Brett Shavers | Ramblings

Brett's Ramblings

AUG 29

The DFIR Investigative Mindset

Posted by Brett Shavers
in  Digital Forensics

We use cutting-edge tools to uncover the story of what happened on computing systems. This is awesome! But we often ignore attribution, which is difficult. I understand. Digital forensics alone can hardly identify the suspect (sometimes it does!). Forensics gives us the clues, but it's the DFIR investigative mindset that unlocks the answers. So, why is this not trained in DFIR?

An unexpected revelation

In 2005, I was invited along with a few FBI agents to give a workshop to academia in Seattle on teaching digital forensics. An hour into the workshop, one professor stopped me mid-sentence and said:

“It sounds like you expect all forensic examiners to be investigators.”

I didn’t mean to imply that, but when she said that, I realized she had a good point. Forensic examiners are investigators. DFIR work implicitly describes that of an investigator. And then another professor asked a much more difficult question:

“How are we to teach students to be investigators if we don’t know how to do investigations?”

I didn’t have a good answer but have thought about it ever since, and it took me the better part of a decade after that day to put some of my thoughts on a DFIR investigative mindset in my first book. I didn’t have this concept fleshed out much at the time, and my intention for that book was in large part for that purpose. Placing the Suspect Behind the Keyboard was intended to be a book for DFIR pros to investigate their cases. The second edition of this book is turning out to be much more intense.

Now, a decade more has passed, and during that time, in every forensic training course and college-level program, every YouTube video, and every book, I have looked for anyone teaching or writing about a DFIR Investigative Mindset. The closest that I have seen are descriptions of the steps of an investigation (as checklists at best), such as securing the scene or dusting for fingerprints. Nothing about the ‘how to think’ and ‘why to think.’ Outside of law enforcement investigations, very little has been written about it. The few things written around the topic are very high-level, academic theories; nothing practical in just how to do it!

I hosted a limited webinar on the topic and the roundtable discussion came to the conclusion that the DFIR Investigative Mindset should be an integral part of DFIR training and education.

Fight me

Some argue that DFIR is not investigative because we “analyze” (not “investigate”) data. Rather than diving into a semantic debate, let's consider this: the distinction between a data recovery expert and someone who can conclude a case often hinges on one's DFIR investigative mindset, regardless of job title.

Being labeled as an investigator, detective, or special agent isn't required to adopt their investigative skills. Similarly, you don’t need to be a criminal hacker to catch one. You need thinking skills.

This brings me back to the question of how to teach such a thing.

For those in law enforcement, access to training and on-the-job investigative experience is automatically provided to you. But like anything, it is up to the person to take advantage of opportunities and either learn or not. I’ve seen great LE investigators working alongside absolutely terrible investigators, both being what they were because of what they chose to be.

Outside of LE, private investigators and corporate investigators have access to non-LE investigative training and have experiences on the private side. Some have experience in the public and private sectors as an investigator.

That leaves everyone else out! You cannot get experience investigating a murder without actually investigating a murder. You can’t mirror a great burglary detective without being able to work alongside one. You can’t be taught these skills if those with the skills aren’t teaching them. And available training on how to investigate is not that common, especially when it comes to the DFIR field.

On top of that, few in DFIR want to even use the word “investigate” in the same sentence as DFIR because it creates a fear of regulation of DFIR by state private investigation rules! I have seen testimony where an “examiner” flat out stated that he does not investigate; he analyzes data. This was in a case where he was testifying as a forensic examiner who discovered evidence.

The DFIR investigative mindset is not just about finding the suspect. It is also about understanding the motivation behind the attack and how it was carried out. This information can be used to prevent future attacks. The DFIR investigative mindset is not limited to law enforcement investigations. It can also be used by businesses and organizations to investigate internal incidents, such as data breaches. The DFIR investigative mindset is a continuous learning process. As new technologies and techniques are developed, you need to stay up-to-date in order to be effective.

Sharing insights and moving forward

You can learn and you can teach an investigative mindset. Specifically, you can learn and teach the DFIR Investigative Mindset. Most importantly, this skill needs to be part of your toolbox. Some are fooled into thinking that it is tool competence that solves DFIR cases/incidents. If your DFIR work solely presents data without a story, without a path of how you found that story, then you are only culling data for someone else to investigate.

Perhaps the most important aspect of a DFIR Investigative Mindset is that of attribution. Yes, I know that a forensic exam most likely will not place a person at the device. But I also know that a forensic exam can give enough circumstantial evidence to a case that, when combined with other evidence, will do just that.

If attribution is not your objective, then you are just fixing the system. There is nothing wrong with that, and sometimes this is all that is needed for most incidents. Find the crack, patch it, and prevent the next crack. For criminal cases, where a victim is due justice, DFIR should take the other path of attribution instead of patching a hole. Otherwise, what is the point?

Keynote of The DFIR Investigative Mindset

Catch me at TechnoSecurity’s keynote where I talk about this for an hour. I’m giving actionable steps that you can take immediately and use in your cases. My intention is to shift your brain in the direction of being a forensic investigator and not just a data collector.

Peer-reviewed paper

Then, catch a peer-reviewed paper on the DFIR Investigative Mindset being written by Dr. Graeme Horsman and me (mostly him….actually, chiefly by him….). This paper will hit on the academic aspects of teaching this mindset.

A training program that covers all

I’ll have a book out on this specific topic in a few months (alongside 2 other books……….). But this book most likely will be done first, tech edited by an experienced detective (Lee Harris), and reviewed by several experienced forensic experts. The book isn’t an exercise in academics or theories, but rather dozens of techniques that you can use right now to develop or enhance a DFIR Investigative Mindset. Even if you have been investigating for some time, I promise you that one or many of the exercises and practices will be key in closing one of your next cases or even a current case.

*The little that I wrote about a DFIR Investigative Mindset in 2013 in the first edition of Placing the Suspect Behind the Keyboard (excerpt is below) didn't talk about the "how" in developing critical thinking, although that was the intention of the entire book. Still, it took a decade of reflection and many discussions with many people to flesh it out to distill into the topic as I see it.

My investigative background may be important to know to get the perspective of where I am coming from with this DFIR Investigative Mindset. Here goes 35 years' worth in a broad stroke:

* Municipal police officer (city cop!) for 15 years, 10 of which were as a detective (local and state task forces), and task force officer (federal task forces). Attended more investigative training courses than I can recall, from basic to 'advanced'. Worked all sorts of cases from theft to national security matters.  I was a part-time forensic examiner for both my agency, ICE, and ICAC.  Part-time as in the only forensic examiner for my agency. I worked internationally as case agent, co-case agent, undercover officer, wire room, covert A/V installation, informant handler. 

* Managing principal, consultant, expert witness in ediscovery and forensic cases as a corporate employee and private consultant for 20 years.  Cases ranged from petty cash theft (no kidding), employee investigations, and class action litigation.

My perspective comes from the training, cases, and whatever I could glean from the great detectives and agents that I had the opportunity to work with, one of whom had a movie made from one of his cases.
MAY 08

DFIR is a mindset, not a skillset.

Posted by Brett Shavers
in  Digital Forensics

I recently posted a webinar on the DFIR Investigative Mindset, which is a snippet of a program I’ve occasionally taught internally over the past years. 

I distilled a major component of the DFIR Investigative Mindset for this post into seven words:

DFIR is a mindset, not a skillset.

That is pretty much all you need to know about getting into DFIR, excelling in DFIR, getting promoted in DFIR, achieving your highest potential in DFIR, and hiring people in DFIR. It fairly well sums up what I teach.

There are so many courses that I’ve taken that focused solely on a tool or a set-in-stone process without ever touching on problem-solving. The practical exercises are almost always perfected by the trainers beforehand, and everything works perfectly. Students walk out of classes thinking they know the buttons to push and all cases are solved.

Students then learn afterward that they must be doing DFIR work wrong because of the problems that continually pop up, totally unlike the training!  What they fail to recognize is that DFIR is a problem-solving field. Obstacles are expected to exist in every engagement, to the point where if you don’t have any obstacles, you probably missed them! This is a training failure point. 

I screwed up, a lot

In terms of the number of hours of professional training that I have taken, I stopped counting at 2,000 hours. In none of the courses has any instructor outright said that they made mistakes, make mistakes, or that mistakes are allowed in order to learn. This should be the opposite! 

Side note: I do not advocate making mistakes intentionally so that you will improve! I advocate to try not to make mistakes.  You will make mistakes and errors anyway no matter how hard you try!

Anyone competent enough to teach a skill should be confident enough to talk about mistakes and errors that they have personally made in that skill. Any person who claims to be free from errors and mistakes is not credible to teach, because they have not learned or not tried to do what they are teaching, or are not being honest.

At the Magnet Forensics' summit in Nashville, I crammed two decades of my mistakes into an hour. I could have rambled on for another 2 weeks straight without breaks, but an hour was more than enough to prove a point.

Note: making mistakes and not learning from them means making the same mistakes over and over again. 

.@Brett_Shavers is starting the day off with a story time keynote #MUS2023 pic.twitter.com/ZbqDR7o9k4

— Kevin 🤖🕵️🍺 (@KevinPagano3) April 19, 2023

My objective in this keynote was to have everyone breathe a sigh of relief that their mistakes are okay, expected, and are needed to improve, but only if they learn from the mistakes each time that they will happen.

