In this thing of ours, the world of digital forensics, there is one thread that ties us all together: the truth. All else is malleable.  Processes improve. Technology changes. Laws are added. Training morphs.  But the thing that remains unchanging is the truth.  We must speak it. We must live by it.  We must defend it.

I know that you are thinking that this post is simply reminding you to be truthful, but it’s more than that. Let’s start with this example (keeping politics aside, imagine this being someone in DFIR):

A liar will not be believed even when he speaks the truth.  AESOP

The point of this video is that credibility was lost because lies were uncovered.  I chose it because of the simplicity and public nature of the video. In nearly all other aspects of life, lying can get you promoted, elected, hired, and even married. The ramifications of getting caught lying generally affect nothing more than what you received in return for lying.

In DFIR, lying is different.  Lying, at best, ends your career.  At worst, innocent persons could be convicted or the guilty may go free, and you earn a perjury charge to top it off. Much like staying healthy, being known as truthful is not a box that you can check on Monday and never worry about it again.  Being truthful is a box that you must check every day.  The day that you neglect to check the honesty box and lie in a report or on the stand is the day that all your past truths are now questionable.

Not more than 2 years ago, I peer-reviewed reports where the examiner clearly omitted information in his report to the point that it was (at least to me) written to clear the guilty.  The rebuttal reports and exam showed this intention as blatantly obvious. That is not a good look by intentionally omitting facts.

In another recent case, I observed two (government) witnesses lying under oath. To be honest, I was in complete disbelief in what I heard and read because there was absolute evidence to the contrary. Even the judge was visibly and verbally stunned.

There are cases where I have not been involved in where expert witnesses have lied under oath. This is not uncommon to the point that an attorney client that wanted to retain me believed that all experts are liars. I didn’t accept his retainer simply because he wouldn’t believe a truth from an expert if he heard it since he has heard so many lies.

Tips to save your career

Tell the truth even if it hurts.  Especially if it hurts, tell the truth. Many times, I have had attorneys tell me “I appreciate your candor” in a manner that they didn’t like what I had to say, but they were grateful to hear it.

Distance yourself from liars. This is not always easy, but important.

The essence of a lie is the intention to deceive. - M. Prideaux 

Call out any lie that touches you. If you let a lie that touches you continue undefended, you could be seen as agreeing and supportive of that lie. Some lies may be inconsequential (like a personal matter with someone) that a reply is not warranted. But those lies that affect more than a comment made against you anger needs to be addressed with facts. Imagine knowing that a co-worker intentionally lied to cover up malfeasance or incompetence in a case that you are also working! You will be in the same boat with silence.

I don’t know

On the stand, I cannot count the number of times that my answer was “I don’t know.”  If I did something, I say that I did it. If I didn’t do something, I say that I didn’t do it. If I know it, I say it. If I don’t, I say that I don’t. Filling in the blanks is like filling a hole on a sinking ship with Elmer’s glue.

A strong desire to be right

DFIR seems to draw the same type of folks into the field.  Driven to perfection.  Persistent in gathering facts. Curiosity to the point of breaking apart every bit of data. And a strong desire to be right. These are all great personality traits to have.

But there is a line between “strong desire to be right” and “will do anything to be proven right.” Being right in your analysis is supposed to mean that you did everything possible to corroborate and verify the information you recovered.   “Doing anything to be proven right” means that you did everything necessary to be right even if you are wrong.  One of these makes a great examiner and the other should not be working in DFIR.

Tips to stay truthful against pressures to ‘stretch the truth’

When asked by a client, attorney, or boss if you can simply omit the bad information, your immediate response must be ‘nope.’  When asked if you can stretch the truth, you may want to consider being even more forceful, that you won’t lie, even a little.  This has happened to me on three occasions with three different attorneys.  I fired all three attorneys as clients in each of these cases.

Cutting ties from those who pressure you to lie makes work so much easier. The pressures of any case is more than enough to handle without being pressured to embellish, omit, or outright lie.

If offered any amount of money, consider that this one payment may be your last and that your reputation is eventually going to be mud when the truth eventually comes out.  This kind of offer happened to me once.  I turned it down, of course.

Encourage everyone around you to be truthful. Compliment candor as if it was not common.  Good managers know this. In an environment where mistakes are openly discussed without condemnation, people will (1) more likely admit their mistakes, (2) feel comfortable to talk about mistakes, and (3) will help the remediation of mistakes.

If you can’t help but lie

Find a new career. Some career fields seem to require it.  Otherwise, there is no such acceptance of untruths in DFIR. Zero.

