question via a Twitter DM today:

"Should I pull the plug or image live?"

I thought this was a rhetorical or 'homework' question, because how would I know?  I gave a short answer of it depends on this and that, assuming that the question was being asked generally. But then,

....he messaged that he was standing in front of a machine, onsite, and was wondering which was best...oh my..

Some of the problems

I sincerely did not know which was best because:

(a) I was not there,

(b) I was not part of the planning process,

(c) I have no idea of the case/data objectives, and

(d) I have no idea of the machine configuration.

Apparently, this forensics company had no plan other than to meet onsite and image whatever computers were there...

Some solutions

My only and best answer ended up being:

(a) Make a reasonable decision for today and

(b) Make a plan next time.

The forensic process begins before processing forensics begins

We hear all the time about making plans before starting work. "Work" can be a highly critical military mission or just driving to the office. Both require a plan. The highly critical military mission will have many more details and require more time to prepare than simply driving to work, but both require planning. If you think that driving to work doesn't require planning, then I would assume that you are continually late to work.

If we visualize what "forensic processing" is, we tend to think of things like indexing, running Python scripts, filtering data, and carving data. Rarely do we think of planning as part of forensic processing, yet planning should be considered the number one top tier aspect of every DFIR "operation". Before starting any process on data, you need to make a plan, regardless of your evidence being a 1MB file or 1PB of storage on dozens of devices.

No plan survives first contact

Few things go perfectly as planned, no matter how much time and effort you put into the plan. You would be mistaken to take that to mean planning is a waste of time. It simply means that you cannot plan for absolutely everything, but you can plan for many things, and for those things that were unforeseen, you will handle them on the spot. Having a plan gives you more time to make decisions. More time to think means less chance of rash, uninformed, misinformed, or ignorant decisions.

So the next time my Twitter DM buddy goes onsite, he will have a plan on how to approach devices. Even if the plan is to dead box image everything (ie: pull the plug), having a plan for devices where pulling the plug is impossible or unreasonable (encryption, etc..), can be made beforehand. This reduces time to preserve data, decreases risk of data destruction, and increases success in collecting all targeted data.

No. I am not just talking about pulling the plug

There is not a time that I touch evidence without a plan unless the evidence is unexpectedly placed in my hands. This goes way back to working a district as a police officer. If I saw evidence, I would have some plan of how to (1) identify and preserve the evidence and (2) how to collect it before touching it. Sometimes this would take half a second and on occasion, it would take hours. The same applies to electronic evidence. Do not process it without a plan.

Case failures

Cases can fail by no fault of your own. And they can fail specifically and spectacularly because of you. Personally, I'd like to take myself out of the failure equation with planning and then use the gifts of planning to address the unforeseen circumstances.

Plan for the known to give you more time to handle the unknown.

Practical Benefits

In case none of this makes sense or means much to you, here is the practical aspect to take to the bank: If you were to spend 30 minutes planning your DFIR work (collection or analysis or presentation or etc...), you can save days or weeks over the life of that one case.  DAYS OR WEEKS by spending MINUTES to plan. ON EVERY CASE. Have you ever wondered why a coworker can plow through case after case, doing great work while you might be struggling to keep your head above water? hint...it is not because of being better skilled...

If you are overwhelmed with work (who isn't?), you can mitigate a good portion of that caseload with proper planning. I have seen investigators drowning in a heavy caseload for the sole reason of failing to plan anything on any case. At some point, it is obvious that an investigator is the bottleneck in cases being late or unfinished because the investigator, or analyst, chooses to not plan.

Side note: I asked permission to blog about this from the person who DM'd me with a promise of not disclosing the name of the person or company.  I think it important to share past errors to reduce future errrors.

We are of a curious mind, we the forensic examiners, private investigators, OSINT professionals, and journalists. Our work is for the public good, and we are skilled in the effective wielding of the most powerful weapon on the planet: INFORMATION!

We are experts in searching for it. Experts in interpreting it. Experts in sharing it. Experts in creating it. Sometimes, we are completely inept, or even malicious in handling it and totally screw up.

