I recently posted a webinar on the DFIR Investigative Mindset, which is a snippet of a program I’ve occasionally taught internally over the past years. 

I distilled a major component of the DFIR Investigative Mindset for this post into seven words:

DFIR is a mindset, not a skillset.

That is pretty much all you need to know about getting into DFIR, excelling in DFIR, getting promoted in DFIR, achieving your highest potential in DFIR, and hiring people in DFIR. It fairly well sums up what I teach.

There are so many courses that I’ve taken that focused solely on a tool or a set-in-stone process without ever touching on problem-solving. The practical exercises are almost always perfected by the trainers beforehand, and everything works perfectly. Students walk out of classes thinking they know the buttons to push and all cases are solved.

Students then learn afterward that they must be doing DFIR work wrong because of the problems that continually pop up, totally unlike the training!  What they fail to recognize is that DFIR is a problem-solving field. Obstacles are expected to exist in every engagement, to the point where if you don’t have any obstacles, you probably missed them! This is a training failure point. 

I screwed up, a lot

In terms of the number of hours of professional training that I have taken, I stopped counting at 2,000 hours. In none of the courses has any instructor outright said that they made mistakes, make mistakes, or that mistakes are allowed in order to learn. This should be the opposite! 

Side note: I do not advocate making mistakes intentionally so that you will improve! I advocate to try not to make mistakes.  You will make mistakes and errors anyway no matter how hard you try!

Anyone competent enough to teach a skill should be confident enough to talk about mistakes and errors that they have personally made in that skill. Any person who claims to be free from errors and mistakes is not credible to teach, because they have not learned or not tried to do what they are teaching, or not being honest.

At the Magnet Forensics' summit in Nashville, I crammed two decades of my mistakes into an hour. I could have rambled on for another 2 weeks straight without breaks, but an hour was more than enough to prove a point.

Note: making mistakes and not learning from them means making the same mistakes over and over again. 

.@Brett_Shavers is starting the day off with a story time keynote #MUS2023 pic.twitter.com/ZbqDR7o9k4

— Kevin 🤖🕵️🍺 (@KevinPagano3) April 19, 2023

My objective in this keynote was to have everyone breathe a sigh of relief that their mistakes are okay, expected, and are needed to improve, but only if they learn from the mistakes each time that they will happen.

Kudos to Magnet for allowing such a keynote of errors and mistakes!

If you shy away from talking about or admitting to your mistakes because of embarrassment, I give you permission to use me as the example of having made that mistake already for you. I’ve already copped to it, paid for it, and moved on.  You just need to hop onto my errors and you can move forward too.

Figure it out

I wrote about figuring out problems a few years ago (https://brettshavers.com/brett-s-blog/entry/i-don-t-need-to-learn-just-give-me-the-answer) and I still believe this is the most important skill to have over absolutely anything. If you cannot solve problems, you are worth only as much as you can follow a checklist in a process that never has problems.  But if you can “figure anything out”, you value is near priceless.

Practice until you get it right and then practice until you can't get it wrong

Practice does not make perfect. Perfect practice does. With every key that you press on the keyboard, be mindful of what you are doing. Do it better each time. Be aware of what you are doing. You should not be on autopilot when dealing with data in a DFIR case!  Just like driving, you have to be aware of obstacles, distractions, and unexpected disasters just waiting to happen.

When your perfect practice makes perfect, your errors will be minimal, the impact on the cases will be minimal, and you will have good learning experiences. When you are lazy, apathetic, or complacent, your errors will be mistakes and the learning will be painful. That is if you choose to learn from them.  Otherwise, this is a career of constant pain and stress.

The DFIR Investigative Mindset

Through plenty of failures with investigations that I have had, the one thing that makes successful conclusions is being able to figure out solutions to obstacles using whatever means is at hand. That is also how I teach a DFIR investigative mindset, and how I prefer to be taught. Teach me the why and I’ll be able to figure out the how in any given situation.

It is true that the more tools that you have in your toolbox, the more problems you can solve, and more that you can solve difficult problems. But you need to have an investigative mindset first, otherwise, your tools are as useful as a fish using a hammer.

