We use cutting-edge tools to uncover the story of what happened on computing systems. This is awesome! But we often ignore attribution, which is difficult. I understand. Digital forensics alone can hardly identify the suspect (sometimes it does!). Forensics gives us the clues, but it's the DFIR investigative mindset that unlocks the answers.  So, why is this not trained in DFIR?

An unexpected revelation

    In 2005, I was invited along with a few FBI agents to give a workshop to academia in Seattle on teaching digital forensics.  An hour into the workshop, one professor stopped me mid-sentence and said;

“It sounds like you expect all forensic examiners to be investigators.”

    I didn’t mean to imply that, but when she said that, I realized she had a good point.  Forensic examiners are investigators.  DFIR work implicitly describes that of an investigator. And then another professor asked a much more difficult question:

“How are we to teach students to be investigators if we don’t know how to do investigations?”

        I didn’t have a good answer but have thought about it ever since and it took me the better part of a decade after that day to put some of my thoughts of a DFIR investigative mindset in my first book. I didn’t have this concept fleshed out much at the time, and my intention for that book was in a large part for that purpose. Placing the Suspect Behind the Keyboard was intended to be a book for DFIR pros to investigate their cases. The second edition of this book is turning out to be much more intense.

        Now, a decade more has passed, and during that time in every forensic training course and college-level program, and every YouTube video, and every book, I have looked for anyone teaching or writing about a DFIR Investigative Mindset. The closest that I have seen are describing the steps of an investigation (as checklists at best), such as securing the scene or dusting for fingerprints. Nothing about the ‘how to think’ and ‘why to think.’  Outside of law enforcement investigations, very little has been written about it.  The few things written around the topic are very high level, academic theories; nothing practical in just how to do it!

I hosted a limited webinar on the topic and the roundtable discussion came to the conclusion that the DFIR Investigative Mindset should be an integral part of DFIR training and education.

Fight me

    Some argue that DFIR is not investigative because we “analyze” (not “investigate) data. Rather than diving into a semantic debate, let's consider this: The distinction between a data recovery expert and someone who can conclude a case often hinges on one's DFIR investigative mindset, regardless of job title.

    Being labeled as an investigator, detective, or special agent isn't required to adopt their investigative skills. Similarly, you don’t need to be a criminal hacker to catch one. You need thinking skills.

This brings me back to the question of how to teach such a thing..

    For those in law enforcement, access to training and on-the-job investigative experience is automatically provided to you. But like anything, it is up to the person to take advantage of opportunities and either learn or not. I’ve seen great LE investigators working alongside absolutely terrible investigators, both being what they were because of what they chose to be.

    Outside of LE, private investigators and corporate investigators have access to non-LE investigative training and have experiences on the private side. Some have experience in the public and private sectors as an investigator.

    That leaves everyone else out!  You cannot get experience investigating a murder without actually investigating a murder. You can’t mirror a great burglary detective without being able to work alongside one. You can’t be taught these skills if those with the skills aren’t teaching them. And available training on how to investigate is not that common, especially when it comes to the DFIR field.

    On top of that, few in DFIR want to even use the word “investigate” in the same sentence as DFIR because it creates a fear of regulation in DFIR by private investigation state rules!  I have seen testimony where an “examiner” flat out stated that he does not investigate; he analyzes data.  This was in a case where he was testifying as a forensic examiner who discovered evidence.

    The DFIR investigative mindset is not just about finding the suspect. It is also about understanding the motivation behind the attack and how it was carried out. This information can be used to prevent future attacks. The DFIR investigative mindset is not limited to law enforcement investigations. It can also be used by businesses and organizations to investigate internal incidents, such as data breaches. The DFIR investigative mindset is a continuous learning process. As new technologies and techniques are developed, you need to stay up-to-date in order to be effective.

Sharing insights and moving forward

    You can learn and you can teach an investigative mindset.  Specifically, you can learn and teach the DFIR Investigative Mindset.  Most importantly, this skill needs to be part of your toolbox of tools. Some are fooled that it is tool competence that solves DFIR cases/incidents. If your DFIR work solely presents data without a story, without a path of how you found that story, then you are only culling data for someone else to investigate.

    Perhaps the most important aspect of a DFIR Investigative Mindset is that of attribution. Yes, I know that a forensic exam most likely will not place a person at the device.  But I also know that a forensic exam can give enough circumstantial evidence to a case that when combined with other evidence, will do just that.

    If attribution is not your objective, then you are just fixing the system.  There is nothing wrong with that and sometimes this is all that is needed for most incidents.  Find the crack, patch it, and prevent the next crack.  For criminal cases, where a victim is due justice, DFIR should take the other path of attribution instead of patching a hole. Otherwise, what is the point?

Keynote of The DFIR Investigative Mindset

    Catch me at TechnoSecurity’s keynote where I talk about this for an hour.  I’m giving actionable steps that you can take immediately and use in your cases. My intention is to shift your brain in the direction of being a forensic investigator and not just a data collector.

