Let me dispel your notion of what an “expert” is. An expert is someone who has more information than you. That’s it. Imagine being stranded on a deserted island with a group of people and only one knows how to fish. That person just became an expert on fishing.

The legal expert

There are legal definitions of an expert geared specifically toward testimony. In short, experts can give their opinions (interpretations) of facts in testimony, while every other witness can only testify to the facts obtained by first-hand knowledge. There is an exception of a lay opinion, but let’s stick to the high level for now.

Without getting deeper into the legal aspects of a court expert witness, everything below directly benefits becoming a court expert if you ever choose the path of the expert witness.

The community expert

The community expert is the person who knows more than most of their community. In DFIR, this would be the person that could probably be a legal expert, but not necessarily so. It may be someone who writes amazing forensic software, teaches at conferences or courses, writes and shares their work, and all the while, never going to court to testify as a court expert witness.

We have a lot of these experts in the DFIR community, whether they know it (or like it!) or not. We look up to them and glean as much information as we can to improve.

Who knows what

All of us in DFIR know something that all of us know. Things like, ‘what is a hard drive’ is something that everyone in this field knows. Don’t be surprised to hear that many people outside of the computer field do not really know anything about hard drives.  Within this example, there are those who are experts in hard drives, but as a high-level topic, we all know something about hard drives.

Then there are those in DFIR who know something that we don’t know. There are absolutely more people that know about reverse engineering malware at an expert level than me!  If your level of knowledge and skill of reverse engineering malware is not at the expert level, that does not mean you cannot be an expert at anything else, or that you even need to know anything about reverse engineering malware. We have our niches and thankfully, we mostly have different likes and dislikes!

And there are the things that you know more about than the rest of us in the community. This is where your expertise in a topic can shine.  Focus on this one.

Brett’s tip

Work on becoming a community expert from this moment for two reasons. One, you will grow professionally and personally from the effort, and two, the community will benefit from your efforts. This becomes a cycle of the more you work on your expertise, the more the community benefits, resulting in you having more data to become more of an expert.

What should you focus on? Any topic that interests you!  One recommendation would be to pick an artifact and learn all about it. Learn more than anyone else.  Test your assumptions. Validate your findings. And write about it. Talk about. Share it. Congrats. You’re on the way to becoming an expert in that artifact!  Maybe even the only expert in that artifact.

Another idea could be to pick a FOSS (free and open-source software) and master that tool! Help with its development and testing. Make that tool into a widely used community forensic app and BOOM! You’re an expert in it.

Why do you want to be an expert?

• *  Professional recognition (within your community)
• *  Career (get hired or promoted)
• *  Challenge (self-improvement without concern of others)
• *  Fame (media, publishing, teaching)
• *  Fortune (selling yourself but not literally)
• *  ___________ (your personal reason!)

How long does it take?

Some studies show it takes 10,000 hours to become an expert. Other studies 'debunk' the 10,000 hour studies, and still others write that in 2 hours, you can be an expert.  The thing that is left out in many of these studies is the subject of expertise. A world-class tennis player surely will need thousands of hours of practice to reach near perfection in tennis. As would a musician. Conversely, an information technology professional would need far fewer hours of practical application and testing to master a topic such as building a computer.

There is plenty of research online that you can read on the number of hours that research shows results in expertise. I believe that time is an important aspect of expertise, but absolutely not the only or most important aspect.

How to become an expert

Becoming an expert is simple, but that does not mean it is easy. Simple, as in, all you need to do is study, put into practical use, and know well enough to teach it.  This is not easy because it is work!

• *  Focused study (the learning of foundations)
• *  Diligent practice (the practical application)
• *  Teach others (writing and/or speaking)

Study is the foundation, as you can’t teach what you don’t know. Or more accurately, if you try to teach something that you don’t know, it will be painfully obvious to your audience. Diligent practice is completely different than practice. Taking piano lessons and throwing your fingers around for an hour just to fill an hour of practice is not just useless practice, it is detrimental in learning bad habits. Don’t just “read” a book on your topic: engage in the content!  Do not just test a theory, but deep dive into every aspect of it.