Kudos to Magnet for allowing such a keynote of errors and mistakes!

If you shy away from talking about or admitting to your mistakes because of embarrassment, I give you permission to use me as the example of having made that mistake already for you. I’ve already copped to it, paid for it, and moved on.  You just need to hop onto my errors and you can move forward too.

Figure it out

I wrote about figuring out problems a few years ago (https://brettshavers.com/brett-s-blog/entry/i-don-t-need-to-learn-just-give-me-the-answer) and I still believe this is the most important skill to have over absolutely anything. If you cannot solve problems, you are worth only as much as you can follow a checklist in a process that never has problems. But if you can “figure anything out”, your value is near priceless.

Practice until you get it right and then practice until you can't get it wrong

Practice does not make perfect. Perfect practice does. With every key that you press on the keyboard, be mindful of what you are doing. Do it better each time. Be aware of what you are doing. You should not be on autopilot when dealing with data in a DFIR case!  Just like driving, you have to be aware of obstacles, distractions, and unexpected disasters just waiting to happen.

When your perfect practice makes perfect, your errors will be minimal, the impact on the cases will be minimal, and you will have good learning experiences. When you are lazy, apathetic, or complacent, your errors will be mistakes and the learning will be painful. That is if you choose to learn from them.  Otherwise, this is a career of constant pain and stress.

The DFIR Investigative Mindset

Through plenty of failures with investigations that I have had, the one thing that makes successful conclusions is being able to figure out solutions to obstacles using whatever means is at hand. That is also how I teach a DFIR investigative mindset, and how I prefer to be taught. Teach me the why and I’ll be able to figure out the how in any given situation.

It is true that the more tools that you have in your toolbox, the more problems you can solve, and the more difficult the problems you can solve. But you need to have an investigative mindset first; otherwise, your tools are as useful as a fish using a hammer.

When your brain is turned into an investigative mindset, you see everything differently. Distractions are blocked, attention is focused on seeing (and observing!) evidence, and inferences scream out to you. To the outsider, this looks like magic when you solve the unsolvable, or solve cases in half the time because you can see the totality of the circumstances and the specifics of an incident.

Practical vs Academic

Everyone who has heard me speak knows that I am not an academic. Although I have taught graduate-level programs, I have never taught the academics of digital forensics (which at times irked schools….). I appreciate academia in giving practitioners incredible information in this field, otherwise, practitioners would not be as incredibly effective as they are today. But as for me, I appreciate practitioners teaching practitioners what they need to do both physically and mentally to do the job and succeed.

Get your brain into a DFIR Investigative Mindset and you can learn anything in this field, do anything in this field, solve any problem in this field, and look like a magician to everyone when you accomplish the impossible.

APR 18

This is an evidence storage device.

Posted by Brett Shavers
in  Digital Forensics

Mistakes in any career field are inevitable. And much like car accidents, the severity of a mistake can range from a simple ‘oops’ to something more disastrous and permanent.  In the DFIR field, errors and mistakes will usually fall in the more serious of the bad results because a DFIR investigation typically involves life, liberty, or the pursuit of happiness being at stake.

The dilemma is that DFIR work must be accurate and true, but we know there will be errors and mistakes.

What about this ‘evidence storage device?’

There is not a time where I touch physical or electronic evidence that I do not pause for a split second and remind myself of what I am touching. This instantly puts me in the frame of mind to focus, to evaluate, and to plan what I need to do with that evidence.

This is no different than any time I touch a firearm. Or drive a car. Or pick up a baby (although, it has been a long time since I held a baby…). Touching anything that can or will have an incredible impact on others or myself is not a simple thing. Seeing a reckless driver on the freeway shows me a person who doesn’t get it and a wreck is in the future. Seeing a forensic examiner haphazardly handle drives shows me that mistakes will be happening at some point in that examiner's case.

There is rarely a training or talk that I do where I do not give the same ol’ advice in the form of a self-reminding statement, like, “This is an evidence storage device.”

An evidence storage device, whether it be a flash drive or a server room, stores evidence.  It is a key component to a DFIR investigation.  Recognizing that you can ruin the investigation by altering or destroying evidence should be the most motivating factor in taking care of it.

Stupid basics?

I dare you to say to yourself, every time you touch evidence, “This is an evidence storage device” and not have that one sentence give you some motivation of care that you didn’t have prior.  This is so basic but essential to preventing mistakes.

Vince Lombardi, when training the Green Bay Packers, began training with his statement of “This is a football” to reinforce that mastering the basics is the magic of the advanced skills.  Lombardi went on to win 5 NFL championships and never had a losing season....due to focusing on the basics.

The intention of saying to myself “This is an evidence storage device” is to remind me that no matter how many times I handled evidence correctly before, today could be the day that I mess it up by being complacent, lazy, or overconfident.

Any DFIR investigation (you might call these “exams” or “analysis”) involves at least one alleged victim. Your duty is to uncover the activity on the devices, which will either prove or disprove the allegations.  When you do this wrong, when you err, and when this happens because of your lack of care, you will be the one victimizing the victim a second time. 

On my desk, no matter where I have worked, I have had a small disk drive sitting on it. On this disk drive is a sentence that I wrote that says, “This is an evidence storage device - Brett Shavers.”   It is a constant reminder to me that any storage device may have evidence on it and I am its care-keeper, its examiner, its interpreter, and its voice.  I am accountable to what happens to it and for accurately telling the story that exists on it.

The next time you touch evidence

Try it.  Say to yourself or say out loud, “This is an evidence storage device.”  See if you feel different.  Question if you look at the device with a more careful and attentive eye than if you simply and robotically picked it up.  If you do, you will have greatly reduced your chances of making an error in that case, because your focus is on the evidence.  Isn’t that where your focus should be?

So, if you are ever asked why you say, “This is an evidence storage device” when you touch evidence, the answer is simply because you want to reduce the risk of making mistakes.

FEB 21

In this thing of ours, the world of digital forensics, there is one thread that ties us all together

Posted by Brett Shavers
in  Digital Forensics

In this thing of ours, the world of digital forensics, there is one thread that ties us all together: the truth. All else is malleable.  Processes improve. Technology changes. Laws are added. Training morphs.  But the thing that remains unchanging is the truth.  We must speak it. We must live by it.  We must defend it.

I know that you are thinking that this post is simply reminding you to be truthful, but it’s more than that. Let’s start with this example (keeping politics aside, imagine this being someone in DFIR):

A liar will not be believed even when he speaks the truth.  AESOP

The point of this video is that credibility was lost because lies were uncovered.  I chose it because of the simplicity and public nature of the video. In nearly all other aspects of life, lying can get you promoted, elected, hired, and even married. The ramifications of getting caught lying generally affect nothing more than what you received in return for lying.

In DFIR, lying is different.  Lying, at best, ends your career.  At worst, innocent persons could be convicted or the guilty may go free, and you earn a perjury charge to top it off. Much like staying healthy, being known as truthful is not a box that you can check on Monday and never worry about it again.  Being truthful is a box that you must check every day.  The day that you neglect to check the honesty box and lie in a report or on the stand is the day that all your past truths are now questionable.

Not more than 2 years ago, I peer-reviewed reports where the examiner clearly omitted information in his report to the point that it was (at least to me) written to clear the guilty.  The rebuttal reports and exam showed this intention as blatantly obvious. That is not a good look by intentionally omitting facts.

In another recent case, I observed two (government) witnesses lying under oath. To be honest, I was in complete disbelief in what I heard and read because there was absolute evidence to the contrary. Even the judge was visibly and verbally stunned.

There are cases that I have not been involved in where expert witnesses have lied under oath. This is not uncommon, to the point that an attorney client who wanted to retain me believed that all experts are liars. I didn’t accept his retainer simply because he wouldn’t believe a truth from an expert if he heard it, since he has heard so many lies.

Tips to save your career

Tell the truth even if it hurts.  Especially if it hurts, tell the truth. Many times, I have had attorneys tell me “I appreciate your candor” in a manner that they didn’t like what I had to say, but they were grateful to hear it.

Distance yourself from liars. This is not always easy, but important.

The essence of a lie is the intention to deceive. - M. Prideaux 

Call out any lie that touches you. If you let a lie that touches you continue undefended, you could be seen as agreeing with and supportive of that lie. Some lies may be inconsequential (like a personal matter with someone) such that a reply is not warranted. But those lies that affect more than your anger at a comment made against you need to be addressed with facts. Imagine knowing that a co-worker intentionally lied to cover up malfeasance or incompetence in a case that you are also working! You will be in the same boat with silence.

I don’t know

On the stand, I cannot count the number of times that my answer was “I don’t know.”  If I did something, I say that I did it. If I didn’t do something, I say that I didn’t do it. If I know it, I say it. If I don’t, I say that I don’t. Filling in the blanks is like filling a hole on a sinking ship with Elmer’s glue.

A strong desire to be right

DFIR seems to draw the same type of folks into the field.  Driven to perfection.  Persistent in gathering facts. Curiosity to the point of breaking apart every bit of data. And a strong desire to be right. These are all great personality traits to have.