Peer-reviewed paper

    Then, catch a peer-reviewed paper on the DFIR Investigative Mindset being written by Dr. Graeme Horsman and me (mostly him….actually, chiefly by him….). This paper will hit on the academic aspects of teaching this mindset.

A training program that covers all

    I’ll have a book out on this specific topic in a few months (alongside 2 other books……….).  But this book most likely will be done first, tech edited by an experienced detective (Lee Harris), and reviewed by several experienced forensic experts. The book isn’t an exercise in academics or theories, but rather dozens of techniques that you can use right now to develop or enhance a DFIR Investigative Mindset.  Even if you have been investigating for some time, I promise you that one or many of the exercises and practices will be key in closing one of your next cases or even a current case.

*The little that I wrote about a DFIR Investigative Mindset in 2013 in the first edition of Placing the Suspect Behind the Keyboard (excerpt is below) didn't talk about the "how" in developing critical thinking, although that was the intention of the entire book. Still, it took a decade of reflection and many discussions with many people to flesh it out to distill into the topic as I see it.

My investigative background may be important to know to get the perspective of where I am coming from with this DFIR Investigative Mindset.  Here goes 35 years worth in a broad stroke: 

* Municipal police officer (city cop!) for 15 years, 10 of which were as a detective (local and state task forces), and task force officer (federal task forces). Attended more investigative training courses than I can recall, from basic to 'advanced'. Worked all sorts of cases from theft to national security matters.  I was a part-time forensic examiner for both my agency, ICE, and ICAC.  Part-time as in the only forensic examiner for my agency. I worked internationally as case agent, co-case agent, undercover officer, wire room, covert A/V installation, informant handler. 

* Managing principal, consultant, expert witness in ediscovery and forensic cases as a corporate employee and private consultant for 20 years.  Cases ranged from petty cash theft (no kidding), employee investigations, and class action litigation.

My perspective comes from the training, cases, and whatever I could gleen from the great detectives and agents that I had the opportunity to work with, one of which had a move made from one of his cases.

I recently posted a webinar on the DFIR Investigative Mindset, which is a snippet of a program I’ve occasionally taught internally over the past years. 

I distilled a major component of the DFIR Investigative Mindset for this post into seven words:

DFIR is a mindset, not a skillset.

That is pretty much all you need to know about getting into DFIR, excelling in DFIR, getting promoted in DFIR, achieving your highest potential in DFIR, and hiring people in DFIR. It fairly well sums up what I teach.

There are so many courses that I’ve taken that focused solely on a tool or a set-in-stone process without ever touching on problem-solving. The practical exercises are almost always perfected by the trainers beforehand, and everything works perfectly. Students walk out of classes thinking they know the buttons to push and all cases are solved.

Students then learn afterward that they must be doing DFIR work wrong because of the problems that continually pop up, totally unlike the training!  What they fail to recognize is that DFIR is a problem-solving field. Obstacles are expected to exist in every engagement, to the point where if you don’t have any obstacles, you probably missed them! This is a training failure point. 

I screwed up, a lot

In terms of the number of hours of professional training that I have taken, I stopped counting at 2,000 hours. In none of the courses has any instructor outright said that they made mistakes, make mistakes, or that mistakes are allowed in order to learn. This should be the opposite! 

Side note: I do not advocate making mistakes intentionally so that you will improve! I advocate to try not to make mistakes.  You will make mistakes and errors anyway no matter how hard you try!

Anyone competent enough to teach a skill should be confident enough to talk about mistakes and errors that they have personally made in that skill. Any person who claims to be free from errors and mistakes is not credible to teach, because they have not learned or not tried to do what they are teaching, or not being honest.

At the Magnet Forensics' summit in Nashville, I crammed two decades of my mistakes into an hour. I could have rambled on for another 2 weeks straight without breaks, but an hour was more than enough to prove a point.

Note: making mistakes and not learning from them means making the same mistakes over and over again. 

.@Brett_Shavers is starting the day off with a story time keynote #MUS2023 pic.twitter.com/ZbqDR7o9k4

— Kevin 🤖🕵️🍺 (@KevinPagano3) April 19, 2023

My objective in this keynote was to have everyone breathe a sigh of relief that their mistakes are okay, expected, and are needed to improve, but only if they learn from the mistakes each time that they will happen.

Kudos to Magnet for allowing such a keynote of errors and mistakes!

If you shy away from talking about or admitting to your mistakes because of embarrassment, I give you permission to use me as the example of having made that mistake already for you. I’ve already copped to it, paid for it, and moved on.  You just need to hop onto my errors and you can move forward too.

Figure it out

I wrote about figuring out problems a few years ago (https://brettshavers.com/brett-s-blog/entry/i-don-t-need-to-learn-just-give-me-the-answer) and I still believe this is the most important skill to have over absolutely anything. If you cannot solve problems, you are worth only as much as you can follow a checklist in a process that never has problems.  But if you can “figure anything out”, you value is near priceless.