In 2013, I wrote a book and throughout the book, wrote of telling the truth as it relates to your investigations. One area of telling the truth that I should have covered more, was ensuring that your team also tells the truth.

The only statement in this book that skims this advice is that of not letting someone else make mistakes IF YOU KNOW of the mistakes being made or will be made.

Placing the Suspect Behind the Keyboard, 2013

I have felt this pain before and was fortunate that no one was killed the one time that I didn’t act. I’ll give the story at the end of this post of how this lesson was scarred into my brain.

Testify

https://www.merriam-webster.com/dictionary/testify

In a previous chat session, I gave a few personal examples of “inaccurate/conflicting” testimony in two separate trials. I’ll be talking details about these two cases more in another chat or webinar. Both instances miffed me quite a bit because I don’t like seeing untruthfulness in what absolute truth should be, especially in a courtroom, under oath.

I might also talk about two clients strongly pushing me to embellish forensic analysis findings and how I fired them instead.

Inaction and errors

For me, taking action to prevent mistakes has been ingrained in all of my professional careers.  In most jobs that I’ve had, the accomplishment of any task was usually a planned team effort.  From military to law enforcement to collecting evidence in the private sector, there has been multiple planning steps prior to taking any action.

In any of these planning steps or stages, every involved person has the ability, if not the outright obligation, to call out errors and potential errors in the plan. By the time action is taken, most of the known issues are settled which allows for the unknowns being more effectively handled in real-time. Plan for the worst, hope for the best, and handle everything else in between as it pops up.

One aspect is tactical planning. Be tactically sound in what you are going to do.  I don’t mean “tactical” as wearing battle gear, but rather being methodical and engaged in your actions to mitigate risk.

Another aspect is honesty. Anything that we touch, seize, write, say, hear, or see in the DFIR world has a potential, no matter how slight, of being offered and accepted into a legal case. If you had any part of the operation, you are potentially a key witness in some aspect of it for good or bad.

The truth can hurt. The truth can be embarrassing. The truth can be career ending. But no matter how difficult the truth may be, a lie or embellishment is 10x that, even if you had no part in other than watch it unfold without saying a thing.

Your input (or lack thereof) in planning, your reporting, your witnessing or others' actions and reporting, and the willful inaction of those involved must be looked through these lenses.

When you don’t speak up to prevent a problem, you are part of the problem

Here is one incident where someone could have been killed and I would have been part of the cause. I reflect on this one day as a constant reminder.

While assigned as a Task Force Officer, a fellow detective asked for my opinion on the plan of a drug operation takedown.  The operation was for my fellow detective to assume an undercover role, meet a drug trafficker, and subsequently end in a takedown of the drug trafficker.  Simple and common operation. I have participated in every aspect of this type of operation in more operations that I can remember. But....

After he gave the basics of the op plan, the first thing that I said to him was, “You are going to be robbed.”  He agreed, which is why he asked for another opinion. He then invites me into the briefing for this operation that consisted of maybe 5 or more police agencies, including an administrator overseeing the operation.

They go over the plan again for my benefit and I said bluntly said, “You guys are going to get robbed.”  From there, it didn’t go well for me. Every person in the room was for the plan, and I started to give my reasons of why their plan sucked.  My verbal skills have improved, but I believe my exact words were something like, "You plan sucks and you are going to get robbed 100%."

I won’t go into the reason that I felt this way, other to say that in the world of takedown operations (buy busts and the such), there are a few rules that must never be broken. I won’t say any of those rules publicly either, but if you have done this type of work, you know them already.  In this operation, they already broke two of the rules and were going to break a third.

I gave my suggestion of preventing a robbery. My suggestion was ignored, and this group of experienced detectives decided to go forth specifically against my advice. I didn’t push it.  This is where I should have strongly demanded action. But I let it go forward.

Since I was too chicken to stand up in front of a bunch of police agencies that were putting my officer at risk from my own agency, I asked, “Who is on the officer rescue team?”

The answer was condescending with a “We don’t need a rescue team for this.”

This was another opportunity for me to argue against the op. But again, I did not. This was my inaction again, where I knew the risk was unreasonable to go forward, but I didn’t push it.

At the time, I was tasked for support of another operation for a different agency, but since I was not a pivotal part of that operation, I was able to withdraw and I offered to be this detective’s rescue “team”.   They let me drive a family van as the “rescue team” to keep me quiet.

The result of the operation was that multiple suspects in a car pulled up, pulled out guns, and attempted to rob the undercover.  The rescue team is usually within rescue distance, so with this chaos, here comes the family rescue van “team”, rushing in, and ramming the suspect’s car while the rest of this highly trained task force made it through a crowded mall parking lot to clean up.   No one was killed. No one was shot. Suspects were arrested.

