Two things that set you apart from other practitioners are (1) what you know and (2) what you can do. In this litigious world where courts (and corporations regarding internal matters) rule on evidence, the rulings are usually based on a “person.”  By this, I mean that the ruling body, whether the court or corporate makes their decision by trust of a person that what that person said or did was true and relevant to the case at hand.

Disclaimer! 

I have personally witnessed where ruling bodies (legal or corporate) made decisions that were completely unexpected! I’ve seen where an expert opinion would have made a huge difference in a case, but a judge rule that an expert opinion is not necessary. There are cases where a witness will be disallowed because the witnesses simply asked to be excused from testifying because they were “too busy” or “too important” to testify.  I have seen “conflicting testimony” that could otherwise be called boldface lying (perjury under oath!) without any consequence. In other words, you might be the best, but might not be allowed to be the best.

Don’t hinge everything on my disclaimer applying 100% of the time. You can only be sure to keep doing what you should be doing in your preparation of laying down facts and opinions when called upon.  One way to look at this is that DFIR work is a competition.  Your peers will judge your work. Your organization will judge your work. A judicial body will judge your work. And your opposing expert will judge your work. The better you get, the more judgmental people become, and the more you need to be prepared.

The most important thing to know

Only you will document you the way you need to be documented because only you will be putting words that you say and write on the record.

Document what, exactly?

This is not about your resume, and this is not about your CV.  This is about creating and maintaining your record of what you know.  Here are 10 tips to get it right, save you time, prevent unnecessary stress, and stand apart from other DFIR practitioners.

Write it down

If you don’t write it down, it didn’t happen. This simply means that if there is no evidence to support that it ever happened, then for practical purposes, it never happened.  That includes documenting the course you completed last week and the one you complete five years ago. Many courses do not provide a certificate of training, for reasons that are beyond me. At least with a certificate of completion, you have a record of the training you completed.

What can you do if you are not provided a record?  First off, consider that there is a record, whether that be an email confirmation, enrollment sheet, or canceled check. Something exists to document that training.  Use the information from that documentation to ‘write down’ your course.

Corroborate it

If you have a cert, keep it!  No cert? How about an email confirmation?  Maybe send an email to the vendor and ask for an email that states the course was successfully completed.  Consider that if you can’t prove it, who will believe it when challenged?

Update it

Keep adding everything relevant to your training record. Everything.  Make it a habit to update. It is far to easy to go through a lot of training, education, and experience and plan to later, only to forget the details.

Validate it

If you were taught something, keep the practice, at least some of it. Keep your notes and practice. You can easily scan to PDF entire student manuals for archival purposes. If you take great notes and ever challenged, those notes will validate that you were exposed to information and validated it with practice, exams, tests, and notes.

Make it Detailed

It is one thing to say you attended Course 123 sometime in the year 2018 and quite another to say Course 123, 32 hours in length, in Washington D.C., with dates of 3/3/2018 through 3/6/2018, presented by Vendor A, instructed by Instructors B and C and the course covered topics 1-9.

Make it Accurate

The last thing you need to do is embellish. There is rarely any DFIR course that by itself doesn't speaks volumes more than embellishing could.  If the course was 5 days and listed at 40 hours, then that is what to document.  40 hours, not 60 hours unless it was 60 and you can show it.

Don’t treat it like a resume

Your training documentation is for you to see.  It is not a resume or CV.  This is your record as a source for your resume, CV, or statement of qualifications. Sure, you can offer it as your training record to support expert qualifications or when asked by a client, but typically, this is your official training record.  Treat it as such.

Don’t rely on your organization to do it (correctly)

Your organization might keep decent training and education records, but if you are going to rely on someone else keeping track, you are doing it wrong.  It is actually the other way around. You use your records to make sure that your organization is keeping track accurately and appropriately. Plus, there will be items in your personal record that won’t need to be in your organization's records.

Use it as a reference

When you write a report and have already documented research on what you are reporting on, refer to your training/education record.  You will have the dates and details of what you’ve done for easy reference.