But there is a line between “strong desire to be right” and “will do anything to be proven right.” Being right in your analysis is supposed to mean that you did everything possible to corroborate and verify the information you recovered.   “Doing anything to be proven right” means that you did everything necessary to be right even if you are wrong.  One of these makes a great examiner and the other should not be working in DFIR.

Tips to stay truthful against pressures to ‘stretch the truth’

When asked by a client, attorney, or boss if you can simply omit the bad information, your immediate response must be ‘nope.’  When asked if you can stretch the truth, you may want to consider being even more forceful, that you won’t lie, even a little.  This has happened to me on three occasions with three different attorneys.  I fired all three attorneys as clients in each of these cases.

Cutting ties from those who pressure you to lie makes work so much easier. The pressures of any case are more than enough to handle without being pressured to embellish, omit, or outright lie.

If offered any amount of money, consider that this one payment may be your last and that your reputation is eventually going to be mud when the truth eventually comes out.  This kind of offer happened to me once.  I turned it down, of course.

Encourage everyone around you to be truthful. Compliment candor as if it were not common. Good managers know this. In an environment where mistakes are openly discussed without condemnation, people will (1) more likely admit their mistakes, (2) feel comfortable talking about mistakes, and (3) help remediate mistakes.

If you can’t help but lie

Find a new career. Some career fields seem to require it.  Otherwise, there is no such acceptance of untruths in DFIR. Zero.

NOV 01

The truth hurts. But the other option is worse.

Posted by Brett Shavers
in  Digital Forensics

In 2013, I wrote a book and throughout the book, wrote of telling the truth as it relates to your investigations. One area of telling the truth that I should have covered more, was ensuring that your team also tells the truth.

The only statement in this book that skims this advice is that of not letting someone else make mistakes IF YOU KNOW of the mistakes being made or will be made.

Placing the Suspect Behind the Keyboard, 2013

I have felt this pain before and was fortunate that no one was killed the one time that I didn’t act. I’ll give the story at the end of this post of how this lesson was scarred into my brain.

Testify

https://www.merriam-webster.com/dictionary/testify

In a previous chat session, I gave a few personal examples of “inaccurate/conflicting” testimony in two separate trials. I’ll be talking details about these two cases more in another chat or webinar. Both instances miffed me quite a bit because I don’t like seeing untruthfulness in what absolute truth should be, especially in a courtroom, under oath.

I might also talk about two clients strongly pushing me to embellish forensic analysis findings and how I fired them instead.

Inaction and errors

For me, taking action to prevent mistakes has been ingrained in all of my professional careers. In most jobs that I’ve had, the accomplishment of any task was usually a planned team effort. From military to law enforcement to collecting evidence in the private sector, there have been multiple planning steps prior to taking any action.

In any of these planning steps or stages, every involved person has the ability, if not the outright obligation, to call out errors and potential errors in the plan. By the time action is taken, most of the known issues are settled which allows for the unknowns being more effectively handled in real-time. Plan for the worst, hope for the best, and handle everything else in between as it pops up.

One aspect is tactical planning. Be tactically sound in what you are going to do.  I don’t mean “tactical” as wearing battle gear, but rather being methodical and engaged in your actions to mitigate risk.

Another aspect is honesty. Anything that we touch, seize, write, say, hear, or see in the DFIR world has a potential, no matter how slight, of being offered and accepted into a legal case. If you had any part of the operation, you are potentially a key witness in some aspect of it for good or bad.

The truth can hurt. The truth can be embarrassing. The truth can be career ending. But no matter how difficult the truth may be, a lie or embellishment is 10x that, even if you had no part in it other than watching it unfold without saying a thing.

Your input (or lack thereof) in planning, your reporting, your witnessing of others' actions and reporting, and the willful inaction of those involved must be looked at through these lenses.

When you don’t speak up to prevent a problem, you are part of the problem

Here is one incident where someone could have been killed and I would have been part of the cause. I reflect on this one day as a constant reminder.

While assigned as a Task Force Officer, a fellow detective asked for my opinion on the plan of a drug operation takedown. The operation was for my fellow detective to assume an undercover role, meet a drug trafficker, and subsequently end in a takedown of the drug trafficker. Simple and common operation. I have participated in every aspect of this type of operation in more operations than I can remember. But....

After he gave the basics of the op plan, the first thing that I said to him was, “You are going to be robbed.” He agreed, which is why he asked for another opinion. He then invited me into the briefing for this operation, which consisted of maybe 5 or more police agencies, including an administrator overseeing the operation.

They went over the plan again for my benefit and I bluntly said, “You guys are going to get robbed.” From there, it didn’t go well for me. Every person in the room was for the plan, and I started to give my reasons of why their plan sucked. My verbal skills have improved, but I believe my exact words were something like, "Your plan sucks and you are going to get robbed 100%."

I won’t go into the reason that I felt this way, other than to say that in the world of takedown operations (buy busts and the such), there are a few rules that must never be broken. I won’t say any of those rules publicly either, but if you have done this type of work, you know them already. In this operation, they had already broken two of the rules and were going to break a third.

I gave my suggestion for preventing a robbery. My suggestion was ignored, and this group of experienced detectives decided to go forth specifically against my advice. I didn’t push it. This is where I should have strongly demanded action. But I let it go forward.

Since I was too chicken to stand up in front of a bunch of police agencies that were putting an officer from my own agency at risk, I asked, “Who is on the officer rescue team?”

The answer was condescending with a “We don’t need a rescue team for this.”

This was another opportunity for me to argue against the op. But again, I did not. This was my inaction again, where I knew the risk was unreasonable to go forward, but I didn’t push it.

At the time, I was tasked for support of another operation for a different agency, but since I was not a pivotal part of that operation, I was able to withdraw and I offered to be this detective’s rescue “team”.   They let me drive a family van as the “rescue team” to keep me quiet.

The result of the operation was that multiple suspects in a car pulled up, pulled out guns, and attempted to rob the undercover.  The rescue team is usually within rescue distance, so with this chaos, here comes the family rescue van “team”, rushing in, and ramming the suspect’s car while the rest of this highly trained task force made it through a crowded mall parking lot to clean up.   No one was killed. No one was shot. Suspects were arrested.

This could have been much worse, including for me.

Had I pushed more in the planning process, there would have been 90% less risk, or 100% no risk by canceling the op.  For that, I cringe every time I think about what could have happened had the rescue “team” not been there to chase armed suspects pulling guns on an undercover officer in the middle of a shopping mall parking lot.

That was not a unique situation, unfortunately, but every time after that, I was not a quiet mouse in the room when I was the only person seeing red flags or the only person saying something.

Honor and integrity

For the Marines reading this, you will get it.  Everyone else... well, this kind of integrity reinforcement is constant in boot camp.

One day in Marine Boot Camp, two other Marine recruits and I were standing on the quarterdeck talking.  I was “firewatch” while my platoon was being given physical activity by drill instructors. Two Marine recruits, also on firewatch in adjacent squad bays, came into my squad bay, and we were only talking and laughing.

One of the DIs from my platoon stormed in like a hurricane, saw us laughing, and in a manner that only a Marine DI could ask, “Are all of you having a party?”

Two of us said that we were not having a party. I confessed and said that we were having a party. I am using the word ‘party’ in a professional manner. There were other words used.

Anyway, that DI spent an entire training session teaching those two recruits the value of integrity and the consequences of dishonesty. I was advised to go back to doing my duty.  But I learned that integrity will save you, because it is all that we have. I believe the other two recruits learned the same lesson, but lost a lot of water weight learning it.

Courts get this. People get this. I get this.

Because of that, when you see or hear something that is not right, that you are part of, that you know is going to cause harm to someone, speak out and prevent damage from happening or getting worse. 

Sometimes people can get killed. Sometimes people can lose their careers. In this DFIR field of ours, you never have a worry if you are always truthful and candid in all that you do.

There is a saying, "Tell it to the Marines."  You may have heard of this but not know what it means. It simply means that if a Marine said it, it must be true, because they have seen everything.

Use that example to build your reputation, so that clients, courts, employers, employees, friends, and family will be able to say of you, "If s/he said it, then it must be true."

OCT 01

I sued. It sucked. But I won. It still sucked, tho.

Posted by Brett Shavers
in  Digital Forensics

I recently finished a lawsuit, and it was the most time-consuming process I’ve ever experienced.  I have been involved in lawsuits for about 30 years as a defendant, lay witness, expert witness, and now as plaintiff.  Let me break each of these down for you first:

As defendant:  I have been named in several lawsuits as a police officer. In every instance, my name was withdrawn because I was never involved in the allegations.  I was named sometimes just because I was on duty at the time. I’ve never done anything in my law enforcement career to justify being sued.  Still, the experience of having a process server serve me at home is unpleasant. 

As a lay witness and expert witness: I’ve testified plenty as a police officer, detective, task force officer, and SWAT officer in law enforcement, and in the public sector as a consultant. Looking back on this aspect, this is the absolute easiest part of the entire legal process.

As a plaintiff: One time, and hopefully the only time. 

More than just a lawsuit

I once thought that I knew the justice system; after all, I have been working within it for three decades in both the public and private sector. I have spoken with hundreds of attorneys, been hired by many of them, spoken to judges, had judges sign my affidavits in their living rooms at 2am, and testified in front of grand juries, courtroom juries, and judges at bench trials and administrative hearings.  I have worked cases from initiating the case, filing it with a prosecutor, prepping for trial, and testifying. Still, this did not prepare me for a lawsuit as a plaintiff.