Ethics matter

Ethical behavior not only keeps your reputation solid but also keeps you from being sued or jailed. The cancel culture falls into a category of ethics, where if an infosec professional engages in canceling a person on the Internet, they are (in my opinion), the epitome of being unethical by wrongfully turning legitimate OSINT into the Baseball Bat of Internet Mob Justice. Ethics matter. The truth matters.

A recent example. Welcome to 2021.

Refer to the story for details (https://patch.com/illinois/chicago/trolls-wrongly-accused-retired-firefighter-capitol-riot-murder). In brief, an unidentified person (Figure 1) suspected of murder was misidentified (Figure 2). The identification was based on a posted image of the actual suspect in which OSINT was most certainly used to find a similar image online. The OSINT worked to find a similar image, but the verification of the match by the finder failed as did the action taken afterward. Rather than forward to law enforcement to verify, an Internet mob piled on an innocent person.

Could it get any worse? Sure. Once you blindly jump feet first into a rabbit hole, everything you come across that you believe to be true will become collateral damage. Even in this example, the innocent son of an innocent victim gets drawn into the wrong accusations. This may not seem to be a big deal, but the careers and reputations can be permanently damaged. Friendships, family, promotions, and even careers can be lost on a false allegation! It is so so easy to prove yourself correct if you are hellbound to do so, even when everything that you find is false but perceived in a way to support your belief.

An older example. Back to 1996

An older example from 1996 is the Richard Jewell case. Refer to the story for more details https://en.wikipedia.org/wiki/Richard_Jewell. Again, this was another misidentification, and Internet pile up that resulted in an innocent person’s life is forever turned upside down. This one was so bad that a movie was made out of the story. There are plenty of other misidentifications that you can find online or unluckily be involved in. Misidentification is not new. Law enforcement has had its fair share of accusing and arresting the wrong people for the same reason that Internet mobs have made: failure to verify and corroborate.

Did I somehow forget that I dated Nicole Brown Simpson?

Part of my incredible year of 2020 was getting a phone call from a reporter. I get calls from reporters on occasion, but this one was totally different. The reporter asked if I wanted to give him a statement before he printed an article about me having an affair with Nicole Brown Simpson in 1993.

First off, this didn’t happen. My shock was how could I be accused of something that I didn’t do by a nationally recognized reporter? Second, I immediately had visions of being splashed across the Internet of having an affair with OJ Simpson’s wife! My wife would not be pleased….

The details on this story, as told to me by the National Enquirer reporter was that he was holding photos of me arm-in-arm with Nicole Simpson in Cancun or Cabo San Lucus (I forgot which he said) in 1993. I told him that he has the wrong “Brett Shavers” but his response was that his ‘database’ was correct. I suggested that he not print the story because it is false, but if he did print it, to let me know because I’ll see what crazy mileage I can get out of it, mostly to write a blog post about it.

Then it got a little weirder. I told the reporter that I was in my first year of patrol in a police department during that time and I probably wrote a ticket or made an arrest on the alleged date of the photo, didn’t take any vacation that year, and married (my wife would certainly know if I flew off to Mexico without her and our kids!).

The reporter’s first reaction: “So you’re telling me that law enforcement was involved in her murder?!?”

So now you have a reporter who accused the wrong person and immediately created a conspiracy that law enforcement was involved in a murder and ready to write a story about that.

All I said was that he needed to check his sources and verify and that if he printed the story, I’d prove it false and go from there. By mere coincidence, I had a dated photo of me from a local newspaper from that time frame. I emailed it to the reporter and I think the reporter accepted that I looked much different from the person in the photo that he had. The more I think about it, that probably means that the guy with Nicole Simpson was better looking than me....

The point of this story is that anyone can be falsely accused by anyone for anything, and once the Internet dogs of war have been released, irreparable damage will occur. On top of that, this reporter was so dead set that I was the Brett Shavers that dated Nicole Brown Simpson, that he immediately jumped to a conclusion that since I was in law enforcement at the time, that law enforcement must be involved in her murder!  I do credit the National Enquirer for actually double-checking and finding out that they had the wrong person. Of course, if they printed their photo, my photo (backed by a local newspaper) would prove it to be false. Still...don't do this!

Unleashing the Internet dogs of war!