Practice until you get it right and then practice until you can't get it wrong

Practice does not make perfect. Perfect practice does. With every key that you press on the keyboard, be mindful of what you are doing. Do it better each time. Be aware of what you are doing. You should not be on autopilot when dealing with data in a DFIR case!  Just like driving, you have to be aware of obstacles, distractions, and unexpected disasters just waiting to happen.

When your perfect practice makes perfect, your errors will be minimal, the impact on the cases will be minimal, and you will have good learning experiences. When you are lazy, apathetic, or complacent, your errors will be mistakes and the learning will be painful. That is if you choose to learn from them.  Otherwise, this is a career of constant pain and stress.

The DFIR Investigative Mindset

Through plenty of failures with investigations that I have had, the one thing that makes successful conclusions is being able to figure out solutions to obstacles using whatever means is at hand. That is also how I teach a DFIR investigative mindset, and how I prefer to be taught. Teach me the why and I’ll be able to figure out the how in any given situation.

It is true that the more tools that you have in your toolbox, the more problems you can solve, and more that you can solve difficult problems. But you need to have an investigative mindset first, otherwise, your tools are as useful as a fish using a hammer.

When your brain is turned into an investigative mindset, you see everything differently. Distractions are blocked, attention is focused on seeing (and observing!) evidence, and inferences scream out to you. To the outsider, this looks like magic when you solve the unsolvable, or solve cases in half the time because you can see the totality of the circumstances and the specifics of an incident.

Practical vs Academic

Everyone who has heard me speak knows that I am not an academic. Although I have taught graduate-level programs, I have never taught the academics of digital forensics (which at times irked schools….). I appreciate academia in giving practitioners incredible information in this field, otherwise, practitioners would not be as incredibly effective as they are today. But as for me, I appreciate practitioners teaching practitioners what they need to do both physically and mentally to do the job and succeed.

Get your brain into a DFIR Investigative Mindset and you can learn anything in this field, do anything in this field, solve any problem in this field, and look like a magician to everyone when you accomplish the impossible.

Mistakes in any career field are inevitable. And much like car accidents, the severity of a mistake can range from a simple ‘oops’ to something more disastrous and permanent.  In the DFIR field, errors and mistakes will usually fall in the more serious of the bad results because a DFIR investigation typically involves life, liberty, or the pursuit of happiness being at stake.

The dilemna is that DFIR work must be accurate and true, but we know there will be errors and mistakes.  

What about this ‘evidence storage device?’

There is not a time where I touch physical or electronic evidence that I do not pause for a split second and remind myself of what I am touching. This instantly puts me in the frame of mind to focus, to evaluate, and to plan what I need to do with that evidence.

This is no different than anytime I touch a firearm. Or drive a car. Or pick up a baby (although, has been a long time since I held a baby…).  Touching anything that can or will have an incredible impact on others or myself is not a simple thing.  Seeing a reckless driver on the freeway shows me a person who doesn’t get it and a wreck is in the future.  Seeing a forensic examiner haphazardly handle drives shows me that mistakes will be happening at some point in that examiner's case.  

There is rarely a training or talk that I do where I do not give the same ol’ advice in the form of a self reminding statement, like, “This is an evidence storage device.”

An evidence storage device, whether it be a flash drive or a server room, stores evidence.  It is a key component to a DFIR investigation.  Recognizing that you can ruin the investigation by altering or destroying evidence should be the most motivating factor in taking care of it.

Stupid basics?

I dare you to say to yourself, every time you touch evidence, “This is an evidence storage device” and not have that one sentence give you some motivation of care that you didn’t have prior.  This is so basic but essential to preventing mistakes.

Vince Lombardi, when training the Green Bay Packers, began training with his statement of “This is a football” to reinforce that mastering the basics is the magic of the advanced skills.  Lombardi went on to win 5 NFL championships and never had a losing season....due to focusing on the basics.

The intention of saying to myself “This is an evidence storage device” is to remind me that no matter how times that I handled evidence correctly before, today could be the day that I mess it up by being complacent, lazy, or overconfident. 

Any DFIR investigation (you might call these “exams” or “analysis”) involves at least one alleged victim. Your duty is to uncover the activity on the devices, which will either prove or disprove the allegations.  When you do this wrong, when you err, and when this happens because of your lack of care, you will be the one victimizing the victim a second time. 

On my desk, no matter where I have worked, I have had a small disk drive sitting on it. On this disk drive is a sentence that I wrote that says, “This is an evidence storage device - Brett Shavers.”   It is a constant reminder to me that any storage device may have evidence on it and I am its care-keeper, its examiner, its interpreter, and its voice.  I am accountable to what happens to it and for accurately telling the story that exists on it.

The next time you touch evidence

Try it.  Say to yourself or say out loud, “This is an evidence storage device.”  See if you feel different.  Question if you look at the device with a more careful and attentive eye than if you simply and robotically picked it up.  If you do, you will have greatly reduced your chances of making an error in that case, because your focus is on the evidence.  Isn’t that where your focus should be?

So, if you are ever asked why you say, “This is an evidence storage device” when you touch evidence, the answer is simply because you want to reduce the risk of making mistakes.