In 2013, I wrote a book and throughout the book, wrote of telling the truth as it relates to your investigations. One area of telling the truth that I should have covered more, was ensuring that your team also tells the truth.

The only statement in this book that skims this advice is that of not letting someone else make mistakes IF YOU KNOW of the mistakes being made or will be made.

Placing the Suspect Behind the Keyboard, 2013

I have felt this pain before and was fortunate that no one was killed the one time that I didn’t act. I’ll give the story at the end of this post of how this lesson was scarred into my brain.

Testify

https://www.merriam-webster.com/dictionary/testify

In a previous chat session, I gave a few personal examples of “inaccurate/conflicting” testimony in two separate trials. I’ll be talking details about these two cases more in another chat or webinar. Both instances miffed me quite a bit because I don’t like seeing untruthfulness in what absolute truth should be, especially in a courtroom, under oath.

I might also talk about two clients strongly pushing me to embellish forensic analysis findings and how I fired them instead.

Inaction and errors

For me, taking action to prevent mistakes has been ingrained in all of my professional careers.  In most jobs that I’ve had, the accomplishment of any task was usually a planned team effort.  From military to law enforcement to collecting evidence in the private sector, there has been multiple planning steps prior to taking any action.

In any of these planning steps or stages, every involved person has the ability, if not the outright obligation, to call out errors and potential errors in the plan. By the time action is taken, most of the known issues are settled which allows for the unknowns being more effectively handled in real-time. Plan for the worst, hope for the best, and handle everything else in between as it pops up.

One aspect is tactical planning. Be tactically sound in what you are going to do.  I don’t mean “tactical” as wearing battle gear, but rather being methodical and engaged in your actions to mitigate risk.

Another aspect is honesty. Anything that we touch, seize, write, say, hear, or see in the DFIR world has a potential, no matter how slight, of being offered and accepted into a legal case. If you had any part of the operation, you are potentially a key witness in some aspect of it for good or bad.

The truth can hurt. The truth can be embarrassing. The truth can be career ending. But no matter how difficult the truth may be, a lie or embellishment is 10x that, even if you had no part in other than watch it unfold without saying a thing.

Your input (or lack thereof) in planning, your reporting, your witnessing or others' actions and reporting, and the willful inaction of those involved must be looked through these lenses.

When you don’t speak up to prevent a problem, you are part of the problem

Here is one incident where someone could have been killed and I would have been part of the cause. I reflect on this one day as a constant reminder.

While assigned as a Task Force Officer, a fellow detective asked for my opinion on the plan of a drug operation takedown.  The operation was for my fellow detective to assume an undercover role, meet a drug trafficker, and subsequently end in a takedown of the drug trafficker.  Simple and common operation. I have participated in every aspect of this type of operation in more operations that I can remember. But....

After he gave the basics of the op plan, the first thing that I said to him was, “You are going to be robbed.”  He agreed, which is why he asked for another opinion. He then invites me into the briefing for this operation that consisted of maybe 5 or more police agencies, including an administrator overseeing the operation.

They go over the plan again for my benefit and I said bluntly said, “You guys are going to get robbed.”  From there, it didn’t go well for me. Every person in the room was for the plan, and I started to give my reasons of why their plan sucked.  My verbal skills have improved, but I believe my exact words were something like, "You plan sucks and you are going to get robbed 100%."

I won’t go into the reason that I felt this way, other to say that in the world of takedown operations (buy busts and the such), there are a few rules that must never be broken. I won’t say any of those rules publicly either, but if you have done this type of work, you know them already.  In this operation, they already broke two of the rules and were going to break a third.

I gave my suggestion of preventing a robbery. My suggestion was ignored, and this group of experienced detectives decided to go forth specifically against my advice. I didn’t push it.  This is where I should have strongly demanded action. But I let it go forward.

Since I was too chicken to stand up in front of a bunch of police agencies that were putting my officer at risk from my own agency, I asked, “Who is on the officer rescue team?”

The answer was condescending with a “We don’t need a rescue team for this.”

This was another opportunity for me to argue against the op. But again, I did not. This was my inaction again, where I knew the risk was unreasonable to go forward, but I didn’t push it.

At the time, I was tasked for support of another operation for a different agency, but since I was not a pivotal part of that operation, I was able to withdraw and I offered to be this detective’s rescue “team”.   They let me drive a family van as the “rescue team” to keep me quiet.