When your brain is turned into an investigative mindset, you see everything differently. Distractions are blocked, attention is focused on seeing (and observing!) evidence, and inferences scream out to you. To the outsider, this looks like magic when you solve the unsolvable, or solve cases in half the time because you can see the totality of the circumstances and the specifics of an incident.

Practical vs Academic

Everyone who has heard me speak knows that I am not an academic. Although I have taught graduate-level programs, I have never taught the academics of digital forensics (which at times irked schools….). I appreciate academia in giving practitioners incredible information in this field, otherwise, practitioners would not be as incredibly effective as they are today. But as for me, I appreciate practitioners teaching practitioners what they need to do both physically and mentally to do the job and succeed.

Get your brain into a DFIR Investigative Mindset and you can learn anything in this field, do anything in this field, solve any problem in this field, and look like a magician to everyone when you accomplish the impossible.

Mistakes in any career field are inevitable. And much like car accidents, the severity of a mistake can range from a simple ‘oops’ to something more disastrous and permanent.  In the DFIR field, errors and mistakes will usually fall in the more serious of the bad results because a DFIR investigation typically involves life, liberty, or the pursuit of happiness being at stake.

The dilemna is that DFIR work must be accurate and true, but we know there will be errors and mistakes.  

What about this ‘evidence storage device?’

There is not a time where I touch physical or electronic evidence that I do not pause for a split second and remind myself of what I am touching. This instantly puts me in the frame of mind to focus, to evaluate, and to plan what I need to do with that evidence.

This is no different than anytime I touch a firearm. Or drive a car. Or pick up a baby (although, has been a long time since I held a baby…).  Touching anything that can or will have an incredible impact on others or myself is not a simple thing.  Seeing a reckless driver on the freeway shows me a person who doesn’t get it and a wreck is in the future.  Seeing a forensic examiner haphazardly handle drives shows me that mistakes will be happening at some point in that examiner's case.  

There is rarely a training or talk that I do where I do not give the same ol’ advice in the form of a self reminding statement, like, “This is an evidence storage device.”

An evidence storage device, whether it be a flash drive or a server room, stores evidence.  It is a key component to a DFIR investigation.  Recognizing that you can ruin the investigation by altering or destroying evidence should be the most motivating factor in taking care of it.

Stupid basics?

I dare you to say to yourself, every time you touch evidence, “This is an evidence storage device” and not have that one sentence give you some motivation of care that you didn’t have prior.  This is so basic but essential to preventing mistakes.

Vince Lombardi, when training the Green Bay Packers, began training with his statement of “This is a football” to reinforce that mastering the basics is the magic of the advanced skills.  Lombardi went on to win 5 NFL championships and never had a losing season....due to focusing on the basics.

The intention of saying to myself “This is an evidence storage device” is to remind me that no matter how times that I handled evidence correctly before, today could be the day that I mess it up by being complacent, lazy, or overconfident. 

Any DFIR investigation (you might call these “exams” or “analysis”) involves at least one alleged victim. Your duty is to uncover the activity on the devices, which will either prove or disprove the allegations.  When you do this wrong, when you err, and when this happens because of your lack of care, you will be the one victimizing the victim a second time. 

On my desk, no matter where I have worked, I have had a small disk drive sitting on it. On this disk drive is a sentence that I wrote that says, “This is an evidence storage device - Brett Shavers.”   It is a constant reminder to me that any storage device may have evidence on it and I am its care-keeper, its examiner, its interpreter, and its voice.  I am accountable to what happens to it and for accurately telling the story that exists on it.

The next time you touch evidence

Try it.  Say to yourself or say out loud, “This is an evidence storage device.”  See if you feel different.  Question if you look at the device with a more careful and attentive eye than if you simply and robotically picked it up.  If you do, you will have greatly reduced your chances of making an error in that case, because your focus is on the evidence.  Isn’t that where your focus should be?

So, if you are ever asked why you say, “This is an evidence storage device” when you touch evidence, the answer is simply because you want to reduce the risk of making mistakes.

In this thing of ours, the world of digital forensics, there is one thread that ties us all together: the truth. All else is malleable.  Processes improve. Technology changes. Laws are added. Training morphs.  But the thing that remains unchanging is the truth.  We must speak it. We must live by it.  We must defend it.

