I read an article that China used technology to spy on users via their phones (https://www.theguardian.com/us-news/2020/dec/15/revealed-china-suspected-of-spying-on-americans-via-caribbean-phone-networks). 

Here is my white paper analysis.

#1 - If a device has connectivity with at least one other device, it can be,  has been, or will be compromised.

#2 - If a device has the ability for connectivity with at least one other device but isn't connected yet, see #1.

#3 - If a device is airgapped from any other device, it can still be compromised.

#4 - If a device has a speaker, someone you don't know can hear you.

#5 - If a device has a camera, someone you don't know can see you.

#6 - If one nation-state is monitoring your device, probably another one is too (maybe your own government!).

The good news is that criminals are more easily identified, tracked, arrested, charged, convicted, and incarcerated.

The bad news is that every bit of your life is logged somewhere, by multiple entities without your consent or knowledge.

Question I received: How long does it take before I can expect to get into a DFIR career?

Answer: It depends!

It depends on your available resources + available time + motivation to learn.

Meaning

The more of each of these that you have, the faster it will be. A lack of resources (software/hardware) means scraping together machines and free/open-source tools. A lack of time means squeezing in minutes here and there over a longer period of time.

A lack of motivation is the most important factor because, without motivation, you will never make it regardless of your available resources. Period.

Motivation

By the same token, motivation is the biggest factor to make up for a lack of resources.  Do not ever underestimate the power of motivation.  The sheer force of drive. The unstoppable energy of determination.  If you are driven to succeed in face of anything, then you will make it. It does not matter where you start from, age is irrelevant. Education level meaningless. Socio-economic background means nothing.

I say this full well knowing that someone with a high education or "elite" status in society with unlimited sources starts farther ahead than you or I. I say this because without motivation, resources are useless and any success is limited and a dead end. With motivation, there is no limit. You will have to work harder.  Study more.  Endure stress and keep moving forward against friends or family advice to quit. Others will appear to effortlessly pass you by. Everything will seem more difficult. And it will be.

Keep the pace

It is one foot in front of the other. That should be your focus. Your goal is not to master the entire registry at the same time that you have a goal to master Linux logfiles.  Learn a registry concept. Then a registry hive. And a key. One step at a time.  As long as you keep moving forward, you will move forward.

Mentor

Find one. Follow your mentor. Know that your mentor, whether you ever met or communicate, has gone through exactly what you are going through. Maybe they had an even more difficult time with circumstances you'll never know. The best mentor is the one that motivates you. It is the person that you know will pull you forward as long as you make the effort to make the effort.

An example of making the effort

When I was a much younger Marine, I had an aptitude for humping a pack (ie; long, forced marches carrying a heavy backpack).  I had the same pains as everyone else, blistered feet, sore back, muscle cramps, and lots of sweat! But I would never quit and never quit putting one foot in front of the other.  A new Marine behind me on one of the marches didn't do so well, but he tried.  So on a really long hump, I told him to grab ahold of my backpack straps (the straps that you use for your sleeping bag). I said, "Hold my straps and as long as you keep walking, I'll help."  The secret was, I didn't pull him at all, but he kept going. He learned that as long as he worked and did his part, he'd be able to keep up.  He never really needed to hold my straps that day, and he only needed it for a few minutes that he could do it. He just needed to know everyone goes through the same pains and understands, but if you do your part, everyone is there for you.

You are next

Know now that someone is going to look to you as a mentor, if not already.  You won't know who they are, but they are watching you. They are hanging on your every word.  They are inspired by you. They are motivated by you, all because they know you made the effort and didn't quit. There are more than a few peeps in DFIR that I watch like a hawk because they inspire me every day. On the days when I don't believe that I know enough, I fall back on my mentors and their work. I fall back on those who give a little of themselves by sharing, and speaking, writing, and teaching.  Do not be surprised that if and when we meet, I tell you that you inspired me.  You never know when something that you did or said made a difference to someone else who is also swimming in the ocean of DFIR information, trying to figure it all out. 