I thought I knew a lot, but I was wrong.

This lawsuit was a simple public records dispute, and through it, I learned more about the justice system, which has completely changed my past perspectives on attorneys, judges, and the legal process.

So, you think you know the justice system?  Think again.

Here is where this learning came from: I was acting pro se, in that I was my own attorney.  I know, I know. The pro se litigant has an idiot for a client.  But in my defense, my attorney was guiding me along the process, even though I was doing everything (he was checking to make sure that I did it right).  And this was just a public records violation.

What I thought would be a simple public records act violation turned into full-blown litigation. I was threatened with hundreds of thousands in legal fees and sanctions; I was disparaged, defamed, deposed, and cross-examined. I wrote a book’s length of paper in complaints, motions, replies and responses to motions, appeals, reports, opening statements, closing statements, and legal forms.  I sent and answered interrogatories. I demanded discovery and was demanded to provide my personal emails in discovery. I deposed witnesses and was deposed. I conducted direct testimony and was directed in testimony. I cross-examined and was cross-examined.  I offered evidence. Some was admitted and some was not. I argued in trial and in filings. I did practically all the legal research in state and federal case law online, in databases, and in a physical legal library.

One of the most incredible lessons learned was that the legal process is not about the truth as much as it is about which side does better in trial.  Even then, considering that most cases do not go to trial, the truth doesn’t matter if trial can be avoided with a settlement or dismissal.  You might think that you already knew this, but it is worse than you thought. I promise you it is much worse.

Oh yeah, opposing counsel tried to dismiss this lawsuit with multiple motions. When the court denied the motions on the basis of my claims, they made multiple and increasing offers to settle. I rejected every offer to settle.

The evidence

Without getting into the deep aspects of evidence in this case, just know that there were public records that were destroyed, records that were withheld, “misleading” and “conflicting” testimony in trial, and every effort by opposing counsel to prevent any of my evidence from being admitted.

On top of that, for some evidence where I proved intentional manipulation of dates, and the court agreed with my findings, the court didn’t seem to care and simply didn’t use the manipulated evidence.

That the “conflicting testimony” came from the #2 person in the organization but didn’t result in perjury blows my mind, when it was clearly more than just “conflicting”.  Conflicting is the word used by the judge... this, after the judge warned the witness that she was under oath, yet the conflicting testimony continued.

Another witness wrote an affidavit to be excused from being a witness, where the affidavit was factually incorrect. It was more than just “incorrect.”   I provided documentation that this witness’s statement was false, but rather than force the witness to be forthcoming with the truth, the judge excused the witness. This witness was the #1 of a government agency and “too busy” to testify.

Lawyers are (not?) under obligation to be truthful

In court filings, the opposing attorney misled the court in such a manner that I replied with documented facts in a filed reply that directly countered the misleading declarations and filings. The result from the judge was that the misleading information was not material, therefore not a biggie.  As if this is normal. Apparently, it must be.

It was not just one lawyer

Against me, there were at least two attorneys (both Harvard law grads), from a major Seattle law firm, with several paralegals, and a government organization with 20+ C level board members from that many government agencies that spared nothing in the case. In total, over a quarter million dollars was spent on the attorneys in this lawsuit over emails and text messages.  I pleaded publicly for the records to every person represented below, but got nowhere...the only thing I received was that I'd get the records in 17 years...which explains the lawsuit.

Skipping to the end

I won the lawsuit, including attorney’s fees for my attorney who guided me behind the scenes.  There is a story to this ruling and process as well…which I’ll get into via Zoom.

More to the story

I will be doing a Zoom chat session about this escapade within the next two weeks, but I have to limit it to anyone who ever signed up for a DFIR Training course, or bought a book from me through the DFIR Training website.  My Zoom account is good for only 100 at a time, so I am keeping it at that.  If you don't get in, I apologize in advance, as there are several thousand people that won't be able to join due to the 100-person Zoom limit.  It won't be recorded, and I probably will do this only once for this topic.

The things that I will talk about will be:

* Some details of the public records request (it was of public and personal importance)

* Why I turned down several offers to settle

* The pitfalls of any lawsuit that you don’t know unless you have been through one on an intimate level

* How I discovered manipulated dates and times

* How evidence, great evidence, can be excluded from trial for literally any reason

* Report writing tips that make an extreme difference in trial as evidence, including illustrative and demonstrative items

* Some details on the trial, misleading statements, misleading affidavits

* What I would have done differently had I known all of this

If you ever took a www.DFIR.Training course from me, or subscribed, or purchased a book directly from me, I have your email and will send out a notice of the Zoom session if you want to join in.  You are not required to participate to join, but I will take questions and give my opinion.  My opinion is my honest opinion, so you’ll hear that anytime you hear me talk on anything.

To the agency that I sued:

Do not worry, I will not be saying anything that I did not say in trial or in court filings, nor will I say any specific name, even though I could since it is all public record.  The purpose is to share the lessons, and that only needs me to generalize the specifics and focus on the process and experience for your benefit in your next (or current) case and court experiences.

My intention to share

You’ll get 2 years of this experience in a short Zoom conversation, so if you have questions beforehand that you want me to cover, send them to me and I’ll have answers.

My goal is that you will have an intimate view into the lawsuit process and what truly matters, because there are things that I wish I had known, since they affect how I should approach forensic reporting and analysis.  Not knowing some of these details means your work may be a waste of time and money, because it doesn't matter if you do it 'wrong'.

Not knowing how the legal process works in detail means that case outcomes are affected. I do not care how a case ends up (win or lose) as long as the truth is admitted and that the ruling reflects the truth.

In order for this to happen, you have to argue against the untruths, otherwise, the ruling will not be based on the truth, but on who did a better job at arguing the case.  You, as a witness, play into this.

SEP 23

Like math, talking to people in DFIR is hard. But here is a tip.

Posted by Brett Shavers
in  Digital Forensics

I have a good friend who is a natural with people.  He makes you feel like you have known him all your life after having just met minutes prior.  I am totally not like that. It seems like many in this computing industry as a whole are generally not extroverted, and that impedes our personal and professional growth.

Yes, there are plenty of exceptions, but honestly, are you more comfortable looking at a screen or in someone's eyes? 

To be clear, I see nothing wrong with being introverted or shy or just wanting to be left alone.  But we limit our potential by willingly staying within ourselves and not engaging with others.

Give something to someone, expect nothing in return, and you might receive the world

I have plenty of years of attending conferences and training where I did not engage with anyone. I have sat in the rooms, taken notes, and gone about my business to learn from the presentations without even trying to say hello to anyone. It took me a long time to talk to “strangers” at a conference or training event.  It is still not easy for me to speak to someone that I don't know, so when I do speak to someone, it generally means that I so much wanted to talk to this person that I will break all restraints that my brain puts on me to just be the fly on the wall.

So, here is something that I have been wanting to do to help others like me as a way to break the ice at a conference, trade show, training course, or even in a workplace. Have you ever wanted to walk up to a specific person to say hello, to say that you appreciate their presentation, or read their blog, or use their software but had nothing to say and walked away?  Or how about ever wanting to welcome a newbie to the field but unsure of what to say?

Consider that if you give something to this person, you may have an unending wave of goodness coming to you in the future. Maybe you won't, maybe you will, but the point is not an intention of getting anything in return. It is about giving and sharing, and there's nuthin wrong 'bout that.

How about giving that person a book?

And not just a “book”, but a book that has been signed by the author with the author’s personal note, and signed by another with their personal note, and signed by you with your personal note? A book that is unlike any other copy that creates an opportunity to engage across several readers.

This is the DFIR Book Challenge that I started some years ago but paused during the lockdowns, since no one was meeting anyone anywhere. But now we are free to travel and meet and speak and engage.  I am restarting this challenge with my latest book (X-Ways Forensics Practitioner’s Guide/2E) and will continue with as many DFIR books as authors will sign for me to give away.  Donated books are awesome, but I’ll buy as many as needed to keep giving away. I have one book readied for next month and will work toward others each month going forward.

By the way, if you wrote a DFIR book, regardless of when you wrote it, I want to give it away! My email is open.

There are many blog posts on the Internet about engaging in this amazing field of DFIR and all have great ideas. Engagement with another is more than just exchanging technical processes. The DFIR Book Challenge is just one more way to engage.

Connecting with another in this field will inspire you, and you can inspire others. Inspiration is the key to learning, to teaching, to sharing, and to doing.

If you don’t have inspiration in what you are doing now, put the effort to find it now.  Or create it. Or borrow it. Or share it. Or be it.

Personal story

Years ago, I taught use-of-force training at the police agency where I worked. After a decade of teaching, an officer who was involved in a deadly force shooting encounter came up to me after the shooting. He gave me a hug and said that during the encounter, words that I had said repeatedly in training were the only thing going through his mind. And he thanked me for the inspiration in training.

This happened to me both as a trainer in the military and in police work. Each time was years after I had shared what I knew and experienced with others in training.  Never did I expect or want confirmation or appreciation.

Never underestimate the power of a grain of inspiration as it is inspiration that turns a blank canvas into a masterpiece.