This could have been much worse, including for me.

Had I pushed in the planning process more, there would have been 90% less risk or 100% no risk by canceling the op.  For that, I cringe every time I think about what could have happened had not the rescue “team” not been there to chase armed suspects pulling out guns on an undercover officer in the middle of a shopping mall parking lot. 

That was not a unique situation unfortunately, but every time after that, I was not a quiet mouse in the room when I was the only person seeing red flags or the only person saying something.

Honor and integrity

For the Marines reading this, you will get it.  Everyone else….well, this kind of integrity reinforcement is constant in boot camp.

On one day in Marine Boot Camp, myself and two other Marine recruits were standing in the quarterdeck talking.  I was “firewatch” while my platoon was being given physical activity by drill instructors. Two Marine recruits, also on firewatch in adjacent squad bays came into my squad bay, and we were only talking and laughing.

One of the DIs from my platoon stormed in like a hurricane, saw us laughing, and in a manner that only a Marine DI could ask, “Are all of you having a party?”

Two of us said that we were not having a party. I confessed and said that we were having a party. I am using the word ‘party’ in a professional manner. There were other words used.

Anyway, that DI spent an entire training session teaching those two recruits the value of integrity and the consequences of dishonesty. I was advised to go back to doing my duty.  But, I learned that integrity will save you, because it is all that we have. I believe the other two recruits learned the same lesson, but lost a lot of water weight learning.

Courts get this. People get this. I get this.

Because of that, when you see or hear something that is not right, that you are part of, that you know is going to cause harm to someone, speak out and prevent damage from happening or getting worse. 

Sometimes people can get killed. Sometimes people can lose their careers. In this DFIR field of ours, you never have a worry if you are always truthful and candid in all that you do.

There is a saying of "Tell it to the Marines."  You may have heard of this but not know what it means. It simply means that if a Marine said it, it must be true, because they have seen everything.

Use that example to build your reputation, that clients, courts, employers, employees, friends, and family will be able to say about you, "That if s/he said it, then it must be true."

I recently finished a lawsuit, and it was the most time consuming process I’ve ever experienced.  I have been involved in lawsuits for about 30 years as a defendant, lay witness, expert witness, and now as plaintiff.  Let me break each of these down for you first:

As defendant:  I have been named in several lawsuits as a police officer. In every instance, my name was withdrawn because I was never involved in the allegations.  I was named sometimes just because I was on duty at the time. I’ve never done anything in my law enforcement career to justify being sued.  Still, the experience of having a process server serve me at home is unpleasant. 

As a lay witness and expert witness: I’ve testified plenty as a police officer, detective, task force officer, swat officer in law enforcement and in the public sector as a consultant. Looking back on this aspect, this is the absolute easiest of the entire legal process.

As a plaintiff: One time, and hopefully the only time. 

More than just a lawsuit

I once thought that I knew the justice system, after all, I have been working within it for three decades in both the public and private sector. I have spoken with hundreds of attorneys, hired by many of these, spoken to judges, have had judges sign my affidavits in their living rooms at 2am, testified in front of Grand Juries, courtroom juries, and in front of judges at bench trials and administrative hearings.  I have worked cases from initiating the case, filing it with a prosecutor, prepping for trial, and testifying. Still, this did not prepare me for a lawsuit as a plaintiff.

I thought I knew a lot, but I was wrong.

This lawsuit was a simple public records dispute, and through it, I learned more about the justice system that has completely changed my past perspectives of attorneys, judges, and the legal process.

So, you think you know the justice system?  Think again.

Here is where this learning came from: I was acting Pro se, in that I was my own attorney.  I know, I know. The Pro se has an idiot for a client.  But in my defense, my attorney was guiding me along the process, even though I was doing everything (he was checking to make sure that I did it right).  And this was just a public records violation.

What I thought would be a simple public records act violation turned into a full-blown litigation. I was threatened with hundreds of thousands of legal fees and sanctions, I was disparaged, defamed, deposed, and cross examined. I wrote a book’s length of paper in complaints, motions, replies and responses to motions, appeals, reports, opening statements, closing statements, and legal forms.  I sent and answered interrogatories. I demanded discovery and was demanded to provide my personal emails in discovery. I deposed witnesses and was deposed. I conducted direct testimony, was directed in testimony. I cross examined and was cross examined.  I offered evidence. Some was admitted and others not. I argued in trial and in filings. I did practically all legal research in state and federal case law online, in databases, and in a phyiscal, legal library.