One thing about mob rule is the lack of personal, moral, and legal responsibility. It is quite easy to create a passionate stir, lead a group of people to the edge, incite emotion, and nudge the group over the edge into an all-out attack while at the very same time, avoid responsibility for causing it, especially if done anonymously. This is not ethical.  The Baseball Bat of Internet Mob Justice does not stop. It does not think. It grows and beats the victim until nothing of substance is left.

The anonymous and double-anonymous complaints

Here is something that happens commonly on the Internet:  “I will not name this person, but they are (name a group that this person belongs to) and they did (name the social norm violation).”

This type of accusation demonizes an entire group of people for committing some violation of a social norm, and now everyone in that group is now suspect. Any person speaking up in that group will then call attention to themselves and be misidentified as the violator. Additionally, it doesn’t solve any problem and most importantly, the claim cannot be verified or disproven.

This is not justice in any sense of the word. Quite the opposite and worse when the complaint is anonymous. Even if the offender is identified but the complainant is anonymous, the offender has no way to face their accuser. Yes, I know the Internet is not a court of law, but as we all know, the court of social media is sometimes harsher than any court of law ever could be.

How does any of this apply to us?

The Digital Forensics/Incident Response field is primarily investigative in nature and as such (1) be aware of your personal biases and beliefs, and (2) take measures to keep your personal biases in check. It is far too simple to let an internal bias affect your judgment, which affects your investigative/analysis plan, and ultimately affects your conclusions.

Society does not need a law enforcement officer who has a bias against any specific or general group of people, as that bias will negatively affect the community at large and wrongfully targeted individuals.

Society also does not need unethical people who work in ethical fields to wrongly accuse others because of internal biases, beliefs, or false conclusions to what they believe to be true. Any one of us can go down rabbit holes of “investigating” someone or some event and lead ourselves down the wrong path because of preconceived beliefs, failure to verify information, and a determined mindset to prove ourselves right rather than find the truth.

Professionalism in this field requires us to be professionals to be trusted and have our word to be trusted. That doesn’t mean a stiff personality, lack of humor, no personal opinions, or being impassionate. But it does mean being fair and impartial, and also maintaining the appearance of being fair and impartial.

Best investigative method to prevent this from happening to you

Follow the evidence. Disprove that which is false. Prove that which is true. Confirm, verify, corroborate.

In my law enforcement career, I have seen a few examples where investigators did not do this. In one example, a search warrant was served on an innocent family’s home. The warrant was served by SWAT (I was not on the team at that time), but SWAT was innocent. They only served the warrant as written by the case investigator and signed by the judge. The investigator failed at the most basic task of verifying an address. The address on paper wasn't even close to the physical address. I’ve seen this almost happen in another warrant service, but fortunately, I was aware of the real address and stopped the warrant from being served while the team was AT THE FRONT DOOR! Again, this was an instance of not verifying information.

In every instance (there are more!), verification was not done. Investigators had a belief and followed only the evidence that supported their belief. When an investigator does that, every single time they will prove their beliefs to be right, when factually, they were wrong. This never ends well.

All of us are prone to making mistakes with assumptions. Unfortunately, there is not much accountability when this happens with Internet allegations. Reporters may falsely accuse someone, ruin the person’s life, and the only accountability is publishing a correction article. On the Internet, people delete their posts and walk away without care that the Internet remembers forever.

On the Internet, accusations can be made, even anonymously, spread through the Internet like a virus, and even if proven to be false, no accountability to the accuser when destroying someone’s life. We need to be better than that, and if any of us falter, others should take the care to gently remind to take a step back, breathe, and verify before releasing the dogs of war online.

**side note**

I was "OSINTing" the reporter while on the phone and verified his name, number, email, and other information.

Who really reads the Terms of Service anyway?

Are EULAs and TOSs intentionally designed as multi-page, single-spaced, 4 font, legalized writing to confuse users or simply to dissuade users from reading past the first paragraph?

A few highlights from Instagram

Translated: All your content is ours. We do with it as we wish.

Opinion: You create it, Instagram/Facebook will make money off of it with no compensation to you. This is the model of how “free stuff on the Internet” works.

Translated: We have access to your camera, I mean “Instagram’s” camera.

Opinion:  They haz your phone camera.

Translated: Instagram keeps track of everything that you do on their platform, including the use of their camera.