Include your research (workflows, innovative processes, software, scripts, blog posts, presentations given, courses, workshops, conferences, books read, books written)

Your practice counts.  Your study counts. Your homework counts. If you read a DFIR book, document it.  All of them.  If you take a course online, document it. Almost as important as taking a course is noting who taught it. The perceived value (quality?) of a course is directly related to the vendor and/or the named instructor of that course.  An anonymous presenter of a DFIR subject on YouTube will have a much lower perceived quality view than a topic presented by a well-known vendor or well-known named expert.

Something as simple as a spreadsheet to keep track of your training will save you grief in putting together a CV for court, or a resume for a job, or listing qualifications on a report.  Keep in mind that the important points to track are:

• Name of course/book/class/conference/etc…
• Presenter/author name
• Vendor/company/organization sponsoring or presenting
• Date(s) attended or date published
• Hours completed
• Cert received if applicable
• URL if a YouTube video or video series
• Brief of topic/s
• Anything else of relevance that could be useful to remember later

Of the two things that will differentiate you from another practitioner, this one is the easiest because you just have to document everything to show what you (should) know. For the other thing…you have to show what you are doing based on your actual work.

These are the two things to get you that .5% edge that will set you apart from everyone else.

I had an interesting discussion with a highly educated and self-proclaimed computer-literate professional on the process to dedupe emails.  The interesting part is that I couldn’t believe what I was hearing about his process on how to dedupe files.

https://www.merriam-webster.com/dictionary/self-taught

I’ll sanitize this story to protect the guilty.  So, here is the scenario.

Step 1: Find exact duplicates in a batch of 3,000 emails (.msg format)

That’s it. No step 2 or 3 or 4. Simply find the duplicate emails from a folder of emails.

I know what you are thinking; that you would just drop the files into an app like HashMyFiles (https://www.nirsoft.net/utils/hash_my_files.html), or maybe even get fancy by creating a case in your favorite forensic suite and adding the emails as evidence items, and output a formal report which would add maybe 5 or 10 minutes to the process.

Either way, the total processing time to find the exact duplicates would take about a minute.  Here is where it gets a little interesting. The process that was described to me was way more elaborate. It went something like this:

1. Import the emails into MS Outlook.
2. Print the inbox.
3. Compare the titles of the printed inbox against emails in a folder.
4. Export the emails to a spreadsheet.
5. Use Excel to remove duplicates.
6. Visually compare each email in the spreadsheet against the emails in a folder.

The time spent deduping emails this way took 60 hours, and strangely, the IT pro was bragging about how long it took.

Speed test!

This is what it looks like when compared to using a free file hashing utility.

This would be fine if there were no resources available to know otherwise, you had no training or education in technology, you were physically unable to ask anyone for advice, and you had never been exposed to file hashing before. However, in this instance, not a single resource was used. The IT professional didn’t use anything that was taught formally in either the BS or MS degrees, nor from any of the  CompTia courses completed, didn’t ask anyone how to do this, and didn’t even search the Internet to see how to find duplicate files. That might normally be ok, but not here.

The problem is that this IT pro intentionally didn’t ask for help or search online for a process and boasted that “this is the way we do it in this field do it; by being self-taught.” With that statement, I figured that if one person thinks this is the right way, maybe others do too, therefore, this post needs to be written.

There are many right ways to self-learn. This was not one of them.

I am a big believer in self-learning. We learn better when we learn information on our own. It is as if we discovered the information, therefore we “own” it and can be proud of it. But there is a line between self-learning and simply doing it wrong, and worse, doing it wrong on purpose.

Being self-taught means that you first look for the answers (or the processes) that others have discovered.  You can modify and improve upon processes that exist, but you use these as a starting point of self-teaching.

An analogy

I once built a motorcycle from the frame up. I had no idea of what I was getting into.  This was years before the Internet, so my only resources included a friend that knew a lot about motorcycles and my local library. It took me a summer to build the bike, but I could not have done it without help from someone who knew what he was doing and the books that I checked out of the library.

Had I not asked for help or researched in a stack of manuals, I would have ended up with boxes of parts for a garage sale. Instead, I had a bike that I fully built myself.

Self-taught means that you learned outside a classroom. It means that you used resources available to learn, such as books, Internet searches, and asking others to show you.  Of course, being self-taught includes practice and experimentation, but even that requires some resources as a baseline of where to start.