Some of the most incredible lessons learned was that the legal process is not about the truth as much as it is which side does better in trial.  Even then, considering that most cases do not go to trial, the truth doesn’t matter if trial can be avoided with a settlement or dismissal.  You might think that you already knew this, but it is worse than you thought. I promise you it is much worse.

Oh yeah, opposing counsel tried to dismiss this lawsuit with multiple motions. When the court denied the motions on the basis of my claims, they made multiple and increasing offers to settle. I rejected every offer to settle.

The evidence

Without getting into the deep aspects of evidence in this case, just know that there were public records that were destroyed, records that withheld, “misleading” and “conflicting” testimony in trial, and every effort by opposing counsel to prevent any of my evidence from being admitted.

On top of that, in some evidence where I proved intentional manipulation of dates, and the court agreed with my findings, the court didn’t seem to care and didn’t use this manipulated evidence.

Considering that the “conflicting testimony” came from the #2 person in the organization but didn’t result in perjury blows my mind, when it was clearly more than just “conflicting”.  Conflicting is the word used by the judge….this, after the judge warned the witness that she was under oath, yet the conflicting testimony continued.

Another witness wrote an affidavit to be excused from being a witness, where the affidavit was factually incorrect. It was more than just “incorrect.”   I provided documentation that this witness’s statement was false, but rather than force the witness to be forthcoming with the truth, the judge excused the witness. This witness was the #1 of a government agency and “too busy” to testify.

Lawyers are (not?) under obligation to be truthful

In court filings, the opposing attorney misled the court in such a manner that I replied with documented facts in a filed reply that directly countered the misleading declarations and filings. The result by the judge was that the misleading information was not material, therefore, not a biggie.  As if this is normal. Apparently, it must be.

It was not just one lawyer

Against me, there were at least two attorneys (both Harvard law grads), from a major Seattle law firm, with several paralegals, and a government organization with 20+ C level board members from that many government agencies that spared nothing in the case. In total, over a quarter million dollars was spent on the attorneys in this lawsuit over emails and text messages.  I pleaded publicly for the records to every person represented below, but got nowhere...the only thing I received was that I'd get the records in 17 years...which explains the lawsuit.

Skipping to the end

I won the lawsuit, including attorney’s fees for my attorney who guided me behind the scenes.  There is a story to this ruling and process as well…which I’ll get into via Zoom.

More to the story

I will be doing a Zoom chat session about this escapade within the next two weeks, but I have to limit it only to anyone who ever signed up for a DFIR Training course, or bought a book from me through the DFIR training website.  My Zoom account is good for only 100 at a time, so I am keeping it at that.  If you don't get in, I apologize in advance as there are several thousand people that won't be able to join due to the 100 person Zoom limit.  And it won't be recorded, and I probably will do this once for this topic.

The things that I will talk about will be:

* Some details of the public records request (it was of public and personal importance)

* Why I turned down several offers to settle

* The pitfalls of any lawsuit that you don’t know unless you have been through one on an intimate level

* How I discovered manipulated dates and times

* How evidence, great evidence, can be excluded from trial for literally any reason

* Report writing tips that make an extreme difference in trial as evidence, including illustrative and demonstrative items

* Some details on the trial, misleading statements, misleading affidavits

* What I would have done differently had I known all of this

If you ever took a www.DFIR.Training course from me, or subscribed, or purchased a book directly from me, I have your email and will send out a notice of the Zoom session if you want to join in.  You are not required to participate to join, but I will take questions and give my opinion.  My opinion is my honest opinion, so you’ll hear that anytime you hear me talk on anything.

To the agency that I sued:

Do not worry, I will not be saying anything that I did not say in trial or in court filings, nor will I say an specific name, even though I could since it is all public record.  The purpose is to share the lessons and that only needs me to generalize the specifics and focus on the process and experience for your benefit for your next (or current) case and court experiences.

My intention to share

You’ll get 2 years of this experience in a short Zoom conversation, so if you have questions beforehand that you want me to cover, send them to me and I’ll have answers.

My goal is that you will have an intimate view into a lawsuit process and what truly matters, because there are things that I wish I knew because these things affect how I should know for forensic reporting and analysis.  Not knowing some of these details means your work may be a waste of time and money because it doesn't matter if you do it 'wrong'.  

Not knowing how the legal process works in detail means that case outcomes are affected. I do not care how a case ends up (win or lose) as long as the truth is admitted and that the ruling reflects the truth.

In order for this to happen, you have to argue against the untruths, otherwise, the ruling will not be based on the truth, but on who did a better job at arguing the case.  You, as a witness, play into this.