This thing we call "DFIR"

DFIR (Digital Forensics Incident Response) is simply one small part of the Information Security world (or cybersecurity). There are many sub-fields, cross-fields, and related fields, but none are DFIR. The people in DFIR are awesome. Infosec is one thing, but DFIR is something all by itself. I look at DFIR as the Green Berets of Infosec (or Navy SEALs, or Marines, or SWAT...take your pick, but you get the point). In those communities, everyone pulls more than their own weight. They work to excel in their respective expertise. They help each other. They work as team players. For this, DFIR has advanced and advances in skill and knowledge beyond practically any other field.If you are new to DFIR, welcome to the family.  If you have been here a while, be sure to hold the door open to the new folks. They bring a whole new world of motivation, innovation, and drive that benefits us all.

Let me dispel your notion of what an “expert” is. An expert is someone who has more information than you. That’s it. Imagine being stranded on a deserted island with a group of people and only one knows how to fish. That person just became an expert on fishing.

The legal expert

There are legal definitions of an expert geared specifically toward testimony. In short, experts can give their opinions (interpretations) of facts in testimony, while every other witness can only testify to the facts obtained by first-hand knowledge. There is an exception of a lay opinion, but let’s stick to the high level for now.

Without getting deeper into the legal aspects of a court expert witness, everything below directly benefits becoming a court expert if you ever choose the path of the expert witness.

The community expert

The community expert is the person who knows more than most of their community. In DFIR, this would be the person that could probably be a legal expert, but not necessarily so. It may be someone who writes amazing forensic software, teaches at conferences or courses, writes and shares their work, and all the while, never going to court to testify as a court expert witness.

We have a lot of these experts in the DFIR community, whether they know it (or like it!) or not. We look up to them and glean as much information as we can to improve.

Who knows what

All of us in DFIR know something that all of us know. Things like, ‘what is a hard drive’ is something that everyone in this field knows. Don’t be surprised to hear that many people outside of the computer field do not really know anything about hard drives.  Within this example, there are those who are experts in hard drives, but as a high-level topic, we all know something about hard drives.

Then there are those in DFIR who know something that we don’t know. There are absolutely more people that know about reverse engineering malware at an expert level than me!  If your level of knowledge and skill of reverse engineering malware is not at the expert level, that does not mean you cannot be an expert at anything else, or that you even need to know anything about reverse engineering malware. We have our niches and thankfully, we mostly have different likes and dislikes!

And there are the things that you know more about than the rest of us in the community. This is where your expertise in a topic can shine.  Focus on this one.

Brett’s tip

Work on becoming a community expert from this moment for two reasons. One, you will grow professionally and personally from the effort, and two, the community will benefit from your efforts. This becomes a cycle of the more you work on your expertise, the more the community benefits, resulting in you having more data to become more of an expert.

What should you focus on? Any topic that interests you!  One recommendation would be to pick an artifact and learn all about it. Learn more than anyone else.  Test your assumptions. Validate your findings. And write about it. Talk about. Share it. Congrats. You’re on the way to becoming an expert in that artifact!  Maybe even the only expert in that artifact.

Another idea could be to pick a FOSS (free and open-source software) and master that tool! Help with its development and testing. Make that tool into a widely used community forensic app and BOOM! You’re an expert in it.

Why do you want to be an expert?

• *  Professional recognition (within your community)
• *  Career (get hired or promoted)
• *  Challenge (self-improvement without concern of others)
• *  Fame (media, publishing, teaching)
• *  Fortune (selling yourself but not literally)
• *  ___________ (your personal reason!)

How long does it take?

Some studies show it takes 10,000 hours to become an expert. Other studies 'debunk' the 10,000 hour studies, and still others write that in 2 hours, you can be an expert.  The thing that is left out in many of these studies is the subject of expertise. A world-class tennis player surely will need thousands of hours of practice to reach near perfection in tennis. As would a musician. Conversely, an information technology professional would need far fewer hours of practical application and testing to master a topic such as building a computer.

There is plenty of research online that you can read on the number of hours that research shows results in expertise. I believe that time is an important aspect of expertise, but absolutely not the only or most important aspect.

How to become an expert

Becoming an expert is simple, but that does not mean it is easy. Simple, as in, all you need to do is study, put into practical use, and know well enough to teach it.  This is not easy because it is work!