When you think you are ready to teach, then prepare to teach by checking everything you know. You will end up learning more, solidifying what you thought you knew, and now almost ready to teach. I say “almost” because teaching in itself requires practice and time to get it right! The mere act of teaching others does not mean you automatically are an expert. You have to be good at it too!

The road to being an expert

There are checkboxes to keep track of your path to expertise. Here are a few, and within each item there are dozens of DFIR related sub-items to fill the checkboxes.

• *  Publish works in trade publications, peer reviewed works, journals, books
• *  Speak at trade conferences, universities
• *  Research, test, and validate your works
• *  Get interviewed by media
• *  Be awarded grants, awards, fellowships
• *  Spend time in academic study
• *  Spend time with practical applications of your work
• *  Discover, invent, develop processes
• *  Peer review the work of others
• *  Have your work peer-reviewed by others
•  

Factors that affect time to reach expertise

Mentor/trainer/coach/formal education

Figuring out how to ‘do it’ takes much longer than someone showing you how it is done.  Finding your errors is difficult, but easy when someone is evaluating, critiquing, and mentoring you.

Both of my kids grew up with classical piano and violin lessons. They practiced every morning at 5AM. They practiced after school. They practiced a lot. The biggest lesson that I pushed was that it is better to have perfect practice for an hour than a thousand hours of bad practice. Practice makes permanent, and that is a difficult task to undo. Mentors can check your work, critique it, and enforce the drive for perfection over the drive to compile hours of useless work.  Practice does not make perfect! Perfect practice makes perfect.

Hands-on versus academic research

An expert can solely be a pure academic without much (or any) practical application. An expert can also be a practitioner with virtually no academia.  A mix of both absolutely will reduce the length of the path to expertise.

Trying to master everything or one thing

The bigger the pie you want to be in expert in, the longer it will take to become an expert in it. If you want to be an expert in all-things “Digital Forensics and Incident Response”, you may need more than two lifetimes!  However, if you want to be an expert in “Internet forensics” or “prefetch artifacts”, then you can do that in shorter order, certainly within your lifetime and probably within the next 12 months.

Pick your target. Make sure that it is a reasonable goal. Focus on it and work towards it.

Reaching the plateau

There is a plateau, but you don’t want to get there. As soon as you stop learning and growing, you will have plateaued. Any expertise that you gained fades exponentially as time goes by. Choose to plateau when you no longer need the skill that you mastered.  The DFIR field is an ever-growing and dynamically changing field that needs constant upkeep to keep up, let alone excel in.

Sharing is a big part of improvement

The more that you share your work, along with being open to critical responses, the faster you will reach the expertise you are working toward. If you ignore or do not want to accept critiques, go ahead and put that lawn chair out on your plateau, because that is the result of not evaluating the community evaluation of your work. The more open to suggestions of improvement, the more you will improve.

Who is eligible to be a DFIR expert?

This is an easy one. Anyone. Literally anyone with the drive and determination regardless of background or any individual characteristics can be expert in their youth or old(er) age.  It is never too early and never too late. Whew!

You might be an expert already

You might have read through this post and realized that you have already done everything, but never considered yourself an expert. When you realize this, there one suggestion that I have for you.

Know when it is the time to be humble, and when it is time to bring out the expertise credentials, and know when you are an expert.

Your expertise can (is!) the key to someone else learning, growing, inventing, and discovering amazing DFIR things that are waiting to be found. Your expertise can bring the truth into a legal case based on your opinion and interpretation of facts and evidence. Experts carry an enormous responsibility.

There is no shame in being an expert. If for no other reason, become an expert to be more than competent in your job. I don't recommend shouting from the rooftops that you are an expert, but I do recommend acting as an expert when needed. Everyone will benefit, appreciate, and grow from it.

PS. There is no magic formula, cheats, or vitamin that exists to make you an expert. It is all up to you to make it happen!

Almost two years ago, I wrote about burning out in DFIR (“Only race cars should burn out"). I still stand by what I wrote at the time and if you haven’t read the post, take a read of it to maybe get a tip or two that could be helpful for you or someone you know.