I know that you are thinking that this post is simply reminding you to be truthful, but it’s more than that. Let’s start with this example (keeping politics aside, imagine this being someone in DFIR):

A liar will not be believed even when he speaks the truth.  AESOP

The point of this video is that credibility was lost because lies were uncovered.  I chose it because of the simplicity and public nature of the video. In nearly all other aspects of life, lying can get you promoted, elected, hired, and even married. The ramifications of getting caught lying generally affect nothing more than what you received in return for lying.

In DFIR, lying is different.  Lying, at best, ends your career.  At worst, innocent persons could be convicted or the guilty may go free, and you earn a perjury charge to top it off. Much like staying healthy, being known as truthful is not a box that you can check on Monday and never worry about it again.  Being truthful is a box that you must check every day.  The day that you neglect to check the honesty box and lie in a report or on the stand is the day that all your past truths are now questionable.

Not more than 2 years ago, I peer-reviewed reports where the examiner clearly omitted information in his report to the point that it was (at least to me) written to clear the guilty.  The rebuttal reports and exam showed this intention as blatantly obvious. That is not a good look by intentionally omitting facts.

In another recent case, I observed two (government) witnesses lying under oath. To be honest, I was in complete disbelief in what I heard and read because there was absolute evidence to the contrary. Even the judge was visibly and verbally stunned.

There are cases where I have not been involved in where expert witnesses have lied under oath. This is not uncommon to the point that an attorney client that wanted to retain me believed that all experts are liars. I didn’t accept his retainer simply because he wouldn’t believe a truth from an expert if he heard it since he has heard so many lies.

Tips to save your career

Tell the truth even if it hurts.  Especially if it hurts, tell the truth. Many times, I have had attorneys tell me “I appreciate your candor” in a manner that they didn’t like what I had to say, but they were grateful to hear it.

Distance yourself from liars. This is not always easy, but important.

The essence of a lie is the intention to deceive. - M. Prideaux 

Call out any lie that touches you. If you let a lie that touches you continue undefended, you could be seen as agreeing and supportive of that lie. Some lies may be inconsequential (like a personal matter with someone) that a reply is not warranted. But those lies that affect more than a comment made against you anger needs to be addressed with facts. Imagine knowing that a co-worker intentionally lied to cover up malfeasance or incompetence in a case that you are also working! You will be in the same boat with silence.

I don’t know

On the stand, I cannot count the number of times that my answer was “I don’t know.”  If I did something, I say that I did it. If I didn’t do something, I say that I didn’t do it. If I know it, I say it. If I don’t, I say that I don’t. Filling in the blanks is like filling a hole on a sinking ship with Elmer’s glue.

A strong desire to be right

DFIR seems to draw the same type of folks into the field.  Driven to perfection.  Persistent in gathering facts. Curiosity to the point of breaking apart every bit of data. And a strong desire to be right. These are all great personality traits to have.

But there is a line between “strong desire to be right” and “will do anything to be proven right.” Being right in your analysis is supposed to mean that you did everything possible to corroborate and verify the information you recovered.   “Doing anything to be proven right” means that you did everything necessary to be right even if you are wrong.  One of these makes a great examiner and the other should not be working in DFIR.

Tips to stay truthful against pressures to ‘stretch the truth’

When asked by a client, attorney, or boss if you can simply omit the bad information, your immediate response must be ‘nope.’  When asked if you can stretch the truth, you may want to consider being even more forceful, that you won’t lie, even a little.  This has happened to me on three occasions with three different attorneys.  I fired all three attorneys as clients in each of these cases.

Cutting ties from those who pressure you to lie makes work so much easier. The pressures of any case is more than enough to handle without being pressured to embellish, omit, or outright lie.

If offered any amount of money, consider that this one payment may be your last and that your reputation is eventually going to be mud when the truth eventually comes out.  This kind of offer happened to me once.  I turned it down, of course.

Encourage everyone around you to be truthful. Compliment candor as if it was not common.  Good managers know this. In an environment where mistakes are openly discussed without condemnation, people will (1) more likely admit their mistakes, (2) feel comfortable to talk about mistakes, and (3) will help the remediation of mistakes.

If you can’t help but lie

Find a new career. Some career fields seem to require it.  Otherwise, there is no such acceptance of untruths in DFIR. Zero.