The result of the operation was that multiple suspects in a car pulled up, pulled out guns, and attempted to rob the undercover.  The rescue team is usually within rescue distance, so with this chaos, here comes the family rescue van “team”, rushing in, and ramming the suspect’s car while the rest of this highly trained task force made it through a crowded mall parking lot to clean up.   No one was killed. No one was shot. Suspects were arrested.

This could have been much worse, including for me.

Had I pushed in the planning process more, there would have been 90% less risk or 100% no risk by canceling the op.  For that, I cringe every time I think about what could have happened had not the rescue “team” not been there to chase armed suspects pulling out guns on an undercover officer in the middle of a shopping mall parking lot. 

That was not a unique situation unfortunately, but every time after that, I was not a quiet mouse in the room when I was the only person seeing red flags or the only person saying something.

Honor and integrity

For the Marines reading this, you will get it.  Everyone else….well, this kind of integrity reinforcement is constant in boot camp.

On one day in Marine Boot Camp, myself and two other Marine recruits were standing in the quarterdeck talking.  I was “firewatch” while my platoon was being given physical activity by drill instructors. Two Marine recruits, also on firewatch in adjacent squad bays came into my squad bay, and we were only talking and laughing.

One of the DIs from my platoon stormed in like a hurricane, saw us laughing, and in a manner that only a Marine DI could ask, “Are all of you having a party?”

Two of us said that we were not having a party. I confessed and said that we were having a party. I am using the word ‘party’ in a professional manner. There were other words used.

Anyway, that DI spent an entire training session teaching those two recruits the value of integrity and the consequences of dishonesty. I was advised to go back to doing my duty.  But, I learned that integrity will save you, because it is all that we have. I believe the other two recruits learned the same lesson, but lost a lot of water weight learning.

Courts get this. People get this. I get this.

Because of that, when you see or hear something that is not right, that you are part of, that you know is going to cause harm to someone, speak out and prevent damage from happening or getting worse. 

Sometimes people can get killed. Sometimes people can lose their careers. In this DFIR field of ours, you never have a worry if you are always truthful and candid in all that you do.

There is a saying of "Tell it to the Marines."  You may have heard of this but not know what it means. It simply means that if a Marine said it, it must be true, because they have seen everything.

Use that example to build your reputation, that clients, courts, employers, employees, friends, and family will be able to say about you, "That if s/he said it, then it must be true."

I recently finished a lawsuit, and it was the most time consuming process I’ve ever experienced.  I have been involved in lawsuits for about 30 years as a defendant, lay witness, expert witness, and now as plaintiff.  Let me break each of these down for you first:

As defendant:  I have been named in several lawsuits as a police officer. In every instance, my name was withdrawn because I was never involved in the allegations.  I was named sometimes just because I was on duty at the time. I’ve never done anything in my law enforcement career to justify being sued.  Still, the experience of having a process server serve me at home is unpleasant. 

As a lay witness and expert witness: I’ve testified plenty as a police officer, detective, task force officer, swat officer in law enforcement and in the public sector as a consultant. Looking back on this aspect, this is the absolute easiest of the entire legal process.

As a plaintiff: One time, and hopefully the only time. 

More than just a lawsuit

I once thought that I knew the justice system, after all, I have been working within it for three decades in both the public and private sector. I have spoken with hundreds of attorneys, hired by many of these, spoken to judges, have had judges sign my affidavits in their living rooms at 2am, testified in front of Grand Juries, courtroom juries, and in front of judges at bench trials and administrative hearings.  I have worked cases from initiating the case, filing it with a prosecutor, prepping for trial, and testifying. Still, this did not prepare me for a lawsuit as a plaintiff.

I thought I knew a lot, but I was wrong.

This lawsuit was a simple public records dispute, and through it, I learned more about the justice system that has completely changed my past perspectives of attorneys, judges, and the legal process.

So, you think you know the justice system?  Think again.

Here is where this learning came from: I was acting Pro se, in that I was my own attorney.  I know, I know. The Pro se has an idiot for a client.  But in my defense, my attorney was guiding me along the process, even though I was doing everything (he was checking to make sure that I did it right).  And this was just a public records violation.

