TL:DR

The difference in skill and knowledge between the very best and everyone else is small but requires so much effort to obtain that most people don’t even try or quit trying.

This post is intended to kick you in your butt.

A little bit more detail

If you watch sports, a common theme is that wins are by thin margins of time or points, sometimes only split seconds or inches make the difference. This applies in everything including the DFIR/infosec field. I have been involved in casework and read cases of others where one person does or finds one small thing that completely changes the direction of the case or even makes the entire case. One thing!  Usually, this one little thing is something that you later look at and say to yourself, “Why didn’t I see that?”

We tend to think that ‘next time, I’ll do that too’ but that next time never comes.  And we keep seeing others do this over and over in different cases and wonder why we keep missing these little things that make big differences too.

The effort needed

In music and sports, perfect practice makes perfect. No practice and sloppy practice is a downward slide in skills. The most skilled make it look easy and natural. But those are the ones who have made more effort off the court (or in the lab or the classroom) than anyone else. This is no different in the DFIR field or any field.

Effort = physical energy + mental focus + resources (money, time)

You need all three.  You will never have an equal balance of these. Something will always be lacking.  But you must do the best with what you got and what you can get. Everyone else does too.

Our Own Effort

Our perception of effort spent might not be accurate….we sometimes tend to think we are putting out more effort than necessary (without getting results!) but in reality, we are putting out less and don’t need as much as we think. Athletes and musicians have coaches to help them put this into better perspective.

Our Perceptions

It is so easy to believe that we have it harder than others, and that others don’t need to put forth as much effort to be “x” (where x = competent, or highly skilled, etc…).  Rule #1 – don’t worry about what someone else is doing because you’ll never really know what they are doing outside of what you see in public and online.

Quitting and giving up

If you quit early on, you are most likely far from your goals. If you have been doing the work and putting in the effort, you might be a lot closer to your goals than you think. It would be nice to know how close we are, but we won’t know until we get there. It is easy in college to know how close you are to your degree because everything is by a checkbox.  Math course required? Check the box. Next until done. This is easy because you have a known path to your goal.

In DFIR, when we aspire to do something specific or reach a certain skill level, we don’t have a known path or gauge of where we are.  You don’t know where you are until you get where you are going.  You will never know how close you were when you quit. Frustrating!

Changed goals

When your goal is “x” (forensic examiner, incident responder, etc…), and you work toward that goal, your goal post might change.  Maybe during your journey, you find a more suitable goal. Many people stick with their initial goal and fight themselves all the way to achieve it. Then they are unhappy with the goal they achieved because they choose to ignore the goal that they truly wanted. Rather than see this as giving up on a goal, recognize this as an inspiration derived from your initial path that opened your eyes to a truer path.

How do I know this?

As embarrassing as it is to admit, I have tried things and quit. I have tried things, failed, and quit. I have tried things, failed, tried again, failed again, and quit.  I have tried things, failed, tried again, failed again, tried again, and quit.

I have also tried things without putting out the effort that I KNEW that I needed to put out.  None of those ever worked out.

I have also worked to obtain something that I later realized I didn’t want, only to keep going to get what I didn’t want…

The only time that I made my goals that I set was putting in more effort that I thought was needed and each time, barely made the goals.

The “How To” get where you want to be in DFIR (aka ‘harsh realities’)

*  You must put forth the effort.

*  If you quit, you won’t get anywhere.

*  Goals change for the better.

*  Don’t ignore inspirations.

*  Find a coach (ie: a brutally honest friend or a coach you pay to be brutally honest).

*  Realize that you are closer than you think, but won’t know how close until you make it.

*  Focus or the effort is wasted.

*  When you are short on one thing, use more of the other (ie: less funds available means more time spent to find free or less expensive resources).

*  Stop complaining.

*  Stop whining.

*  Stop making excuses.

*  Stop blaming others.

*  You demean yourself and your reputation by putting others down.

*  It doesn’t matter if you were unfairly criticized, unjustly accused, wrongfully discriminated against, or inaccurately judged.  No one cares and neither should you.

*  No one has unlimited resources.

More realities in DFIR

*  Few people are as good as you think they are.

*  Anyone can learn more about something than anyone else.

*  Credentials are meaningless if you can’t do the job.

*  If you can do the job while uncredentialed, you are more valuable than a credentialed and incompetent competitor.

*  You are better than you think you are.

*  You will never know everything. No one does and no one ever will.

