Brett Shavers | Ramblings

Brett's Ramblings


JUN 19

The spark of a book

Posted by Brett Shavers
in  Digital Forensics

I believe that most every book begins by seizing upon the spark of an idea before the idea fades.  This book, the one that Mark Spencer and I are writing, is no different.

But first, let me give credit where credit is due, for I will never take the spotlight from another who deserves it.  Mark is an extraordinary forensicator (I actually do not like that word, but what else is there?).  His casework has been featured internationally.  He has presented on some of it and the little that he can share has always been impressive.  This book revolves around his casework. I will merely validate what has already been validated many times over.

What is this new forensic book about?

The story in our upcoming book, which won’t be out until 2023, is Mark’s baby.  Mark and his team did incredible work, and this book will highlight some aspects of a case. Although we are writing as one, my intention is to help get the story out, in both a manner that every forensic analyst must read to reduce making mistakes and for the public to read to grasp a sliver of how important DFIR work is to countries and individuals. You will see forensics with an entirely different perspective after reading this book.

At this point, the actual story won’t be let out until we get closer to the end, nor will the forensic feats be detailed until then as well.

I am humbled to see this book from the beginning and can’t wait to read the finished product.  I have another book in progress, which will also be released near the same time or sooner, but this book is different.

This book won’t be like any forensic book that you’ve read before because of the manner of the way that it is being written.

 

That spark for a book

This is the one-thing that I want to get across in this blog post (if you ever listened to any of my presentations, you know how I feel about “one thing”): 

The spark for a book can and will come anytime and be unexpected. And it will die out faster than Windows ME if you don’t act on it.

In this case, I met Mark for the first time at a conference, where I introduced myself and told him how much I enjoyed his presentation. No need to go into details about Mark, other than it is easy to figure out that he is a cool guy, knows what he is doing, and is also a humble human.

This is another “one-thing” by the way:

Go say ‘hello’ or ‘great presentation’ or whatever when you have a chance to whomever you wanted to speak with, because that opportunity will disappear the longer you wait.

That one conversation was the spark of this book.  It didn’t happen at that very moment, but that seed grew in a few years to when the decision to put a forensic story on paper was made.  Maybe the book would have happened at another point in time, but certainly it is happening faster than ever now.

It is so easy to write a book!!

That’s a lie.  Show me someone who says that it is easy to write a book and I’ll show you someone who has never written a book.  For me, I think that I have a harder time writing books than anyone else.  But I also bet that everyone else thinks that they have a harder time writing than me.  The point is that it is not easy to write a book.

I’ve written a few books, tech edited a few others, and ghost-written partial books and chapters. None have been easy.  I expect this current book to be the most difficult and at the same time, have the highest expectations that this will be one of the best books written in this field.  We shall see when it comes out.  If it turns out to be a flop, it will not be due to a lack of effort and research.

Don’t do this

If you are thinking of writing a book, my advice is to not force it. I spoke with someone who wanted to write a book and he wanted to write any book on practically any topic.  The end result was no book. That was years ago and still...no book.  If I spoke to you about writing your book, and you didn't write it, this isn't about you. I was talking about a different guy....

If you are not damned determined to write a book, don’t even start because you certainly won’t finish it.

If you are damned determined to write a book, but don’t have any idea of what to write about, wait for the idea.  You can’t beat an idea out of yourself.  The idea has to be burning to get out of yourself.

If you are planning to write something that you wouldn’t pay to read, neither will anyone else.

Don't assume that everyone already knows what you are going to write about, because everyone doesn't know.

For those who have written DFIR books, kudos to each of you because I most probably read your book and might still have it on myself, even after a decade of being published. For those who will write forensic books, if you get only one sale, that one sale will probably be me.

More (potentially) big news

At a recent conference (TechnoSecurity), I sat down with the author of one of the most popular and useful forensic books ever written, and written by one of the most influential people in the DFIR field.  The book has been in print for over a decade and the topic of a second edition came up...for all you reading this, believe you me when I say that I hoped that I talked him into a second edition.  I really really want an updated version of this book, but I won't give any more pressure than I already did, until the next time I see him...

MAY 28

That sliver of space between first and second place in the DFIR space

Posted by Brett Shavers
in  Digital Forensics

TL;DR

The difference in skill and knowledge between the very best and everyone else is small but requires so much effort to obtain that most people don’t even try or quit trying.