What I thought would be a simple public records act violation turned into a full-blown litigation. I was threatened with hundreds of thousands of legal fees and sanctions, I was disparaged, defamed, deposed, and cross examined. I wrote a book’s length of paper in complaints, motions, replies and responses to motions, appeals, reports, opening statements, closing statements, and legal forms.  I sent and answered interrogatories. I demanded discovery and was demanded to provide my personal emails in discovery. I deposed witnesses and was deposed. I conducted direct testimony, was directed in testimony. I cross examined and was cross examined.  I offered evidence. Some was admitted and others not. I argued in trial and in filings. I did practically all legal research in state and federal case law online, in databases, and in a phyiscal, legal library.

Some of the most incredible lessons learned was that the legal process is not about the truth as much as it is which side does better in trial.  Even then, considering that most cases do not go to trial, the truth doesn’t matter if trial can be avoided with a settlement or dismissal.  You might think that you already knew this, but it is worse than you thought. I promise you it is much worse.

Oh yeah, opposing counsel tried to dismiss this lawsuit with multiple motions. When the court denied the motions on the basis of my claims, they made multiple and increasing offers to settle. I rejected every offer to settle.

The evidence

Without getting into the deep aspects of evidence in this case, just know that there were public records that were destroyed, records that withheld, “misleading” and “conflicting” testimony in trial, and every effort by opposing counsel to prevent any of my evidence from being admitted.

On top of that, in some evidence where I proved intentional manipulation of dates, and the court agreed with my findings, the court didn’t seem to care and didn’t use this manipulated evidence.

Considering that the “conflicting testimony” came from the #2 person in the organization but didn’t result in perjury blows my mind, when it was clearly more than just “conflicting”.  Conflicting is the word used by the judge….this, after the judge warned the witness that she was under oath, yet the conflicting testimony continued.

Another witness wrote an affidavit to be excused from being a witness, where the affidavit was factually incorrect. It was more than just “incorrect.”   I provided documentation that this witness’s statement was false, but rather than force the witness to be forthcoming with the truth, the judge excused the witness. This witness was the #1 of a government agency and “too busy” to testify.

Lawyers are (not?) under obligation to be truthful

In court filings, the opposing attorney misled the court in such a manner that I replied with documented facts in a filed reply that directly countered the misleading declarations and filings. The result by the judge was that the misleading information was not material, therefore, not a biggie.  As if this is normal. Apparently, it must be.

It was not just one lawyer

Against me, there were at least two attorneys (both Harvard law grads), from a major Seattle law firm, with several paralegals, and a government organization with 20+ C level board members from that many government agencies that spared nothing in the case. In total, over a quarter million dollars was spent on the attorneys in this lawsuit over emails and text messages.  I pleaded publicly for the records to every person represented below, but got nowhere...the only thing I received was that I'd get the records in 17 years...which explains the lawsuit.

Skipping to the end

I won the lawsuit, including attorney’s fees for my attorney who guided me behind the scenes.  There is a story to this ruling and process as well…which I’ll get into via Zoom.

More to the story

I will be doing a Zoom chat session about this escapade within the next two weeks, but I have to limit it only to anyone who ever signed up for a DFIR Training course, or bought a book from me through the DFIR training website.  My Zoom account is good for only 100 at a time, so I am keeping it at that.  If you don't get in, I apologize in advance as there are several thousand people that won't be able to join due to the 100 person Zoom limit.  And it won't be recorded, and I probably will do this once for this topic.

The things that I will talk about will be:

* Some details of the public records request (it was of public and personal importance)

* Why I turned down several offers to settle

* The pitfalls of any lawsuit that you don’t know unless you have been through one on an intimate level

* How I discovered manipulated dates and times

* How evidence, great evidence, can be excluded from trial for literally any reason

* Report writing tips that make an extreme difference in trial as evidence, including illustrative and demonstrative items

* Some details on the trial, misleading statements, misleading affidavits

* What I would have done differently had I known all of this

If you ever took a www.DFIR.Training course from me, or subscribed, or purchased a book directly from me, I have your email and will send out a notice of the Zoom session if you want to join in.  You are not required to participate to join, but I will take questions and give my opinion.  My opinion is my honest opinion, so you’ll hear that anytime you hear me talk on anything.