I want to peel back one aspect of preventing burning out that some take too far, which is not doing any DFIR activities on your personal time. There is a fine line between work and personal time, in that keeping both separate from each other is healthy and necessary. However, that line is different for each person and it shifts back and forth during each person’s career. The more skilled that you become, the less time you need to maintain your skills. I find it difficult to have a bright line that no DFIR professional development using some personal time is reasonable.

The short version

The longer version.

What does this have to do with doing DFIR stuff on your own time?

While in the Marines, I married and my new wife made sure that work and home were separate, and that both lives supported each other. Later, in police work (especially when doing undercover work for years), the line between work and home was still solid, and still supportive of each other.  By supportive, I mean that each life (work and home) had focus during each respective shift, in that, when at work I focused on work and when at home I was an active and involved family participant.  I did my best to avoid working at home and also avoid bringing my family life into work. That was my bright line. Your mileage may vary. Understandably, some things are unavoidable no matter what you do.

Working at home (not working from home)

Working from home is not the same as working at home. By working at home, I mean bringing your work into your home when it should be left at work. You know what I mean…working on that exam or report in your off time, away from work because you “need” to get it done, many times without compensation from your employer.  Doing this on a regular basis cracks open the burnout door. This is working at home when you should be working on home. Any employer who overtly or subtly requires this type of unhealthy work ethic will eventually see the destruction of that employee's home and work life.

Back to those tweets and the competition

I have hired and managed people in the field (and let some go) and although I have never implied or required anyone to work at home, I have fully supported their professional development outside of work hours. This is the difference that I feel is imperative to state. If you want to be a competitive hire, advance in your field, or improve your skills, you probably need to spend some of your off-work time on professional development.

For entry-level positions, it is cutthroat. For higher-level positions, it is cutthroat. For promotions, it is cutthroat. Unless other factors are in play, such as favoritism, every single person competes with everyone else to get the job, the promotion, or even be assigned the “best” cases.  Doesn’t this make sense? Shouldn’t the most qualified person be selected? Of course, it does!

Listening to advice is risky, but necessary. It is risky because the advice may not apply to you and only apply to the person giving you the advice. It is necessary because none of us know what all of us know. For example, you might be told to “never improve your skills on your own time unless your work pays for it”, or that “you should only improve yourself at work”. This might be good advice to someone who already has a high skill level but terrible advice for someone without experience or recently learned skills.

Take advice with a grain of salt. Maybe it applies to you. Maybe it does not. Either way, you won’t know for sure until the results are in on whether the advice was good or bad (for you) after it is too late to change your mind. In the end, we are each responsible for the decisions we make. Even fully taking the advice from any person that results in absolute failure is the responsibility of the person making the final decision, not the advice-giver.

Professional development

When I hear DFIR professionals encourage new or not-so-new practitioners to not improve themselves on their personal time, I take a look at who is giving that advice. Have they not taken professional development, continuing education, or college courses on their own time away from work? Have they not read a technical book in their free time, or paid for books with their own money? Have they not ever turned on a computer to test a theory that popped in their head while at home? Or have they held true to their advice of only improving their skills while being paid at work which resulted in their current success? My guess is that most have spent quite a bit of time in their personal life to at least be competitive enough to create opportunities for themselves.

Side story: I was given a comp registration (free!) to a DFIR conference that I was speaking at a few years ago to give away. I offered the seat to someone that I felt could use it since he worked less than 10 miles away from the conference venue. His agency approved his attendance at the conference to attend on his work time (vacation not needed!) but the agency wouldn’t pay for his meals as it was physically a 5-minute drive from his office. What was his response? He turned down the conference! He said that he will not spend any time or money outside of work to learn forensics because he expects his agency to pay for everything. I found someone else that took the offer..and they paid for their meals.

I tell this story as an example that there are some decisions on how much sacrifice you are willing to make to improve your skills. In this example, it was the cost of 2 lunches and 1 dinner, which he paid anyway since he certainly ate during those days of the conference while he was at work instead of attending the conference .  For him, his line was absolutely not a penny spent from his pocket or second used from his personal time to better his skills.