This post is intended to kick you in your butt.

 

A little bit more detail

If you watch sports, a common theme is that wins are by thin margins of time or points, sometimes only split seconds or inches make the difference. This applies in everything including the DFIR/infosec field. I have been involved in casework and read cases of others where one person does or finds one small thing that completely changes the direction of the case or even makes the entire case. One thing!  Usually, this one little thing is something that you later look at and say to yourself, “Why didn’t I see that?”

We tend to think that ‘next time, I’ll do that too’ but that next time never comes.  And we keep seeing others do this over and over in different cases and wonder why we keep missing these little things that make big differences too.

The effort needed

In music and sports, perfect practice makes perfect. No practice and sloppy practice is a downward slide in skills. The most skilled make it look easy and natural. But those are the ones who have made more effort off the court (or in the lab or the classroom) than anyone else. This is no different in the DFIR field or any field.

Effort = physical energy + mental focus + resources (money, time)

You need all three.  You will never have an equal balance of these. Something will always be lacking.  But you must do the best with what you got and what you can get. Everyone else does too.

Our Own Effort

Our perception of effort spent might not be accurate….we sometimes tend to think we are putting out more effort than necessary (without getting results!) but in reality, we are putting out less and don’t need as much as we think. Athletes and musicians have coaches to help them put this into better perspective.

Our Perceptions

It is so easy to believe that we have it harder than others, and that others don’t need to put forth as much effort to be “x” (where x = competent, or highly skilled, etc…).  Rule #1 – don’t worry about what someone else is doing because you’ll never really know what they are doing outside of what you see in public and online.

Quitting and giving up

If you quit early on, you are most likely far from your goals. If you have been doing the work and putting in the effort, you might be a lot closer to your goals than you think. It would be nice to know how close we are, but we won’t know until we get there. It is easy in college to know how close you are to your degree because everything is by a checkbox.  Math course required? Check the box. Next until done. This is easy because you have a known path to your goal.

In DFIR, when we aspire to do something specific or reach a certain skill level, we don’t have a known path or gauge of where we are.  You don’t know where you are until you get where you are going.  You will never know how close you were when you quit. Frustrating!

Changed goals

When your goal is “x” (forensic examiner, incident responder, etc…), and you work toward that goal, your goal post might change.  Maybe during your journey, you find a more suitable goal. Many people stick with their initial goal and fight themselves all the way to achieve it. Then they are unhappy with the goal they achieved because they choose to ignore the goal that they truly wanted. Rather than see this as giving up on a goal, recognize this as an inspiration derived from your initial path that opened your eyes to a truer path.

 

How do I know this?

As embarrassing as it is to admit, I have tried things and quit. I have tried things, failed, and quit. I have tried things, failed, tried again, failed again, and quit.  I have tried things, failed, tried again, failed again, tried again, and quit.

I have also tried things without putting out the effort that I KNEW that I needed to put out.  None of those ever worked out.

I have also worked to obtain something that I later realized I didn’t want, only to keep going to get what I didn’t want…

The only time that I made my goals that I set was putting in more effort than I thought was needed and each time, barely made the goals.

The “How To” get where you want to be in DFIR (aka ‘harsh realities’)

*  You must put forth the effort.

*  If you quit, you won’t get anywhere.

*  Goals change for the better.

*  Don’t ignore inspirations.

*  Find a coach (ie: a brutally honest friend or a coach you pay to be brutally honest).

*  Realize that you are closer than you think, but won’t know how close until you make it.

*  Focus or the effort is wasted.

*  When you are short on one thing, use more of the other (ie: less funds available means more time spent to find free or less expensive resources).

*  Stop complaining.

*  Stop whining.

*  Stop making excuses.

*  Stop blaming others.

*  You demean yourself and your reputation by putting others down.

*  It doesn’t matter if you were unfairly criticized, unjustly accused, wrongfully discriminated against, or inaccurately judged.  No one cares and neither should you.

*  No one has unlimited resources.

More realities in DFIR

*  Few people are as good as you think they are.

*  Anyone can learn more about something than anyone else.

*  Credentials are meaningless if you can’t do the job.

*  If you can do the job while uncredentialed, you are more valuable than a credentialed and incompetent competitor.

*  You are better than you think you are.