*  You can’t control the “system,” but you can control your effort and path.

*  You have the potential to discover something today that no one ever will.

*  Put your words on paper or someone else will. They will deserve the credit, not you.

*  Talk is cheap. Action is what matters.  Want to write a book? Then do it and stop talking. Want to develop an application? Get to work on it!

*  Haters will hate.  Accusers will accuse. But they only do that to bring people down, not to those who are already down. Don’t feed the trolls.

Do this one thing right now. Do it again tomorrow. Do it again the next day. Keep doing it.

Find ONE THING a day. That one thing must be something that (1) is newly learned, (2) refreshes what you previously learned but forgot), (3) saves you time in your work, (4) makes your work more efficient/productive/effective, or (4) inspires you.

This can be related to work, a class, a YouTube video, playing around, relationships, or a hobby. Anything! Every one of these items affect all the others.  A hobby can create an incredible inspiration at work. Play can create a solid relationship. A great relationship can support amazing ability to work. It is all related to each other and affects one another.

Now: Write it down. Email it to yourself. Tweet it. Tell someone about it.  Do something that will burn it into your mind.  If you don’t do one of these, this ‘one thing’ will be a fleeting moment in time and wasted when it could have saved you hours of work, led to an amazing discovery, or opened an opportunity that you would never have otherwise.

Don't do this for more than one thing a day. Just one. That is all that you need and the most effective. Otherwise, it because unduly burdensome and less effective. PICK ONE ONLY!

Don’t be lazy about this.  This is 100% on you.

Backstory to a book

My most recent book (X-Ways Forensics Practitioner's Guide/Second Edition) is an example of all of this, and is also a reminder to me of what I just wrote. First off, writing a book is not easy. The mere effort to write requires effort (as described above). Then there are detractors, imposter syndrome, and personal matters and work to attend. That is on top of research, writing, editing, re-writing, more research, cooridinating and organizing information and people, and finally putting the final period on the page.

This X-Ways book took way more time than I had planned, I wanted to quit many times, spent more resources than expected, tested more than ever, and simply had to create the words out of thin air, which I believe led to my thinned hair...  There is no need to get into every little thing that was an obstacle to this book, but suffice to say there were many.  The more that I think about it, there were a thousand reasons to quit writing this book and only ONE reason to finish it.  And that is all you need to have, because ONE thing can outweight a thousand others.

Consider your butt kicked, but with much love and respect.

I just published the second edition of the X-Ways Forensics Practitioner’s Guide. If you use X-Ways Forensics in any sense of running the application, you should get this book.  I can’t say that any stronger than that.  But this post is not about the X-Ways book, at least not completely.

If you want to see the book or buy it, here it is:

In this second edition book, I asked and received contributions from forensic examiners who are X-Ways Forensics users. These contributions were tested and evaluated, and published as a complete section of forensic processes (and war stories) with X-Ways Forensics. This serves several levels of awesomeness.

For one, readers get more perspectives on how to use X-Ways Forensics than just me.  I know some things, but not all things.  Second, these contributors, if they were in a shell, jumped right out front and put their work on the scale to be weighed.  This is a major thing to do, because if you are wrong, you gotta take the hit and then move forward to improve.  But if you were right, that will have validated your previous work as being logically correct.  All contributions were awesome, and now, each contributor has a formally published forensic process using a tool that they know well.  Few things are greater than that in a case when you have published works.  For that, I am grateful, and the readers will benefit.  The contributors also have the right to use their contributions as they wish, whether that be as an attachment to a case report, affidavit, or in their CV.

This brings me to another work in progress (two new book projects that will be ramping up soon).  For one of my next books, I will be asking for contributors in the same manner, for a similar sort of content. My intention is to pull some great forensicators out of their cubicle and into the DFIR community's eye to display their work, their processes, their wins, and their perspectives to share with the community at large.

This takes a lot of guts, but there is such a huge personal, professional, and community benefit when you can help someone else do better and be better by simply sharing.

With that, this next book will be the most comprehensive writings in forensics that I will have ever done, and quite unique is scope and scale.  It will certainly take me a year+ to finish it, but it will be so well worth it.

The short story:

The book is done!

Get it at $20 off during the 100-hour book launch coming up in a few days (but only a limited number of books will be sold in the 100-hour book launch). Free shipping in the USA. International is available to ship, but not free..sorry…

The book will afterward be available for purchase on Amazon (and elsewhere) at the retail price of $69.99 plus shipping.