SEP 11

There I was, just getting ready for work....

Posted by Brett Shavers
in  Digital Forensics

I sometimes carried up to 10 cell phones at one time for work. Each phone had its own purpose. One or two of these phones were used for calling criminal targets in one country. Another phone was used to call another target in a different country. One was used to call informants. Others were used to call targets in different investigations locally. On this particular day, I had four cell phones. Three were burner phones and one was my official work phone.

The day was September 11, 2001, and my official work cell phone rang early in the morning while at home. My narc partner called to tell me to turn on the television. That was my introduction to 9/11. That was also the day that many things changed not only in my career field, but in life.

Numbers are more than just numbers

One good thing about numbers is that you can visualize them as they compare to something else. The numbers of 9/11 and everything related to it, however, are incomprehensible.

On and from that date of 9/11/2001, there have been over half a million people killed around the world directly related to the attack on the World Trade Center. More than 500,000 dead including military, contractors, and civilians is not insignificant. 

Visualizing that number as people shocks the senses. There are 32 countries on this planet, each having less than 500,000 in population. Most cities on this planet have less than that number in population. Cities like Bakersfield, California; Minneapolis, Minnesota; Orlando, Florida; and even Atlanta, Georgia each have populations that are less than the number of people killed because of 9/11.

This number doesn’t even include the number of people who have been wounded. There have been over 50,000 wounded just in the US military service members alone. The term wounded does no justice to describe what that means as it relates to amputations and posttraumatic stress. Add to that the suicides directly caused by so many wars. And I don’t even know if there is any way to measure civilian injuries.

It is just business

Then we have the “business” effects of 9/11. The airline and travel industries were devastated. The stock market erupted into panic selling. Economies around the world were hit hard. This impacted so many more people directly with lost businesses and lost jobs.

If you are old enough, you will remember being able to meet friends and family at the gate in the airport, without needing to have a ticket or boarding pass yourself. You remember not having a TSA, or having your naked body visually scanned by a machine and viewed by security. You remember not having to take off your shoes and your belt before being patted down and scanned. Retina scans, swabs for explosives, and scans of your body are here forevermore.

New toys with new power

The reaction to 9/11 created entire new markets for innovation, surveillance, legal authority, and new companies. I saw firsthand the creation and implementation of the Patriot Act. I saw the spending of so much government money on so much technology that made a law enforcement investigation so much easier.

At my desk in a federal task force, I had access to databases that I thought only existed in movies like Minority Report. At this time, I was sent to computer forensics training all over the country given by different vendors and government agencies. I had never known there were so many federal agencies until that time of being taught by them and with them. I was given a half-dozen Pelican cases full of computers and gear. I must have had more than six months in classrooms being taught forensic analysis of all types of computing devices and networks. I cannot imagine the cost but assume it was more than my annual salary times two or three.  The money was free flowing.

I had the access and the ability, and I used technology to wiretap cell phones, hardlines, Internet, and even cars. I was slapping GPS trackers on cars. I was legally stealing cars with search warrants to install GPS trackers. I helped to legally break into homes and businesses to install audio and video devices. I worked “T” cases with the alphabet agencies involving money laundering, drugs and arms trafficking, and IEDs being conducted by terrorists in the USA. I built up miles from flying all over the country (across, in and out), and no expense was spared in undercover ops with flashy cars, hotels, meals, and "items to impress."

The ability to make a phone call and ask for the financial history of a person was incredible, as I could get information on practically every dime made or spent by a person. I was able to arrange surveillance to be conducted by special people (I’ll leave it at that for the type of “special people”) at any US border to watch for my targets crossing the border, whether by foot, quad, helicopter, plane, and sometimes a tunnel.

I had reports given to me in my ICE group that came from the DEA, which came to them from the NSA, containing information on communications intercepted by various intelligence communities. The only requirement for using this information in my case was to not disclose it, and to corroborate it elsewhere so that it could be used in a case. Strange, right?

While I was doing these organized crime and “T” investigations as one small cog here, Operation Iraqi Freedom, Operation Enduring Freedom, Operation Inherent Resolve, and other operations were ongoing overseas. I was fortunate to "play" with so much of this new technology, some of which is still not-so-publicly known.  I was fortunate to have been given a crazy amount of forensic training, certifications, and experience in so many different types of cases.  Little of this was easy, none of it was freely given to me, but all of it is treasured as experience.

I was drawn up into this fast-paced, incredibly awesome technology development, and witnessed the awesome power of a government, and some of it was not only not good, but it was bad.

What happened to us

We went too far.  We overdid it.  And few tried to put on the brakes to reflect on what was happening. When given a free ticket to ride, government will ride it into the ground, and that is what we did.

We had initially rallied together around a common cause and supported not just our country, but others as well. We were on a good path. We were unified; undivided.

Somewhere along the line, we lost that.

Somewhere along the line, war became norm to the point of not even being mentioned on the news anymore.

Somewhere along the line, economies became war-focused because of immense war profit. 

Somewhere along the line, uncommon investigative methods and technology were being used too commonly, making them seem "normal" and not unreasonably intrusive.

We lost faith and love in our neighbors.

My sadness is that we have an entire generation born after 9/11 who have only experienced war, and many of those are serving in a war that began before they were born. Born into a war only to fight in it is a tragedy for an entire generation.

Forgetting

I forget things. My wife reminds me of many things that I forget. Don’t tell her, but some of those things are those that I intentionally try to forget, like vacuuming…

But I will never forget the “before time” where most of today’s technologies did not exist and there was no need for it. I will remember when there were no secret warrants and immense surveillance on every aspect of our lives. 

I will also never forget the trials and tribulations of raising two kids during this time. The arguments (?) over not giving our kids cell phones or unfettered access to the Internet were tough. Listening to "but all my friends are on Facebook" and "all my friends have cell phones" and not giving in was difficult. I was fortunate because the work that I was doing gave me (ugly) insight into what happens to children on the Internet.  My wife and I do not regret our decisions and tough love, where our kids had to suffer not 'being online' like all of their friends.  As a side note, one did tell me that it was appreciated what we did, because of what happened to others in college due to online postings during high school.

The first new generation

For those born into post-9/11, it is “normal” to accept that your smart phone is a GPS device that is logging everywhere you go every day of your life. It is “normal” to accept that practically all of your activity on the computer or in public is being recorded, logged, analyzed, and saved as potential evidence in a criminal investigation in the future. It is “normal” to accept that we are always in a war in multiple countries. It is “normal” to accept that joining the military means probably going to war in some capacity and some country at some point. It is “normal” to accept that your private Facebook messages and Gmail are being read and archived by humans, not just machines.

For me, this is abnormal.

For me, I will never forget.

Sadly, all of this will be forgotten and be normal.

JUN 19

The spark of a book

Posted by Brett Shavers
in  Digital Forensics

I believe that most every book begins by seizing upon the spark of an idea before the idea fades.  This book, the one that Mark Spencer and I are writing, is no different.

But first, let me give credit where credit is due, for I will never take the spotlight from another who deserves it.  Mark is an extraordinary forensicator (I actually do not like that word, but what else is there?).  His casework has been featured internationally.  He has presented on some of it and the little that he can share has always been impressive.  This book revolves around his casework. I will merely validate what has already been validated many times over.

What is this new forensic book about?

The story in our upcoming book, which won’t be out until 2023, is Mark’s baby.  Mark and his team did incredible work, and this book will highlight some aspects of a case. Although we are writing as one, my intention is to help get the story out, in a manner that every forensic analyst must read to reduce making mistakes, and that the public can read to grasp a sliver of how important DFIR work is to countries and individuals. You will see forensics from an entirely different perspective after reading this book.

At this point, the actual story won’t be let out until we get closer to the end, nor will the forensic feats be detailed until then as well.

I am humbled to see this book from the beginning and can’t wait to read the finished product.  I have another book in progress, which will also be released near the same time or sooner, but this book is different.

This book won’t be like any forensic book that you’ve read before because of the manner of the way that it is being written.


That spark for a book

This is the one-thing that I want to get across in this blog post (if you ever listened to any of my presentations, you know how I feel about “one thing”): 

The spark for a book can and will come anytime and be unexpected. And it will die out faster than Windows ME if you don’t act on it.

In this case, I met Mark for the first time at a conference, where I introduced myself and told him how much I enjoyed his presentation. No need to go into details about Mark, other than it is easy to figure out that he is a cool guy, knows what he is doing, and is also a humble human.

This is another “one-thing” by the way:

Go say ‘hello’ or ‘great presentation’ or whatever when you have a chance to whomever you wanted to speak with, because that opportunity will disappear the longer you wait.

That one conversation was the spark of this book.  It didn’t happen at that very moment, but that seed grew in a few years to when the decision to put a forensic story on paper was made.  Maybe the book would have happened at another point in time, but certainly it is happening faster than ever now.

It is so easy to write a book!!

That’s a lie.  Show me someone who says that it is easy to write a book and I’ll show you someone who has never written a book.  For me, I think that I have a harder time writing books than anyone else.  But I also bet that everyone else thinks that they have a harder time writing than me.  The point is that it is not easy to write a book.