*  You will never know everything. No one does and no one ever will.

*  You can’t control the “system,” but you can control your effort and path.

*  You have the potential to discover something today that no one ever will.

*  Put your words on paper or someone else will. They will deserve the credit, not you.

*  Talk is cheap. Action is what matters.  Want to write a book? Then do it and stop talking. Want to develop an application? Get to work on it!

*  Haters will hate.  Accusers will accuse. But they only do that to bring people down, not to those who are already down. Don’t feed the trolls.

Do this one thing right now. Do it again tomorrow. Do it again the next day. Keep doing it.

Find ONE THING a day. That one thing must be something that (1) is newly learned, (2) refreshes what you previously learned but forgot, (3) saves you time in your work, (4) makes your work more efficient/productive/effective, or (5) inspires you.

This can be related to work, a class, a YouTube video, playing around, relationships, or a hobby. Anything! Every one of these items affects all the others.  A hobby can create an incredible inspiration at work. Play can create a solid relationship. A great relationship can support amazing ability to work. It is all related to each other and affects one another.

Now: Write it down. Email it to yourself. Tweet it. Tell someone about it.  Do something that will burn it into your mind.  If you don’t do one of these, this ‘one thing’ will be a fleeting moment in time and wasted when it could have saved you hours of work, led to an amazing discovery, or opened an opportunity that you would never have otherwise.

Don't do this for more than one thing a day. Just one. That is all that you need and the most effective. Otherwise, it becomes unduly burdensome and less effective. PICK ONE ONLY!

Don’t be lazy about this.  This is 100% on you.

Backstory to a book

My most recent book (X-Ways Forensics Practitioner's Guide/Second Edition) is an example of all of this, and is also a reminder to me of what I just wrote. First off, writing a book is not easy. The mere effort to write requires effort (as described above). Then there are detractors, imposter syndrome, and personal matters and work to attend. That is on top of research, writing, editing, re-writing, more research, coordinating and organizing information and people, and finally putting the final period on the page.

This X-Ways book took way more time than I had planned, I wanted to quit many times, spent more resources than expected, tested more than ever, and simply had to create the words out of thin air, which I believe led to my thinned hair...  There is no need to get into every little thing that was an obstacle to this book, but suffice to say there were many.  The more that I think about it, there were a thousand reasons to quit writing this book and only ONE reason to finish it.  And that is all you need to have, because ONE thing can outweigh a thousand others.

Consider your butt kicked, but with much love and respect.

MAY 10

A forensic book is not just a forensic book if you do forensics.

Posted by Brett Shavers
in  Digital Forensics

I just published the second edition of the X-Ways Forensics Practitioner’s Guide. If you use X-Ways Forensics in any sense of running the application, you should get this book.  I can’t say that any stronger than that.  But this post is not about the X-Ways book, at least not completely.

If you want to see the book or buy it, here it is:

In this second edition book, I asked and received contributions from forensic examiners who are X-Ways Forensics users. These contributions were tested and evaluated, and published as a complete section of forensic processes (and war stories) with X-Ways Forensics. This serves several levels of awesomeness.

For one, readers get more perspectives on how to use X-Ways Forensics than just me.  I know some things, but not all things.  Second, these contributors, if they were in a shell, jumped right out front and put their work on the scale to be weighed.  This is a major thing to do, because if you are wrong, you gotta take the hit and then move forward to improve.  But if you were right, that will have validated your previous work as being logically correct.  All contributions were awesome, and now, each contributor has a formally published forensic process using a tool that they know well.  Few things are greater than that in a case when you have published works.  For that, I am grateful, and the readers will benefit.  The contributors also have the right to use their contributions as they wish, whether that be as an attachment to a case report, affidavit, or in their CV.

This brings me to another work in progress (two new book projects that will be ramping up soon).  For one of my next books, I will be asking for contributors in the same manner, for a similar sort of content. My intention is to pull some great forensicators out of their cubicle and into the DFIR community's eye to display their work, their processes, their wins, and their perspectives to share with the community at large.

This takes a lot of guts, but there is such a huge personal, professional, and community benefit when you can help someone else do better and be better by simply sharing.

With that, this next book will be the most comprehensive writings in forensics that I will have ever done, and quite unique in scope and scale.  It will certainly take me a year+ to finish it, but it will be so well worth it.



© 2022 Brett Shavers