Opinion: Sure. I get it. But this would be like a car rental company keeping track of every place you drove the car that you rented. Car rental companies probably do that too…

Translated: Instagram collects data about you even when you don’t provide it.

Opinion: Do they mean private messages too? Sure. Why not.

Translated: We gonna map out your network.

Opinion: Yikes!

Translated: Everything. We take everything.

Opinion: For the love of all that is good and holy! This looks like a digital forensics examination (and I mean “digital exam” as a “digital prostate exam”.

Translated: In case you didn’t get it earlier, we take everything, even that which is not on our platform.

Opinion: Instagram/Facebook is a third-party data collector that takes your data from another third-party data collector which probably takes your data from another third-party data collector. All to be curated ultimately by Facebook/Instagram. You don’t even need to have a Facebook account!

Translated: We know what is best for you. This might because we know everything about you or because we want you to behave a certain way and believe in what we want you to believe in.

Opinion: When you want to see a movie, you might want to ask a friend or read reviews, but you don’t have to. You can simply choose to see or not see a movie. Facebook/Instagram requires that you agree to be pushed toward groups that they want you to join. Kinda like getting jumped into a gang that you didn’t think you wanted to do, but got pushed into it by the local gang bangers.

Translated: We know everywhere you been, exactly where you are now, and can accurately predict where you will be going next.

Opinion: This is life on IoT and our addiction to “smart” devices. And we must agree to it in order to use ‘free’ services.

Translated: Ha! We haz your biometric data too!

Opinion: Facial recognition is one of the security features that we have to give up, but is something that we can’t change like a password.

Translated: Not only do we see what you search for, but we keep that, just in case…

Opinion:  Forensic peeps know this. Anything you type online is there for everyone to see, even those you don’t want to see it, potentially forever.

Translated: We not only take, curate, analyze, and store your information indefinitely, but we will share it around the world to our “partners”.

Opinion: Who are the “partners” and WHY DO THIS?!?

Summary

Free is not free.

Social media platforms are like leopards stalking dinner. You don’t see the leopard. You don’t think anything about it. And you don’t care that tidbits of your Internet activity are being analyzed by humans, ML, and AI. By the time you realize how much private data is gone, it is too late to much about it. Presumably, this is all for a profit motive, in which you make none. Worst case scenario is a nation-state obtaining this immense data. But that would never happen..

update: This from Twitter, best visual of EULAs that I have ever seen.

https://t.co/uYXup8iEdE

— #StopTheStupid! Goat (@bill_e_ghote) December 26, 2020

I read an article that China used technology to spy on users via their phones (https://www.theguardian.com/us-news/2020/dec/15/revealed-china-suspected-of-spying-on-americans-via-caribbean-phone-networks). 

Here is my white paper analysis.

#1 - If a device has connectivity with at least one other device, it can be,  has been, or will be compromised.

#2 - If a device has the ability for connectivity with at least one other device but isn't connected yet, see #1.

#3 - If a device is airgapped from any other device, it can still be compromised.

#4 - If a device has a speaker, someone you don't know can hear you.

#5 - If a device has a camera, someone you don't know can see you.

#6 - If one nation-state is monitoring your device, probably another one is too (maybe your own government!).

The good news is that criminals are more easily identified, tracked, arrested, charged, convicted, and incarcerated.

The bad news is that every bit of your life is logged somewhere, by multiple entities without your consent or knowledge.

Question I received: How long does it take before I can expect to get into a DFIR career?

Answer: It depends!

It depends on your available resources + available time + motivation to learn.

Meaning

The more of each of these that you have, the faster it will be. A lack of resources (software/hardware) means scraping together machines and free/open-source tools. A lack of time means squeezing in minutes here and there over a longer period of time.

A lack of motivation is the most important factor because, without motivation, you will never make it regardless of your available resources. Period.

Motivation

By the same token, motivation is the biggest factor to make up for a lack of resources.  Do not ever underestimate the power of motivation.  The sheer force of drive. The unstoppable energy of determination.  If you are driven to succeed in face of anything, then you will make it. It does not matter where you start from, age is irrelevant. Education level meaningless. Socio-economic background means nothing.