The point

Know the distinction between:

** Working at home

** Working from home

** Improving your skills in your personal time

** Improving your skills on your work time

There is a time and place for everything. Manage the time. Manage the place. If you have the belief that your employer is responsible for improving your skills, I can promise that you will be stunted in your skill growth.

It is within your personal time that balance is important to manage. If your personal life fails, your work life will not be far behind. Balance results in the exponential growth of personal and professional, while the imbalance in one or the other will wreck both.

Generally, work time is immovable, and you should only work during work time (minus breaks). You are being paid to work, so this makes sense. Good management ensures that you have a good work workload balance.

Your sleep time should be solid too. Some nights might be shorter than others because of emergencies, but again, generally, you need to maintain good sleep habits. This is your responsibility.

But for your personal time, balance is much more difficult! Family time, hobby time, vacation time, and basic free-to-do-nothing time is bunched together here. This is 100% your responsibility to maintain and balance. You can’t increase it without affecting something else, but you can manage the best use of it. Anything you add to it will decrease some other parts of it.  If you add too much, then sleep gets whittled away. Add more and perhaps work becomes negatively affected.  Or if you stretch out work, your sleep and your personal time gets robbed.

You and I both have 24 hours in a day and cannot change it. It is how we fill that time that matters.

Summed up!

You make your own decisions based on the information you have at your disposal. Balance your personal life with your work life. Maintain balance within your personal life with professional development that benefits your entire timeline and does not detract from it.

You can have a career without any professional development and without ever spending a minute outside of work on your competence building. But you can also choose to spend time, as needed and as reasonable, to develop your skills using some of your personal time.

Short version: Any social media platform can be compared to the biggest, greasiest cheeseburger that you can find.  You know that the cheeseburger is unhealthy, but you choose to eat it anyway.

TikTok is worse for you than a cheeseburger

Many of us mis/use the Internet by installing apps that we know collect our data. We tweet, share, post, repost, reshare, retweet, and say little (if anything!) about the dangers of the platforms that we use.  It is a “risk worth taking to connect with friends and family online.” 

We partake in this ocean of data collection platforms because, like the cheeseburger, we are willing to willingly trade our personal data and intimate details of our Internet behavior to strangers for something that we want even though we know it is not good for us.  And like eating a cheeseburger yesterday, a new day begins today, and we are seemingly unharmed from yesterday’s use of these platforms, which encourages us to eat another cheeseburger (I mean, log into TikTok again).  We justify this unbalanced trade so that we can “connect” with friends and family online.

TikTok is like a triple stack, bacon cheeseburger.

Every person working in any aspect of “information security”, from the IT admin to the deep-diving forensicator, knows all about how social media platforms are purposely developed for the collection of data of its users. We know without doubt that the sole purpose of these platforms (ie, the code) is to collect personal data from users to specifically sell it. Yet, here we are using them, to connect to friends and family.  To be honest, we also know that one day, all of the unhealthy cheeseburgers will hit us hard one day. But we ignore that warning.

We are all breached

In defense of using “malicious” social media platforms, I hear the argument often that since the breaches have already happened, we have nothing left to lose.  It is true that our personal data has been breached, leaked, stolen, and sold multiple times. Our DOBs, SSNs, and mother’s maiden names have all been collected by hackers many times over and we used to treat our DOBs and SSNs as practically TOP SECRET information! But now, for less than five bucks, you can get anyone’s DOB and SSN in minutes.  For a little physical effort on a keyboard, you can probably find it for free.

The point that I stress is that our behavior is being collected. Our behavior speaks volumes more than our biological identity, especially when behavior is tied to an identified person.

Sure, when Facebook monitors your website visits, this is collecting your behavior, but even that is not what I am talking about. Facebook wants your browsing history and purchasing history so that it can make money from your Internet behavior. If Facebook informed every user in big, colorful letters that it is providing Facebook free in exchange for users’ Internet history and personally identifiable information, they would lose exactly no users. No one cares because the effect is almost unnoticeable. By the way, I am not defending Facebook in the least bit.

An entirely different level of ‘breached’

I consider every social media platform as malware even as I also use social media. How bad is that!?!  The most devasting impacts of social media platforms is not the selling and reselling of our phone number in order for a company to sell us something. It is not about being sent targeted ads. It is about the type of our information that is not being sold which is the worst kind of breached: our offline behavior.