I’ve written a few books, tech edited a few others, and ghost-written partial books and chapters. None have been easy.  I expect this current book to be the most difficult and at the same time, have the highest expectations that this will be one of the best books written in this field.  We shall see when it comes out.  If it turns out to be a flop, it will not be due to a lack of effort and research.

Don’t do this

If you are thinking of writing a book, my advice is to not force it. I spoke with someone who wanted to write a book and he wanted to write any book on practically any topic.  The end result was no book. That was years ago and still...no book.  If I spoke to you about writing your book, and you didn't write it, this isn't about you. I was talking about a different guy....

If you are not damned determined to write a book, don’t even start because you certainly won’t finish it.

If you are damned determined to write a book, but don’t have any idea of what to write about, wait for the idea.  You can’t beat an idea out of yourself.  The idea has to be burning to get out of yourself.

If you are planning to write something that you wouldn’t pay to read, neither will anyone else.

Don't assume that everyone already knows what you are going to write about, because everyone doesn't know.

For those who have written DFIR books, kudos to each of you, because I most probably read your book and might still have it on my shelf, even a decade after it was published. For those who will write forensic books, if you get only one sale, that one sale will probably be me.

More (potentially) big news

At a recent conference (TechnoSecurity), I sat down with the author of one of the most popular and useful forensic books ever written, and written by one of the most influential people in the DFIR field.  The book has been in print for over a decade and the topic of a second edition came up...for all you reading this, believe you me when I say that I hoped that I talked him into a second edition.  I really really want an updated version of this book, but I won't give any more pressure than I already did, until the next time I see him...

MAY 28

That sliver of space between first and second place in the DFIR space

Posted by Brett Shavers
in  Digital Forensics

TL;DR

The difference in skill and knowledge between the very best and everyone else is small but requires so much effort to obtain that most people don’t even try or quit trying.

This post is intended to kick you in your butt.


A little bit more detail

If you watch sports, a common theme is that wins are by thin margins of time or points, sometimes only split seconds or inches make the difference. This applies in everything including the DFIR/infosec field. I have been involved in casework and read cases of others where one person does or finds one small thing that completely changes the direction of the case or even makes the entire case. One thing!  Usually, this one little thing is something that you later look at and say to yourself, “Why didn’t I see that?”

We tend to think that ‘next time, I’ll do that too’ but that next time never comes.  And we keep seeing others do this over and over in different cases and wonder why we keep missing these little things that make big differences too.

The effort needed

In music and sports, perfect practice makes perfect. No practice and sloppy practice are a downward slide in skills. The most skilled make it look easy and natural. But those are the ones who have put in more effort off the court (or in the lab or the classroom) than anyone else. This is no different in the DFIR field or any other field.

Effort = physical energy + mental focus + resources (money, time)

You need all three.  You will never have an equal balance of these. Something will always be lacking.  But you must do the best with what you have and what you can get. Everyone else does too.

Our Own Effort

Our perception of effort spent might not be accurate. We sometimes tend to think we are putting out more effort than necessary (without getting results!) when in reality we are putting out less, and we don’t need as much as we think. Athletes and musicians have coaches to help them put this into better perspective.

Our Perceptions

It is so easy to believe that we have it harder than others, and that others don’t need to put forth as much effort to be “x” (where x = competent, or highly skilled, etc.).  Rule #1 – don’t worry about what someone else is doing, because you’ll never really know what they are doing outside of what you see in public and online.

Quitting and giving up

If you quit early on, you are most likely far from your goals. If you have been doing the work and putting in the effort, you might be a lot closer to your goals than you think. It would be nice to know how close we are, but we won’t know until we get there. In college it is easy to know how close you are to your degree because everything is a checkbox.  Math course required? Check the box. Next, until done. This is easy because you have a known path to your goal.

In DFIR, when we aspire to do something specific or reach a certain skill level, we don’t have a known path or gauge of where we are.  You don’t know where you are until you get where you are going.  You will never know how close you were when you quit. Frustrating!

Changed goals

When your goal is “x” (forensic examiner, incident responder, etc.), and you work toward that goal, the goal post might move.  Maybe during your journey, you find a more suitable goal. Many people stick with their initial goal and fight themselves all the way to achieve it. Then they are unhappy with the goal they achieved because they chose to ignore the goal that they truly wanted. Rather than see this as giving up on a goal, recognize it as an inspiration derived from your initial path that opened your eyes to a truer path.

 

How do I know this?

As embarrassing as it is to admit, I have tried things and quit. I have tried things, failed, and quit. I have tried things, failed, tried again, failed again, and quit.  I have tried things, failed, tried again, failed again, tried again, and quit.

I have also tried things without putting out the effort that I KNEW that I needed to put out.  None of those ever worked out.

I have also worked to obtain something that I later realized I didn’t want, only to keep going to get what I didn’t want…

The only times that I reached the goals I set were when I put in more effort than I thought was needed, and each time, I barely made the goal.

The “How To” get where you want to be in DFIR (aka ‘harsh realities’)

*  You must put forth the effort.

*  If you quit, you won’t get anywhere.

*  Goals change for the better.

*  Don’t ignore inspirations.

*  Find a coach (i.e., a brutally honest friend or a coach you pay to be brutally honest).

*  Realize that you are closer than you think, but won’t know how close until you make it.

*  Focus or the effort is wasted.

*  When you are short on one thing, use more of another (i.e., less money available means more time spent finding free or less expensive resources).

*  Stop complaining.

*  Stop whining.

*  Stop making excuses.

*  Stop blaming others.

*  You demean yourself and your reputation by putting others down.

*  It doesn’t matter if you were unfairly criticized, unjustly accused, wrongfully discriminated against, or inaccurately judged.  No one cares and neither should you.

*  No one has unlimited resources.

More realities in DFIR

*  Few people are as good as you think they are.

*  Anyone can learn more about something than anyone else.

*  Credentials are meaningless if you can’t do the job.

*  If you can do the job while uncredentialed, you are more valuable than a credentialed and incompetent competitor.

*  You are better than you think you are.

*  You will never know everything. No one does and no one ever will.

*  You can’t control the “system,” but you can control your effort and path.

*  You have the potential to discover something today that no one ever will.

*  Put your words on paper or someone else will. They will deserve the credit, not you.

*  Talk is cheap. Action is what matters.  Want to write a book? Then do it and stop talking. Want to develop an application? Get to work on it!

*  Haters will hate.  Accusers will accuse. But they only do that to bring people down, not to those who are already down. Don’t feed the trolls.

Do this one thing right now. Do it again tomorrow. Do it again the next day. Keep doing it.

Find ONE THING a day. That one thing must be something that (1) is newly learned, (2) refreshes what you previously learned but forgot, (3) saves you time in your work, (4) makes your work more efficient/productive/effective, or (5) inspires you.

This can be related to work, a class, a YouTube video, playing around, relationships, or a hobby. Anything! Every one of these items affects all the others.  A hobby can create an incredible inspiration at work. Play can create a solid relationship. A great relationship can support an amazing ability to work. It is all related and each affects the others.

Now: Write it down. Email it to yourself. Tweet it. Tell someone about it.  Do something that will burn it into your mind.  If you don’t do one of these, this ‘one thing’ will be a fleeting moment in time, wasted when it could have saved you hours of work, led to an amazing discovery, or opened an opportunity that you would never have had otherwise.

Don't do this for more than one thing a day. Just one. That is all that you need and it is the most effective. Otherwise, it becomes unduly burdensome and less effective. PICK ONE ONLY!

Don’t be lazy about this.  This is 100% on you.

Backstory to a book

My most recent book (X-Ways Forensics Practitioner's Guide/Second Edition) is an example of all of this, and is also a reminder to me of what I just wrote. First off, writing a book is not easy. Writing itself requires effort (as described above). Then there are detractors, imposter syndrome, and personal matters and work to attend to. That is on top of research, writing, editing, re-writing, more research, coordinating and organizing information and people, and finally putting the final period on the page.

This X-Ways book took way more time than I had planned; I wanted to quit many times, spent more resources than expected, tested more than ever, and simply had to create the words out of thin air, which I believe led to my thinned hair...  There is no need to get into every little thing that was an obstacle to this book, but suffice it to say there were many.  The more that I think about it, there were a thousand reasons to quit writing this book and only ONE reason to finish it.  And that is all you need to have, because ONE thing can outweigh a thousand others.

Consider your butt kicked, but with much love and respect.

MAY 10

A forensic book is not just a forensic book if you do forensics.

Posted by Brett Shavers
in  Digital Forensics

I just published the second edition of the X-Ways Forensics Practitioner’s Guide. If you use X-Ways Forensics in any sense of running the application, you should get this book.  I can’t say that any stronger than that.  But this post is not about the X-Ways book, at least not completely.

If you want to see the book or buy it, here it is:

For this second edition, I asked for and received contributions from forensic examiners who are X-Ways Forensics users. These contributions were tested and evaluated, and published as a complete section of forensic processes (and war stories) with X-Ways Forensics. This serves several levels of awesomeness.

For one, readers get more perspectives on how to use X-Ways Forensics than just mine.  I know some things, but not all things.  Second, these contributors, if they were in a shell, jumped right out front and put their work on the scale to be weighed.  This is a major thing to do, because if you are wrong, you have to take the hit and then move forward to improve.  But if you were right, that validates your previous work as being logically correct.  All contributions were awesome, and now each contributor has a formally published forensic process using a tool that they know well.  Few things are greater than that in a case than having published works.  For that, I am grateful, and the readers will benefit.  The contributors also have the right to use their contributions as they wish, whether that be as an attachment to a case report, an affidavit, or in their CV.