• *  Focused study (the learning of foundations)
• *  Diligent practice (the practical application)
• *  Teach others (writing and/or speaking)

Study is the foundation, as you can’t teach what you don’t know. Or more accurately, if you try to teach something that you don’t know, it will be painfully obvious to your audience. Diligent practice is completely different than practice. Taking piano lessons and throwing your fingers around for an hour just to fill an hour of practice is not just useless practice, it is detrimental in learning bad habits. Don’t just “read” a book on your topic: engage in the content!  Do not just test a theory, but deep dive into every aspect of it.

When you think you are ready to teach, then prepare to teach by checking everything you know. You will end up learning more, solidifying what you thought you knew, and now almost ready to teach. I say “almost” because teaching in itself requires practice and time to get it right! The mere act of teaching others does not mean you automatically are an expert. You have to be good at it too!

The road to being an expert

There are checkboxes to keep track of your path to expertise. Here are a few, and within each item there are dozens of DFIR related sub-items to fill the checkboxes.

• *  Publish works in trade publications, peer reviewed works, journals, books
• *  Speak at trade conferences, universities
• *  Research, test, and validate your works
• *  Get interviewed by media
• *  Be awarded grants, awards, fellowships
• *  Spend time in academic study
• *  Spend time with practical applications of your work
• *  Discover, invent, develop processes
• *  Peer review the work of others
• *  Have your work peer-reviewed by others
•  

Factors that affect time to reach expertise

Mentor/trainer/coach/formal education

Figuring out how to ‘do it’ takes much longer than someone showing you how it is done.  Finding your errors is difficult, but easy when someone is evaluating, critiquing, and mentoring you.

Both of my kids grew up with classical piano and violin lessons. They practiced every morning at 5AM. They practiced after school. They practiced a lot. The biggest lesson that I pushed was that it is better to have perfect practice for an hour than a thousand hours of bad practice. Practice makes permanent, and that is a difficult task to undo. Mentors can check your work, critique it, and enforce the drive for perfection over the drive to compile hours of useless work.  Practice does not make perfect! Perfect practice makes perfect.

Hands-on versus academic research

An expert can solely be a pure academic without much (or any) practical application. An expert can also be a practitioner with virtually no academia.  A mix of both absolutely will reduce the length of the path to expertise.

Trying to master everything or one thing

The bigger the pie you want to be in expert in, the longer it will take to become an expert in it. If you want to be an expert in all-things “Digital Forensics and Incident Response”, you may need more than two lifetimes!  However, if you want to be an expert in “Internet forensics” or “prefetch artifacts”, then you can do that in shorter order, certainly within your lifetime and probably within the next 12 months.

Pick your target. Make sure that it is a reasonable goal. Focus on it and work towards it.

Reaching the plateau

There is a plateau, but you don’t want to get there. As soon as you stop learning and growing, you will have plateaued. Any expertise that you gained fades exponentially as time goes by. Choose to plateau when you no longer need the skill that you mastered.  The DFIR field is an ever-growing and dynamically changing field that needs constant upkeep to keep up, let alone excel in.

Sharing is a big part of improvement

The more that you share your work, along with being open to critical responses, the faster you will reach the expertise you are working toward. If you ignore or do not want to accept critiques, go ahead and put that lawn chair out on your plateau, because that is the result of not evaluating the community evaluation of your work. The more open to suggestions of improvement, the more you will improve.

Who is eligible to be a DFIR expert?

This is an easy one. Anyone. Literally anyone with the drive and determination regardless of background or any individual characteristics can be expert in their youth or old(er) age.  It is never too early and never too late. Whew!

You might be an expert already

You might have read through this post and realized that you have already done everything, but never considered yourself an expert. When you realize this, there one suggestion that I have for you.

Know when it is the time to be humble, and when it is time to bring out the expertise credentials, and know when you are an expert.

Your expertise can (is!) the key to someone else learning, growing, inventing, and discovering amazing DFIR things that are waiting to be found. Your expertise can bring the truth into a legal case based on your opinion and interpretation of facts and evidence. Experts carry an enormous responsibility.

There is no shame in being an expert. If for no other reason, become an expert to be more than competent in your job. I don't recommend shouting from the rooftops that you are an expert, but I do recommend acting as an expert when needed. Everyone will benefit, appreciate, and grow from it.

PS. There is no magic formula, cheats, or vitamin that exists to make you an expert. It is all up to you to make it happen!