Get on the notification list here so you don’t miss it:  https://order-dfir.com/optintfu71ito

The longer story:

I used X-Ways Forensics (XWF) a lot, starting from the first version. And somehow, the experience of over 15 years of being an XWF user fit into one book. The neat thing about this book is that any XWF user can go read it and learn from that experience in a much shorter time than 15 years! That doesn’t even count the experience laid out by nearly a dozen contributors* in the book which probably gives this book a century of XWF experience wrapped up in a tad bit over 400 pages.

The intention of this book is that there will be at least one thing that you learn that when you see it, you will forever end an XWF frustration point, and prevent many hours of wasted time for years to come.  That makes any book worthwhile.

I’ll say this as strong as I can: I use all sorts of software.  I don’t have a ‘favorite’ tool, but I do have a favorite collection of tools. XWF happens to be in that collection. For the most part, any of the top forensic tools do a fantastic job and I use them all at different times and on different cases. I use good tools, support good tools, and advocate for good tools, because good tools allow good examiners to do good work.  At best, I am okay at forensics simply because I do not know so much, but the tools help me learn and work.

The only reason that I wrote a book on how to use XWF is because the manual didn’t show me how to use XWF.  This is not a problem with most other tools because many other tools are very intuitive; but not XWF.  Only after learning how to use it does it become intuitive…

For me, I need something or someone to show me how to use XWF (and most other things, too), otherwise I am spending hours trying to figure it out and may end up doing it wrong anyway or never learn the right way. I teach the same way as well...mostly I teach the way that I would like to have learned what I am teaching, not how an engineer thinks the way I should learn.

Books, books, books

This is my seventh book authored with my name, plus one fully ghost-written** book, several ghost-written chapters in other books, plus tech editing a half dozen other books. Three of my seven authored books were published under a publishing house, four with self-publishing, one in the second edition, another to be in a second edition in 2023/2024, and another due out in 2023 with a fantastic forensic expert and co-author.

For this edition, the book is more than 150 pages longer than the first edition, includes content not in the first edition, and has a dozen contributors who gave either an XWF war story, told one of their processes in how they use XWF, or contributed information on their X-Tensions or third party tools. The tech editors, Troy Larson and Michael Yasumoto are awesome.  For those who get a copy of the book, you won’t want to miss Troy Larson’s bio. If you know Troy or of Troy, the bio will make perfect sense and is only missing a shark laser pointer.

The XWF/2E started in 2005 when I was struggling with X-Ways Forensics. I struggled enough that my partner-in-crime (so to speak) and I arranged for the first ever X-Ways Forensics course to be hosted in Seattle, Washington. I will go as far to say that since X-Ways wasn’t giving training up to that point, our frustration with XWF ended up with convincing X-Ways that we’d go so far as host a class, market it, fill the seats, and even cater it if that would make it happen.

I’ve used X-Ways Forensics ever since, taking lots of notes, auditing more training, teaching what I learned at various places, and banging my head along the way. That was the impetus of the first edition: take my pain of learning XWF and write it down so others can learn faster. 

The first edition eventually became outdated

Emails started rolling in asking for a second edition. Lots of emails. This was bound to happen because the first edition was outdated to the point that functions moved around or were removed or added to the point that the book didn’t work.

Unfortunately, the publisher didn’t want to approve a second edition as the first edition was still selling well enough to not justify replacing it, even though it was outdated. Writing a book through a publishing house means the author is simply a contract employee writing for the publisher and has no ownership of the book or content other than a commission of sales (royalties).

I then had a 2-year process with the publishing house and my attorney to regain the copyright from the publisher so that a second edition could be (self-) published. This is probably a story to tell in more detail another time in how to get your copyright back from the words you wrote that the publisher owns.

And now you have the second edition, with more content, better organization, and with contributions from a dozen XWF users.  This gives you a dozen different perspectives of how XWF is and can be employed, all from one book.

You most likely have the same reference books on your desk that I have on mine, with dog-eared pages, highlights, notes, and worn out spines.  This is one of those kinds of books.

*Amazing contributors include Michael Yasumoto, Mark Burns, Derek Eiri, Yuya Hashimoto, Alexander Kuiper, Chad Gough, Craig Bowling, Jeffrey Meissner, Erinn Soulse, and a few others wishing to be unnamed.

**Ghost-written, as in, I wrote it for someone else’s book, but in their name, under contract to not give my name.