I say this full well knowing that someone with a high education or "elite" status in society with unlimited sources starts farther ahead than you or I. I say this because without motivation, resources are useless and any success is limited and a dead end. With motivation, there is no limit. You will have to work harder.  Study more.  Endure stress and keep moving forward against friends or family advice to quit. Others will appear to effortlessly pass you by. Everything will seem more difficult. And it will be.

Keep the pace

It is one foot in front of the other. That should be your focus. Your goal is not to master the entire registry at the same time that you have a goal to master Linux logfiles.  Learn a registry concept. Then a registry hive. And a key. One step at a time.  As long as you keep moving forward, you will move forward.

Mentor

Find one. Follow your mentor. Know that your mentor, whether you ever met or communicate, has gone through exactly what you are going through. Maybe they had an even more difficult time with circumstances you'll never know. The best mentor is the one that motivates you. It is the person that you know will pull you forward as long as you make the effort to make the effort.

An example of making the effort

When I was a much younger Marine, I had an aptitude for humping a pack (ie; long, forced marches carrying a heavy backpack).  I had the same pains as everyone else, blistered feet, sore back, muscle cramps, and lots of sweat! But I would never quit and never quit putting one foot in front of the other.  A new Marine behind me on one of the marches didn't do so well, but he tried.  So on a really long hump, I told him to grab ahold of my backpack straps (the straps that you use for your sleeping bag). I said, "Hold my straps and as long as you keep walking, I'll help."  The secret was, I didn't pull him at all, but he kept going. He learned that as long as he worked and did his part, he'd be able to keep up.  He never really needed to hold my straps that day, and he only needed it for a few minutes that he could do it. He just needed to know everyone goes through the same pains and understands, but if you do your part, everyone is there for you.

You are next

Know now that someone is going to look to you as a mentor, if not already.  You won't know who they are, but they are watching you. They are hanging on your every word.  They are inspired by you. They are motivated by you, all because they know you made the effort and didn't quit. There are more than a few peeps in DFIR that I watch like a hawk because they inspire me every day. On the days when I don't believe that I know enough, I fall back on my mentors and their work. I fall back on those who give a little of themselves by sharing, and speaking, writing, and teaching.  Do not be surprised that if and when we meet, I tell you that you inspired me.  You never know when something that you did or said made a difference to someone else who is also swimming in the ocean of DFIR information, trying to figure it all out. 

This thing we call "DFIR"

DFIR (Digital Forensics Incident Response) is simply one small part of the Information Security world (or cybersecurity). There are many sub-fields, cross-fields, and related fields, but none are DFIR. The people in DFIR are awesome. Infosec is one thing, but DFIR is something all by itself. I look at DFIR as the Green Berets of Infosec (or Navy SEALs, or Marines, or SWAT...take your pick, but you get the point). In those communities, everyone pulls more than their own weight. They work to excel in their respective expertise. They help each other. They work as team players. For this, DFIR has advanced and advances in skill and knowledge beyond practically any other field.If you are new to DFIR, welcome to the family.  If you have been here a while, be sure to hold the door open to the new folks. They bring a whole new world of motivation, innovation, and drive that benefits us all.

Let me dispel your notion of what an “expert” is. An expert is someone who has more information than you. That’s it. Imagine being stranded on a deserted island with a group of people and only one knows how to fish. That person just became an expert on fishing.

The legal expert

There are legal definitions of an expert geared specifically toward testimony. In short, experts can give their opinions (interpretations) of facts in testimony, while every other witness can only testify to the facts obtained by first-hand knowledge. There is an exception of a lay opinion, but let’s stick to the high level for now.

Without getting deeper into the legal aspects of a court expert witness, everything below directly benefits becoming a court expert if you ever choose the path of the expert witness.

The community expert

The community expert is the person who knows more than most of their community. In DFIR, this would be the person that could probably be a legal expert, but not necessarily so. It may be someone who writes amazing forensic software, teaches at conferences or courses, writes and shares their work, and all the while, never going to court to testify as a court expert witness.

We have a lot of these experts in the DFIR community, whether they know it (or like it!) or not. We look up to them and glean as much information as we can to improve.

Who knows what

All of us in DFIR know something that all of us know. Things like, ‘what is a hard drive’ is something that everyone in this field knows. Don’t be surprised to hear that many people outside of the computer field do not really know anything about hard drives.  Within this example, there are those who are experts in hard drives, but as a high-level topic, we all know something about hard drives.