This brings me to another work in progress (two new book projects that will be ramping up soon).  For one of my next books, I will be asking for contributors in the same manner, for a similar sort of content. My intention is to pull some great forensicators out of their cubicle and into the DFIR community's eye to display their work, their processes, their wins, and their perspectives to share with the community at large.

This takes a lot of guts, but there is such a huge personal, professional, and community benefit when you can help someone else do better and be better by simply sharing.

With that, this next book will be the most comprehensive writing in forensics that I will have ever done, and quite unique in scope and scale.  It will certainly take me a year or more to finish it, but it will be well worth it.

APR 22

Been a long time coming, but now comes the second edition of the X-Ways Forensics Practitioner's Guide.

Posted by Brett Shavers
in  Digital Forensics

The short story:

The book is done!

Get it at $20 off during the 100-hour book launch coming up in a few days (but only a limited number of books will be sold in the 100-hour book launch). Free shipping in the USA. International shipping is available, but not free... sorry.

The book will afterward be available for purchase on Amazon (and elsewhere) at the retail price of $69.99 plus shipping.

Get on the notification list here so you don’t miss it:  https://order-dfir.com/optintfu71ito

The longer story:

I have used X-Ways Forensics (XWF) a lot, starting from the first version. And somehow, the experience of over 15 years of being an XWF user fit into one book. The neat thing about this book is that any XWF user can read it and learn from that experience in much less time than 15 years! That doesn’t even count the experience laid out by nearly a dozen contributors* in the book, which probably gives this book a century of XWF experience wrapped up in a tad over 400 pages.

The intention of this book is that there will be at least one thing you learn that, when you see it, will forever end an XWF frustration point and prevent many hours of wasted time for years to come.  That makes any book worthwhile.

I’ll say this as strongly as I can: I use all sorts of software.  I don’t have a ‘favorite’ tool, but I do have a favorite collection of tools. XWF happens to be in that collection. For the most part, any of the top forensic tools do a fantastic job and I use them all at different times and on different cases. I use good tools, support good tools, and advocate for good tools, because good tools allow good examiners to do good work.  At best, I am okay at forensics simply because I do not know so much, but the tools help me learn and work.

The only reason that I wrote a book on how to use XWF is because the manual didn’t show me how to use XWF.  This is not a problem with most other tools because many other tools are very intuitive; but not XWF.  Only after learning how to use it does it become intuitive…

For me, I need something or someone to show me how to use XWF (and most other things, too), otherwise I am spending hours trying to figure it out and may end up doing it wrong anyway or never learn the right way. I teach the same way as well...mostly I teach the way that I would like to have learned what I am teaching, not how an engineer thinks the way I should learn.

Books, books, books

This is my seventh book authored with my name, plus one fully ghost-written** book, several ghost-written chapters in other books, plus tech editing a half dozen other books. Three of my seven authored books were published under a publishing house, four with self-publishing, one in the second edition, another to be in a second edition in 2023/2024, and another due out in 2023 with a fantastic forensic expert and co-author.

For this edition, the book is more than 150 pages longer than the first edition, includes content not in the first edition, and has a dozen contributors who gave either an XWF war story, told one of their processes in how they use XWF, or contributed information on their X-Tensions or third party tools. The tech editors, Troy Larson and Michael Yasumoto are awesome.  For those who get a copy of the book, you won’t want to miss Troy Larson’s bio. If you know Troy or of Troy, the bio will make perfect sense and is only missing a shark laser pointer.

The XWF/2E started in 2005 when I was struggling with X-Ways Forensics. I struggled enough that my partner-in-crime (so to speak) and I arranged for the first ever X-Ways Forensics course to be hosted in Seattle, Washington. I will go as far as to say that since X-Ways wasn’t giving training up to that point, our frustration with XWF ended up convincing X-Ways that we’d go so far as to host a class, market it, fill the seats, and even cater it if that would make it happen.

I’ve used X-Ways Forensics ever since, taking lots of notes, auditing more training, teaching what I learned at various places, and banging my head along the way. That was the impetus of the first edition: take my pain of learning XWF and write it down so others can learn faster. 

The first edition eventually became outdated

Emails started rolling in asking for a second edition. Lots of emails. This was bound to happen because the first edition was outdated to the point that functions had moved around, been removed, or been added until the book didn’t work.

Unfortunately, the publisher didn’t want to approve a second edition as the first edition was still selling well enough to not justify replacing it, even though it was outdated. Writing a book through a publishing house means the author is simply a contract employee writing for the publisher and has no ownership of the book or content other than a commission of sales (royalties).

I then had a 2-year process with the publishing house and my attorney to regain the copyright from the publisher so that a second edition could be (self-) published. That is probably a story to tell in more detail another time: how to get your copyright back for the words you wrote that the publisher owns.

And now you have the second edition, with more content, better organization, and with contributions from a dozen XWF users.  This gives you a dozen different perspectives of how XWF is and can be employed, all from one book.

You most likely have the same reference books on your desk that I have on mine, with dog-eared pages, highlights, notes, and worn out spines.  This is one of those kinds of books.

*Amazing contributors include Michael Yasumoto, Mark Burns, Derek Eiri, Yuya Hashimoto, Alexander Kuiper, Chad Gough, Craig Bowling, Jeffrey Meissner, Erinn Soulse, and a few others wishing to be unnamed.

**Ghost-written, as in, I wrote it for someone else’s book, but in their name, under contract to not give my name.

FEB 09

I lived a double life.

Posted by Brett Shavers
in  Digital Forensics

I lived a double life for a decade. I have now been away from that life for more than a decade and feel (a little) more comfortable talking about it.

Not long after I left military service, I went to work as a patrol officer in a suburb of Seattle. Just when I thought the best years of my life had been the years in the Marines, with the best group of people I ever met doing amazing things, I entered a different sort of life with more great people doing amazing things in police work.

Side note: I worked with idiots too, both in the military and police world, and in both cases, they were the ones who put my life in danger more than any criminal or enemy ever could.

Here’s my police career in a nutshell. I was in patrol for a few short years, which included riding a bicycle. Don’t laugh. Bike Patrol was AWESOME!  Not being tied to a radio allowed me to run amok around town and find some dangerous criminals, some of the worst sort. I did other things too on a part-time basis, like SWAT, use-of-force instructor, and things like that.

 

Then I applied to be a narcotics detective!

I didn’t get selected.  Someone else got it.

So, I waited for the next opening and applied again. This time, I got it.

That is when shit started going south, as they say.  In less than 2 years, my partner and I seized more dope than the entirety of my drug unit seized in the past 20 years.  We seized that much more cash too. And that many more cars too.  Later seizures included a semi. And a plane. And boats. All with the arrests and cases to back it up. I was doing undercover buy busts, buy walks, meet and greets, surveillance, and everything else you can imagine with “crack heads”, “cranksters”, and all sorts of dealers. I was buying kilos of cocaine, working the DEA, FBI, USSS, ATF, and other alphabet soup agencies, all while being a little city PD detective…

In two years, I was in a state task force and working bigger cases. For those who understand how teams work, this task force was in a perpetual state of “storming”, so that sucked in more ways than you can imagine. Incompetence was the norm, and on no fewer than a dozen occasions I was in more fear of being killed by the incompetence of police than by the criminal organizations that I infiltrated.

Two years later, I was drafted to a federal task force that virtually took the types of cases that I had started in my state task force and turned them into a laser-focused federal objective. I’ll get into that in more detail sooner or later. During the next years, which turned out to be my final years in law enforcement, I traveled nationally and internationally doing undercover work with outlaw motorcycle gangs, Asian organized crime, and Mexican cartels. I was running informants across the country and initiated a dozen OCDETF cases on my own that were eventually managed by DHS, ICE, FBI, DEA, and the IRS.

I worked undercover for foreign agencies, one of which, again, had not only incompetence, but corruption with the very international criminal organization that I was undercover in….

Dozens of stories of having a gun stuck in my gut, being followed home, investigating high-level organizations where the children of my targets were in the same classroom as my kids, nearly being shot mistakenly by police, and getting the “once you are in, you are never getting out” talk from those I was investigating while undercover all led me to getting into digital forensics.  I figured a computer would never kill me...

My double life involved my wife and kids. Now, my wife is amazing. She was a Marine wife. An army wife. And a cop’s wife. Growing up, my kids were amazing (they are even more amazing now!). My double life had me a husband and father at home, while at “work”, a drug dealer, and an arms dealer, and a human trafficker, and a hitman, and a money launderer, and a trafficker in stolen cars, and a smuggler, and eventually, involvement in “national security-type” investigations, that involved other types of assoCIAtions.   I trained my wife and kids in reacting to danger, reacting to me being confronted in public by criminals, and other reactions that families shouldn't have to be exposed to learning.

The point of this story

After being asked more times than I remember to write these stories down, I finally decided to podcast them. I am starting with some cases a little distant to me, and only the ones where someone was convicted. There are plenty of non-convicted criminals that I investigated but never filed the cases for one reason or ten others. For them, I hope they all turned a corner and are living an honest life. Some however, I know never will.