To the agency that I sued:

Do not worry, I will not be saying anything that I did not say in trial or in court filings, nor will I say an specific name, even though I could since it is all public record.  The purpose is to share the lessons and that only needs me to generalize the specifics and focus on the process and experience for your benefit for your next (or current) case and court experiences.

My intention to share

You’ll get 2 years of this experience in a short Zoom conversation, so if you have questions beforehand that you want me to cover, send them to me and I’ll have answers.

My goal is that you will have an intimate view into a lawsuit process and what truly matters, because there are things that I wish I knew because these things affect how I should know for forensic reporting and analysis.  Not knowing some of these details means your work may be a waste of time and money because it doesn't matter if you do it 'wrong'.  

Not knowing how the legal process works in detail means that case outcomes are affected. I do not care how a case ends up (win or lose) as long as the truth is admitted and that the ruling reflects the truth.

In order for this to happen, you have to argue against the untruths, otherwise, the ruling will not be based on the truth, but on who did a better job at arguing the case.  You, as a witness, play into this.

I have a good friend who is a natural with people.  He makes you feel like you have known him all your life after having just met minutes prior.  I am totally not like that. Seems like many in this computing industry as a whole are generally not extroverted, and that impedes our personal and professional growth.

Yes, there are plenty of exceptions, but honestly, are you more comfortable looking at a screen or in someone's eyes? 

To be clear, I see nothing wrong with being introverted or shy or just wanting to be left alone.  But we limit our potential by willingly staying within ourselves and not engaging with others.

 Give something to someone, expect nothing in return, and you might receive the world

I have plenty of years of attending conferences and training where I did not engage with anyone. I have sat in the rooms, took notes, and gone about my business to learn from the presentations without even trying to say hello to anyone. It took me a long time to talk to “strangers” at a conference or training event.  It is still not easy for me to speak to someone that I don't know, so when I do speak to someone, it generally means that I so much wanted to talk to his person that I will break all restraints that my brain puts on me to just be the fly on the wall.

So, here is something that I have been wanting to do to help others like me as a way to break the ice at a conference, trade show, training course, or even in a workplace. Have you ever wanted to walk up to a specific person to say hello, to say that you appreciate their presentation, or read their blog, or use their software but had nothing to say and walked away?  Or how about ever wanting to welcome a newbie to the field but unsure of what to say?

Consider that if you give something to this person, you may have an unending wave of goodness coming to you in the future. Maybe you won't, maybe you will, but the point is not an intention of getting anything in return. It is about giving and sharing, and there's nuthin wrong 'bout that.

How about giving that person a book?

And not just a “book”, but a book that has been signed by the author with the author’s personal note, and signed by another with their personal note, and signed by you with your personal note? A book that is unlike any other copy that creates an opportunity to engage across several readers.

This the DFIR Book Challenge that I started some years ago but paused during the lockdowns since no one was meeting anyone anywhere. But now we are free to travel and meet and speak and engage.  I am restarting this challenge with my latest book (X-Ways Forensics Practitioner’s Guide/2E) and will be continuing with as many DFIR books that authors will sign for me to giveaway.  Donated books are awesome, but I’ll buy as many as needed to keep giving away. I have one book readied for next month and will work toward others each month forward.

By the way, if you wrote a DFIR book, regardless of when you wrote it, I want to give it away! My email is open.

There are many blog posts on the Internet about engaging in this amazing field of DFIR and all have great ideas. Engagement with another is more than just exchanging technical processes. The DFIR Book Challenge is just one more way to engage.

Cconnecting with another in this field will inspire you, and you can inspire others. Inspiration is the key to learning, in teaching, in sharing, and in doing.

If you don’t have inspiration in what you are doing now, put the effort to find it now.  Or create it. Or borrow it. Or share it. Or be it.

Personal story

Years ago, I taught use-of-force training at the police agency where I worked. After a decade of teaching, an officer who was involved in a deadly force shooting encounter came up to me after a shooting. He gave me a hug and said that during the encounter, words that I had said repeatedly in training was the only thing going through his mind. And he thanked me for the inspiration in training. 

This happened to me both as a trainer in the military and police work. Each time was years after having shared  to others in training that what I knew and experienced.  Never did I expect or want confirmation or appreciation.

Never underestimate the power of a grain of inspiration as it is inspiration that turns a blank canvas into a masterpiece.