Online dis/mis/information directly modifies our offline behavior, both intentionally and unintentionally by Internet platforms and other users. A person or persons in one country can cause a person in a different country to behave against their best interests or against the interests of their own country through misinformation, disinformation, and even with bullying online behavior. This can happen to corporations and even to governments, or more accurately, by corporations and governments.

We know it, but we ignore it, because we like cheeseburgers

TikTok is clearly malicious. Your PII and offline behavior are both being captured.  TikTok is malicious in the clear definition of being malicious. Data is collected surreptitiously for bad purposes, in the sense of marketing of “TikTok is totally free; we are not taking any personal information <wink wink>.”

A guy on reddit reversed engineered #TikTok

Here’s what he found on the data it collects on you

It’s far worse than just stealing what’s on your clipboard: pic.twitter.com/oqaQyYDXT2

— Dan Okopnyi 🇺🇦 (@d1rtydan) June 28, 2020

This is an unstoppable train

The train has left the station: Offline behavior of geolocation data, smartphone contacts, IP addresses, personal photos, bank account information, connected apps, the places you regularly visit, the routes that you regularly use, and the dates and times of your travels and destinations. All of this is in the hands of the developers of the apps on your device.

With the right machine learning, the right artificial intelligence, and the right intuitive design of an effective operation, you could start riots, create race wars, bankrupt corporations, shutdown economies, sway elections, and even start kinetic wars between countries based on this information.

No, I am not overreacting

In 2013, in a book that I wrote, I stated that “…mobile devices are practically an attached GPS device on the user.”  I should have added “…without needing probable cause for a warrant.”  And could have added, “…and can be used as an effective behavior modification device.”

All of this is already happening. It’s not a new method of warfare. Psychological operations have employed for many wars for as long as humans have warred.  The only difference is that with the Internet, PsyOps is more effective, easier, and quicker to see results. Where a few decades ago, a PsyOps campaign may not see results for months or years, we can see results in mere days and hours. Push the right buttons on the right person and a riot is sparked.  Our devices not only give our location but also collecting the identity of those near us who also have connected devices. Think about it: a gathering of any social group can be completely identified in minutes by date, time, location, and the personal contacts between people based on the physical distances of each person's mobile device.  What could you do with that information if you wanted to modify the behavior of a group?

I am past preventing the misuse of PII or collection of offline behavior. I think all of us should move past that, including our government. For as long as people use the Internet, this information will be collected maliciously or with consent. The more effective measure is what to do about the effects of what we cannot control. How do we correct our misdirected behavior created by trolls and enemies? How do we separate what is fake from what is real? What is our countermeasure?

We can ban malicious apps today, but without question, others will come tomorrow. Apps that we assume to be non-malicious today can easily turn malicious with the change of a few lines of code at any time of use. If not the app itself, malicious insiders will always, and have always, stolen and sold information to adversaries. We can't blot out the sun but we can put on sunscreen.

A forensics-thinking approach

One thing about the digital forensics mindset is that everything in the electronic data world is questioned during an analysis. No competent forensic analyst will blindly accept the date of a file as being the actual date of the file without some corroborating data. One point of circumstantial evidence is just an opinion.  We need more than a single point of data to separate a fact from opinion.

The same holds true for every social media platform. We cannot blindly accept that our use of any platform is free from being used to harm others or ourselves by malicious actors or even the platform provider (sometimes they are the same!).  Bots, puppet accounts, and hijacked accounts are most always trusted at first glance, and many times, continue to be trusted until it is too late.

Question everything that makes you question questions

One of the traits that makes a good investigator is listening that little voice in your head that asks, “Why…”.  You have an ability that raises red flags and gives doubt, but you have to act upon that ability. Humans are too quick to accept what they see or hear, and thereby not question it.  Have you ever walked into a new restaurant, got a bad feeling, ate there anyway, and ended up regretting it? That's what I mean. Find the answers to the questions of the little voices* that you hear.