My podcast is behind a paywall because I’m a bit of a paranoid person, and if someone wants to hear these stories…well…I’d rather keep the audience a little smaller than the entire planet..

If you are interested, I'll be on Patreon.  I'm even going to do some live video chatting to talk about things that I don't want to put down on paper or in a podcast...the cool thing about these stories is that only one is under an NDA :)

The really funny thing is that you won't be the only ones hearing these stories for the first time, because my wife and kids will be hearing them for the first time too.  Little did they know that not only could daddy help mommy with housework, but he was flying armed and partying with people who killed people for a living.

Update: Some former and current narc buddies want to write a book with me about undercover work. With that, no time for a podcast as I'll trade podcast prep time with writing time!

JAN 29

There is no censorship because I haven’t seen it.

Posted by Brett Shavers
in  Digital Forensics

Today, I posted on social media that my posts about not being censored were not censored. Obviously, the posts were not (yet) censored. But if they had been censored, no one would have ever known. That was the point of the posts.

Twitter did not #censor this tweet.

— Brett Shavers 🙄 (@Brett_Shavers) January 29, 2022

There are two major events happening world-wide that affect you directly, personally, professionally, and profoundly: 

  1. Your access to information (i.e., increased censorship)
  2. Others’ access to your information (i.e., decreased privacy)

When your access to information is blocked, banned, eliminated, or restricted, you will be uninformed. If the information that you are allowed to access has been manipulated, you will be misled. In either scenario, you have no control over what you think, regardless of what you think.

Were you manipulated in 2012?

If you were on Facebook in January 2012, you were probably one of the guinea pigs in Facebook’s experiment in manipulating you to either be happy or sad, without your knowledge or consent.  The bottom line of the experiment was that you can be manipulated through the control of information, by a private company no less….

And of course we know now just how much Facebook has mined not only our personal information, but has algorithms that predict your behavior to the point of knowing when you are going to divorce or go poop.

A little pregnant

Either you are for censorship, or you are not.  When Howard Stern says “I’m against any kind of censorship, really, you know, I really am. I don’t like censorship.  But when you are talking about life and death……,” we have a paradox. It is as if we are saying that we want censorship to prevent censorship. This is no different than banning a book that is disagreeable.

Howard Stern says Neil Young’s threat to pull music from Spotify over Joe Rogan using the platform to spread “fake information about vaccines” is not about censorship because it’s “about life or death.” pic.twitter.com/uBayuzHwaR

— The Recount (@therecount) January 26, 2022

Private is personal

Do you want someone looking through your dresser drawers? You probably have nothing illegal in your sock drawer, but if a stranger were to ask to search your dresser “just in case you have evidence of a crime”, would you want to give consent?

Your underwear drawer is personal and private, and so should be your emails and everything else that is intimate and personal to you that you don’t want to share with a private company, the government, or your neighbors.

We are ‘a little pregnant’ with this one, too. We waive our privacy in so many ways for the ‘free’ benefit of using a service that eventually nothing is private anymore.

The future

Imagine if a corporation wanted you to buy a product that you really didn’t want to buy in the first place. With effective and targeted marketing designed to personally manipulate you with information mined from your life, you would most likely be inclined to pay whatever the price for that product, and even stand in line for hours for it. This could be described as “effective marketing”, but the more accurate word would be “manipulated”, through invasive yet covert means, using your private and personal information.

Now imagine if your country wanted to go to war for reasons other than true national security. If a corrupt government controlled all the information that you see, and given that so much of your personality and behavior is known (like your most intimate and personal belief systems), it could manipulate information to make you feel a certain way. You won’t see censorship. You won’t be aware of your mood being manipulated. You will believe what you are led to believe.

What then would be the odds that your country would go to war with you waving the flag in one hand and carrying a $1200 iPhone in your other hand?

JAN 13

There are Only Two things That set you Apart from Another DFIR Practitioner

Posted by Brett Shavers
in  Digital Forensics

Two things that set you apart from other practitioners are (1) what you know and (2) what you can do. In this litigious world where courts (and corporations, regarding internal matters) rule on evidence, the rulings are usually based on a “person.”  By this, I mean that the ruling body, whether a court or a corporation, makes its decision by trusting that what a person said or did was true and relevant to the case at hand.

Disclaimer! 

I have personally witnessed ruling bodies (legal or corporate) make decisions that were completely unexpected! I’ve seen where an expert opinion would have made a huge difference in a case, but a judge ruled that an expert opinion was not necessary. There are cases where a witness was disallowed simply because the witness asked to be excused from testifying because they were “too busy” or “too important” to testify.  I have seen “conflicting testimony” that could otherwise be called bald-faced lying (perjury under oath!) without any consequence. In other words, you might be the best, but might not be allowed to be the best.

Don’t hinge everything on my disclaimer applying 100% of the time. The only sure thing is to keep doing what you should be doing: preparing to lay down facts and opinions when called upon.  One way to look at this is that DFIR work is a competition.  Your peers will judge your work. Your organization will judge your work. A judicial body will judge your work. And your opposing expert will judge your work. The better you get, the more judgmental people become, and the more you need to be prepared.

The most important thing to know

Only you will document you the way you need to be documented because only you will be putting words that you say and write on the record.

Document what, exactly?

This is not about your resume, and this is not about your CV.  This is about creating and maintaining your record of what you know.  Here are 10 tips to get it right, save you time, prevent unnecessary stress, and stand apart from other DFIR practitioners.

Write it down

If you don’t write it down, it didn’t happen. This simply means that if there is no evidence to support that it ever happened, then for practical purposes, it never happened.  That includes documenting the course you completed last week and the one you completed five years ago. Many courses do not provide a certificate of training, for reasons that are beyond me. At least with a certificate of completion, you have a record of the training you completed.

What can you do if you are not provided a record?  First off, consider that there is a record, whether that be an email confirmation, enrollment sheet, or canceled check. Something exists to document that training.  Use the information from that documentation to ‘write down’ your course.

Corroborate it

If you have a cert, keep it!  No cert? How about an email confirmation?  Maybe send an email to the vendor and ask for an email that states the course was successfully completed.  Consider that if you can’t prove it, who will believe it when challenged?

Update it

Keep adding everything relevant to your training record. Everything.  Make it a habit to update it. It is far too easy to go through a lot of training, education, and experience, plan to document it later, and then forget the details.

Validate it

If you were taught something, keep the practice, or at least some of it. Keep your notes and practice. You can easily scan entire student manuals to PDF for archival purposes. If you take great notes and are ever challenged, those notes will validate that you were exposed to the information and confirmed it with practice, exams, tests, and notes.

Make it Detailed

It is one thing to say you attended Course 123 sometime in the year 2018, and quite another to say Course 123, 32 hours in length, in Washington D.C., from 3/3/2018 through 3/6/2018, presented by Vendor A, instructed by Instructors B and C, covering topics 1-9.

Make it Accurate

The last thing you need to do is embellish. There is rarely a DFIR course that doesn't, by itself, speak volumes more than embellishing could.  If the course was 5 days and listed at 40 hours, then that is what to document: 40 hours, not 60 hours, unless it was 60 and you can show it.

Don’t treat it like a resume

Your training documentation is for you to see.  It is not a resume or CV.  This is your record as a source for your resume, CV, or statement of qualifications. Sure, you can offer it as your training record to support expert qualifications or when asked by a client, but typically, this is your official training record.  Treat it as such.

Don’t rely on your organization to do it (correctly)

Your organization might keep decent training and education records, but if you are relying on someone else to keep track, you are doing it wrong.  It is actually the other way around: you use your records to make sure that your organization is keeping track accurately and appropriately. Plus, there will be items in your personal record that don’t need to be in your organization's records.

Use it as a reference

When you write a report and have already documented research on what you are reporting on, refer to your training/education record.  You will have the dates and details of what you’ve done for easy reference.

Include your research (workflows, innovative processes, software, scripts, blog posts, presentations given, courses, workshops, conferences, books read, books written)

Your practice counts.  Your study counts. Your homework counts. If you read a DFIR book, document it.  All of them.  If you take a course online, document it. Almost as important as taking a course is noting who taught it. The perceived value (quality?) of a course is directly related to the vendor and/or the named instructor of that course.  An anonymous presenter of a DFIR subject on YouTube will be perceived as much lower quality than the same topic presented by a well-known vendor or a well-known named expert.

Something as simple as a spreadsheet to keep track of your training will save you grief in putting together a CV for court, or a resume for a job, or listing qualifications on a report.  Keep in mind that the important points to track are:

  • Name of course/book/class/conference/etc…
  • Presenter/author name
  • Vendor/company/organization sponsoring or presenting
  • Date(s) attended or date published
  • Hours completed
  • Cert received if applicable
  • URL if a YouTube video or video series
  • Brief of topic/s
  • Anything else of relevance that could be useful to remember later

Of the two things that differentiate you from another practitioner, this one is the easiest, because you just have to document everything to show what you (should) know. For the other thing, you have to show what you can do based on your actual work.

These are the two things to get you that .5% edge that will set you apart from everyone else.


DFIR Training

Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.


Brett's blog

© 2023 Brett Shavers