Then there are those in DFIR who know something that we don’t know. There are absolutely more people that know about reverse engineering malware at an expert level than me!  If your level of knowledge and skill of reverse engineering malware is not at the expert level, that does not mean you cannot be an expert at anything else, or that you even need to know anything about reverse engineering malware. We have our niches and thankfully, we mostly have different likes and dislikes!

And there are the things that you know more about than the rest of us in the community. This is where your expertise in a topic can shine.  Focus on this one.

Brett’s tip

Work on becoming a community expert from this moment for two reasons. One, you will grow professionally and personally from the effort, and two, the community will benefit from your efforts. This becomes a cycle of the more you work on your expertise, the more the community benefits, resulting in you having more data to become more of an expert.

What should you focus on? Any topic that interests you!  One recommendation would be to pick an artifact and learn all about it. Learn more than anyone else.  Test your assumptions. Validate your findings. And write about it. Talk about. Share it. Congrats. You’re on the way to becoming an expert in that artifact!  Maybe even the only expert in that artifact.

Another idea could be to pick a FOSS (free and open-source software) and master that tool! Help with its development and testing. Make that tool into a widely used community forensic app and BOOM! You’re an expert in it.

Why do you want to be an expert?

• *  Professional recognition (within your community)
• *  Career (get hired or promoted)
• *  Challenge (self-improvement without concern of others)
• *  Fame (media, publishing, teaching)
• *  Fortune (selling yourself but not literally)
• *  ___________ (your personal reason!)

How long does it take?

Some studies show it takes 10,000 hours to become an expert. Other studies 'debunk' the 10,000 hour studies, and still others write that in 2 hours, you can be an expert.  The thing that is left out in many of these studies is the subject of expertise. A world-class tennis player surely will need thousands of hours of practice to reach near perfection in tennis. As would a musician. Conversely, an information technology professional would need far fewer hours of practical application and testing to master a topic such as building a computer.

There is plenty of research online that you can read on the number of hours that research shows results in expertise. I believe that time is an important aspect of expertise, but absolutely not the only or most important aspect.

How to become an expert

Becoming an expert is simple, but that does not mean it is easy. Simple, as in, all you need to do is study, put into practical use, and know well enough to teach it.  This is not easy because it is work!

• *  Focused study (the learning of foundations)
• *  Diligent practice (the practical application)
• *  Teach others (writing and/or speaking)

Study is the foundation, as you can’t teach what you don’t know. Or more accurately, if you try to teach something that you don’t know, it will be painfully obvious to your audience. Diligent practice is completely different than practice. Taking piano lessons and throwing your fingers around for an hour just to fill an hour of practice is not just useless practice, it is detrimental in learning bad habits. Don’t just “read” a book on your topic: engage in the content!  Do not just test a theory, but deep dive into every aspect of it.

When you think you are ready to teach, then prepare to teach by checking everything you know. You will end up learning more, solidifying what you thought you knew, and now almost ready to teach. I say “almost” because teaching in itself requires practice and time to get it right! The mere act of teaching others does not mean you automatically are an expert. You have to be good at it too!

The road to being an expert

There are checkboxes to keep track of your path to expertise. Here are a few, and within each item there are dozens of DFIR related sub-items to fill the checkboxes.

• *  Publish works in trade publications, peer reviewed works, journals, books
• *  Speak at trade conferences, universities
• *  Research, test, and validate your works
• *  Get interviewed by media
• *  Be awarded grants, awards, fellowships
• *  Spend time in academic study
• *  Spend time with practical applications of your work
• *  Discover, invent, develop processes
• *  Peer review the work of others
• *  Have your work peer-reviewed by others
•  

Factors that affect time to reach expertise

Mentor/trainer/coach/formal education

Figuring out how to ‘do it’ takes much longer than someone showing you how it is done.  Finding your errors is difficult, but easy when someone is evaluating, critiquing, and mentoring you.

Both of my kids grew up with classical piano and violin lessons. They practiced every morning at 5AM. They practiced after school. They practiced a lot. The biggest lesson that I pushed was that it is better to have perfect practice for an hour than a thousand hours of bad practice. Practice makes permanent, and that is a difficult task to undo. Mentors can check your work, critique it, and enforce the drive for perfection over the drive to compile hours of useless work.  Practice does not make perfect! Perfect practice makes perfect.