Excel

It might not be a stretch to say that practically everyone in DFIR is competent with spreadsheets. Excel is a flexible and necessary tool in DFIR to view, analyze, and display data.  But just because you dump data in Excel does not mean that you are using it correctly.

In the example of dumping emails into a spreadsheet to find duplicates when there are probably dozens of applications (free, open-source, and commercial) that can do this task easier and without error, using a spreadsheet because it seemed like the best way goes directly against the meaning of being self-taught.  This would be the same as me buying every nut, bolt, and part of a motorcycle and trying to put it together blindly in order for me to be self-taught in building a motorcycle.

So now, when I hear that someone is self-taught, I have to dig a little deeper to get the details. If I hear that self-taught involved deep research, replicating what others have done, and improving upon what others have done, only then will I believe that the person was self-taught. To do otherwise is to waste time and do the direct opposite of learning.

Self-teaching advocate

Once you become competent in any field, self-learning is what you do for the rest of your career. You will always “self-learn” a process new to you by seeing someone else do it or write about it. Then you replicate it. Eventually, you improve upon it. And if you share it, it will further be improved upon by others.  If you are lucky, you have co-workers who share what they learned with each other, which takes team competence to much higher levels.

For managers, be aware of those who rather learn absolutely everything on their own without some sort of process (research > ask > replicate > improve). Blindly trying anything is likely wasting time and making things worse. It will be a net negative and can border intentional incompetence.

For practitioners, “trying something new” is all well and good, but before spending 60 hours on something, spend 6 minutes to see if what you want to do has already been done before. If it has, then you can replicate it. Use that 59 hours and 54 minutes of time you just saved to improve upon your replicated process.

Leaps and bounds

Do you ever wonder why some in DFIR jump so fast and far ahead of others? It is not usually because they have a higher IQ.  They are smarter tho. They are smarter in the fact that they know to RTFM (aka: research first). With a firm foundation, their experimentation starts at a higher level and propels them ahead as if having booster rockets.

Those who start from scratch and intentionally choose not to do even the barest minimal research not only have no foundation of which to build, but will learn the wrong way to do DFIR things.  This is not only not moving forward, it is moving backward.

The deduping emails story

The end result of the story of this deduping emails is that the IT pro was proud of the time spent as it was an “exhaustive effort”.  Yet, the emails were not deduped because admittedly, the IT pro admitted that he was unsure of some emails being exact duplicates or not, so they were produced anyway (no email was even hashed).  All of this wasted time could have been avoided with a phone call, an ask of someone else in the IT shop, or just one Internet search. Instead, we have self-taught incompetence that wasted weeks of work with a defective work product.

If you want to be entertained, block out 5 minutes of your time at 9am (PDT) on Friday, June 11^th, to see how something so simple as asking for public records turned into a major cluster. I’ll be giving comments in an Open Public Meeting about a lawsuit in which I asked for some public records, they were all not provided, and some have been destroyed.

https://www.norcom.org/event/governing-board-meeting-2-2021-06-11/2021-06-11/

So this team of lawyers has been hammering away at me…

I’ll get into the details of the records in my public comments, but some of the records include a workplace so bad that one employee committed suicide over it, another contemplated suicide, another suffers from PTSD from it, and an independent evaluation determined this workplace to be so bad that he described it as  “workplace violence”.   Then there are the non-disclosure agreements of up to $150,000 of hush money to public employees so that they don't disclose how bad it is! It is as whacky as it sounds.

For simply requesting public records, which anyone in any city, county, or state in the US can legally do, I somehow ended up with a team of attorneys against me causing nothing but obstruction.

Forensics?

What does this have to do with forensics or anything related? That’s a good question, and the answer is quite a bit.  The lessons that I have learned in this case can benefit you in forensics, ediscovery, or even if you want to request public records yourself if there is something of public interest that you are aware of. I’ll talk about that later, but for now, you might want to tune in to enjoy the fireworks in the virtual public meeting this Friday at 9am (PDT)!

Schedule:

0900 Meeting starts.

0902 I speak.

0905 I'm done.