In a digital forensic case, acting on uncorroborated evidence can result in case dismissals, or worse, wrongful convictions. In the offline world, acting on uncorroborated information can result in personal and physical attacks on innocent people or worst, the complete breakdown of a society.

There are no coincidences

I did some time in military intelligence units and one of the things that I learned was that there is no such thing as a coincidence. Anything that happens, happens for a reason and someone was behind it happening. I carried that experience and training into undercover investigations in law enforcement by creating "coincidences' in my cases. It was a simple op to gather intel on criminals and 'coincidently' to bump into them to develop relationships without having to be introduced. These planned coincidences resulted in going from zero in a case to practically being #2 or #3 in an organization.

The Internet is no different. There are no coincidences on the Internet. Everything has a purpose and plan. Whether individuals create dissent, or they are useful idiots in a bigger operation by organizations or nations, consider that there is something behind everything if it is on the Internet. More so with the "free" social media platforms.  You are not the product in these scenarios. You are the pawn.

The hard way of surveillance

At a federal task force, my group needed to come up with a plan to install listening devices in a house. The house was irregularly occupied and of course, always locked. The team that actually installed the devices had a plan. We created a 'power-line down' ruse in the neighborhood to stop all incoming traffic, the install team broke into the house through the garage, cut a hole in the wall to access a room, installed the devices and software, repaired the hole that they cut out, and left undetected. That was a major operation and the occupants didn't have a clue until they read the affidavit...

In another case, I needed to install a hardwired-GPS on a vehicle that was extremely difficult to catch at a place for the installation. The only way feasible was to get a search warrant to steal the car, order a key from the manufacturer, install the GPS after 'stealing' it, and then "report" the stolen car to local PD as a stolen recovery.  Again, lots of work just to install a GPS.

Today, if I were a spy and wanted to do these things, I would walk down the hall to the computer team and request development of a free, social media app. Then I would market it like crazy to the country/countries of choice.  And monitor it and wait until my targets, or the children of my targets, or the friends of my targets installed the app. Then I would be in their home, quite literally in the sense of being able to hear and see anything. And potentially influence them. Or I could influence the populace slightly by pushing a few key users into a pre-planned direction of disruption. Not that this could be happening now.........I wonder if I could get law enforcement officers, political figures, movie stars, and their children to use my app?

A step in the right direction

Be prepared to address what is coming. Be prepared with solutions to the problems when people start complaining. When your government wants to implement an overreaction to a perceived problem, be prepared to have a better-measured response. 

Consider the current encryption debate. The government can’t break encryption, so their solution is banning encryption altogether (a backdoor is an encryption ban, fight me if you want). Any person in information security knows that this is not only an over-reaction, but it will be the biggest detriment to security in the history of security. There are better solutions. One would be for investigators to do better jobs in their investigations rather than outright ban encryption.

We are all smart enough to know what is happening with the breaches, the leaks, and the malicious social media platforms. If the data is not being sold for profit, it is being caressed into a format useful for warfare (cyber or otherwise).

As a side note, every country is doing this to their own countries in the search of potential dissidents and criminals. Remember that what you do today may be illegal or unacceptable tomorrow. Some governments may allow for the past to go unpunished, which other governments may (will) retroactively punish past behavior that was legal at the time but subsequently made illegal.

You Should Already be in Condition Yellow

Anyone working in the infosec field should be in Situational Awareness Condition Yellow. Being aware of threats now decreases the time between identification and action which thereby increases your odds of success to handle threats.

Of course, we are aware of the threats that the Internet holds for society. From cyberbullies pushing victims toward suicide through nation-states creating internal turmoil in their enemy’s countries using online PsyOps. But being aware is only one step. We should be thinking of countermeasures and remedies.

Be ready for when those in Condition White begin to overreact, you can bring them down to Yellow when they go straight to Red without a plan. No one wants to hear from complainers without solutions, and by being ready with something, you will be further ahead and maybe we can get this right the first time.

Until then, cut back on the cheeseburgers because the day to pay up for those burgers will be here soon enough.

*by little voices in your head, I mean "gut feeling", "intuition", "bad feeling", "paranoia", or anything else describing the feeling that something not quite right.