Hands-on versus academic research

An expert can solely be a pure academic without much (or any) practical application. An expert can also be a practitioner with virtually no academia.  A mix of both absolutely will reduce the length of the path to expertise.

Trying to master everything or one thing

The bigger the pie you want to be in expert in, the longer it will take to become an expert in it. If you want to be an expert in all-things “Digital Forensics and Incident Response”, you may need more than two lifetimes!  However, if you want to be an expert in “Internet forensics” or “prefetch artifacts”, then you can do that in shorter order, certainly within your lifetime and probably within the next 12 months.

Pick your target. Make sure that it is a reasonable goal. Focus on it and work towards it.

Reaching the plateau

There is a plateau, but you don’t want to get there. As soon as you stop learning and growing, you will have plateaued. Any expertise that you gained fades exponentially as time goes by. Choose to plateau when you no longer need the skill that you mastered.  The DFIR field is an ever-growing and dynamically changing field that needs constant upkeep to keep up, let alone excel in.

Sharing is a big part of improvement

The more that you share your work, along with being open to critical responses, the faster you will reach the expertise you are working toward. If you ignore or do not want to accept critiques, go ahead and put that lawn chair out on your plateau, because that is the result of not evaluating the community evaluation of your work. The more open to suggestions of improvement, the more you will improve.

Who is eligible to be a DFIR expert?

This is an easy one. Anyone. Literally anyone with the drive and determination regardless of background or any individual characteristics can be expert in their youth or old(er) age.  It is never too early and never too late. Whew!

You might be an expert already

You might have read through this post and realized that you have already done everything, but never considered yourself an expert. When you realize this, there one suggestion that I have for you.

Know when it is the time to be humble, and when it is time to bring out the expertise credentials, and know when you are an expert.

Your expertise can (is!) the key to someone else learning, growing, inventing, and discovering amazing DFIR things that are waiting to be found. Your expertise can bring the truth into a legal case based on your opinion and interpretation of facts and evidence. Experts carry an enormous responsibility.

There is no shame in being an expert. If for no other reason, become an expert to be more than competent in your job. I don't recommend shouting from the rooftops that you are an expert, but I do recommend acting as an expert when needed. Everyone will benefit, appreciate, and grow from it.

PS. There is no magic formula, cheats, or vitamin that exists to make you an expert. It is all up to you to make it happen!

Almost two years ago, I wrote about burning out in DFIR (“Only race cars should burn out"). I still stand by what I wrote at the time and if you haven’t read the post, take a read of it to maybe get a tip or two that could be helpful for you or someone you know.

I want to peel back one aspect of preventing burning out that some take too far, which is not doing any DFIR activities on your personal time. There is a fine line between work and personal time, in that keeping both separate from each other is healthy and necessary. However, that line is different for each person and it shifts back and forth during each person’s career. The more skilled that you become, the less time you need to maintain your skills. I find it difficult to have a bright line that no DFIR professional development using some personal time is reasonable.

The short version

The longer version.

What does this have to do with doing DFIR stuff on your own time?

While in the Marines, I married and my new wife made sure that work and home were separate, and that both lives supported each other. Later, in police work (especially when doing undercover work for years), the line between work and home was still solid, and still supportive of each other.  By supportive, I mean that each life (work and home) had focus during each respective shift, in that, when at work I focused on work and when at home I was an active and involved family participant.  I did my best to avoid working at home and also avoid bringing my family life into work. That was my bright line. Your mileage may vary. Understandably, some things are unavoidable no matter what you do.

Working at home (not working from home)

Working from home is not the same as working at home. By working at home, I mean bringing your work into your home when it should be left at work. You know what I mean…working on that exam or report in your off time, away from work because you “need” to get it done, many times without compensation from your employer.  Doing this on a regular basis cracks open the burnout door. This is working at home when you should be working on home. Any employer who overtly or subtly requires this type of unhealthy work ethic will eventually see the destruction of that employee's home and work life.

Back to those tweets and the competition

I have hired and managed people in the field (and let some go) and although I have never implied or required anyone to work at home, I have fully supported their professional development outside of work hours. This is the difference that I feel is imperative to state. If you want to be a competitive hire, advance in your field, or improve your skills, you probably need to spend some of your off-work time on professional development.

For entry-level positions, it is cutthroat. For higher-level positions, it is cutthroat. For promotions, it is cutthroat. Unless other factors are in play, such as favoritism, every single person competes with everyone else to get the job, the promotion, or even be assigned the “best” cases.  Doesn’t this make sense? Shouldn’t the most qualified person be selected? Of course, it does!

Listening to advice is risky, but necessary. It is risky because the advice may not apply to you and only apply to the person giving you the advice. It is necessary because none of us know what all of us know. For example, you might be told to “never improve your skills on your own time unless your work pays for it”, or that “you should only improve yourself at work”. This might be good advice to someone who already has a high skill level but terrible advice for someone without experience or recently learned skills.

Take advice with a grain of salt. Maybe it applies to you. Maybe it does not. Either way, you won’t know for sure until the results are in on whether the advice was good or bad (for you) after it is too late to change your mind. In the end, we are each responsible for the decisions we make. Even fully taking the advice from any person that results in absolute failure is the responsibility of the person making the final decision, not the advice-giver.

Professional development

When I hear DFIR professionals encourage new or not-so-new practitioners to not improve themselves on their personal time, I take a look at who is giving that advice. Have they not taken professional development, continuing education, or college courses on their own time away from work? Have they not read a technical book in their free time, or paid for books with their own money? Have they not ever turned on a computer to test a theory that popped in their head while at home? Or have they held true to their advice of only improving their skills while being paid at work which resulted in their current success? My guess is that most have spent quite a bit of time in their personal life to at least be competitive enough to create opportunities for themselves.

Side story: I was given a comp registration (free!) to a DFIR conference that I was speaking at a few years ago to give away. I offered the seat to someone that I felt could use it since he worked less than 10 miles away from the conference venue. His agency approved his attendance at the conference to attend on his work time (vacation not needed!) but the agency wouldn’t pay for his meals as it was physically a 5-minute drive from his office. What was his response? He turned down the conference! He said that he will not spend any time or money outside of work to learn forensics because he expects his agency to pay for everything. I found someone else that took the offer..and they paid for their meals.

I tell this story as an example that there are some decisions on how much sacrifice you are willing to make to improve your skills. In this example, it was the cost of 2 lunches and 1 dinner, which he paid anyway since he certainly ate during those days of the conference while he was at work instead of attending the conference .  For him, his line was absolutely not a penny spent from his pocket or second used from his personal time to better his skills.

The point

Know the distinction between:

** Working at home

** Working from home

** Improving your skills in your personal time

** Improving your skills on your work time

There is a time and place for everything. Manage the time. Manage the place. If you have the belief that your employer is responsible for improving your skills, I can promise that you will be stunted in your skill growth.

It is within your personal time that balance is important to manage. If your personal life fails, your work life will not be far behind. Balance results in the exponential growth of personal and professional, while the imbalance in one or the other will wreck both.

Generally, work time is immovable, and you should only work during work time (minus breaks). You are being paid to work, so this makes sense. Good management ensures that you have a good work workload balance.

Your sleep time should be solid too. Some nights might be shorter than others because of emergencies, but again, generally, you need to maintain good sleep habits. This is your responsibility.

But for your personal time, balance is much more difficult! Family time, hobby time, vacation time, and basic free-to-do-nothing time is bunched together here. This is 100% your responsibility to maintain and balance. You can’t increase it without affecting something else, but you can manage the best use of it. Anything you add to it will decrease some other parts of it.  If you add too much, then sleep gets whittled away. Add more and perhaps work becomes negatively affected.  Or if you stretch out work, your sleep and your personal time gets robbed.

You and I both have 24 hours in a day and cannot change it. It is how we fill that time that matters.

Summed up!

You make your own decisions based on the information you have at your disposal. Balance your personal life with your work life. Maintain balance within your personal life with professional development that benefits your entire timeline and does not detract from it.

You can have a career without any professional development and without ever spending a minute outside of work on your competence building. But you can also choose to spend time, as needed and as reasonable, to develop your skills using some of your personal time.