I have been a fan of Craig Ball ever since I met him in a forensic course years ago. I was so impressed with Craig, that I was honored that he agreed to write the foreword of a book that Eric Zimmerman and I wrote. It stands to figure that I have followed his blog for many years because I learn something every time he writes something.

Well….

His latest blog post was more than I typically expected, and I had to read it several times because Craig bared his soul with something that every single one of us would be fortunate enough to experience.  I tried to search for another way to say, “bared his soul” because that is what Craig said in his post. However, there is no other description that fits better, because that is what he did.

https://craigball.net/2019/09/09/who-am-i-if-im-not-that-guy-anymore/

I’ll let you read Craig’s blog post before reading further, and you should read it regardless of what point of your DFIR/infosec/ediscovery career point you currently sitting.  Then come back for my thoughts on the “Five Stages of Grief in a DFIR Career”.

Welcome back*

You may have already read a Swiss psychiatrist’s model detailed in a book, On Death and Dying. I’ve used that book on many occasions as a reference for teaching response to traumatic experiences to others and as a tool for coping with my own traumatic incidents. *I know you didn't read Craig's post and kept reading, but seriously, read his post.

https://www.psycom.net/depression.central.grief.html

The above visual describes the grief cycle succinctly. No need for me to add to it to describe it. But then again, I’ve done a lot of personal and professional research as well as teaching on the topic in a past career. I recommend digging further into it if this is the first time that you have seen this.

In my own life, I have gone through this grief cycle many times. Sometimes, it has taken me years to complete, and other times, seconds. Many of us are going through this now, and if not now, we will at some point in our lives. Police officers, especially those forced into deadly force incidents, will go through the entire cycle in a few seconds during an encounter and can spend years going through it after a deadly force encounter, regardless if deadly force was applied. They tend to go through this cycle a lot...same with those in combat.

Bringing this back around to you and your DFIR career

Since you read Craig’s post, you saw where it sounds that he feels his relevance has faded into a crisis of lost confidence.  If you didn’t read the post yet, do not fret; there’s a party at the end. 

This is where I see a direct resemblance to the grief cycle and a DFIR career, at least to where we will eventually feel that our relevance waned. Perhaps it will. Probably it will not.  Certainly, that which we did good, especially good for others, will never wane. The good that we did selfishly for ourselves will be forgotten faster than a long-tailed cat in a room full of rocking chairs. But the good for others is another story.

Go to work for money. Then you can do for yourself what you couldn't do before and do for others what they cannot do for themselves.

That’s what I tell my kids. Do your job, but do not be your job. The job didn’t miss you before you got there, and it won’t miss you when you are gone. But the job can help you to make this a better place by being a positive force on others.

<I’m getting to the point on the DFIR Career Grief Cycle, so bear with me>

When you create a ripple of positive change in a person’s life, you also spark a chain reaction of a tidal wave of good far past what you will ever have the fortune to see. The difference in a newcomer doing well or failing is in direct relation to your interaction with the newcomer.  Their failure or success in this field is directly tied to you. This is the point to know that the DFIR Career Grief Cycle is not a negative, but a positive in your career growth if you do it right. 

My suggestion is to push through the DFIR Career Grief Cycle as quickly as possible when it comes. Don’t be stuck at Anger, because you’ll be that ‘grumpy old person’.  And try to fly through Depression by knowing you are almost done with the cycle. Acceptance doesn’t mean the end. It means that your path has evolved, as it will for all of us, if all of us are lucky enough. The DFIR Career Grief Cycle is simply an evolution from doer to mentor or role model. Or maybe a not-so-subtle hint to move to a different job or position with a more instrumental role because your experience is incredible.

Our goal should be to be able to look back at the seeds that we planted, the good that we did, the bad that we prevented, and the positive guidance that we gave newcomers for them to grow.

We live our lives day-to-day knowing that tomorrow will never come, and that we have plenty of time to do something good for someone else tomorrow. When we accept that every new morning means that we have one less morning when we will not wake, then we can focus on what matters at home (and at work to make someone else’s life better). You have a fixed number of sunsets. A fixed number of sunrises. A fixed number of days to make a difference. Don't make the DFIR Career Cycle a Grief be one of regret, but one of satisfaction.

Craig Ball has nothing to worry about in regard to imposter syndrome, crisis of confidence, or whether or not he made a difference. I have followed his career for more than a decade. He has made a difference across the board in the forensics and electronic discovery fields as well as in the careers of many. We will all do better if we do better by others; then the grief cycle will not be feared as much as it will be welcomed.

The short story

Any person and their voice, in practically any video (past, present, or future) can have their face and voice digitally replaced with any other person face and voice. This is known as a “DeepFake” video.  Credibility of videos will no longer exist without some form of analysis, but the assumption that a DeepFake video is credible will create enough damage before being proven to be fake. The technology is not perfect (yet), but does it have to be in order to induce the intended effect?

Tip for some: You have to look up to get this. https://t.co/tfqTuToZK2

— Brett Shavers 🙄 (@Brett_Shavers) August 28, 2019

The longer version

It is difficult to find which aspect of our lives will be more in harm’s way because of DeepFake videos. With children, cyberbullying will take on an entire new life by an exponential factor.  DeepFake cyberbullying will be the nuclear bomb of child’s bullying nightmare.  The cruelness of bullies with access to make their victims appear to do anything in a video that can be instantly spread across the planet in seconds is not something to ignore.

The direction of a nation-state’s actions can potentially be moved with video evidence that was completely manufactured.

The movie industry can profit from DeepFakes by hiring B-list actors and replacing their face with A-lister faces but I don’t see an upside for the actors…

Innocent people can be made to look guilty of a crime. Today, your face can digitally replace the face of a violent criminal who was video recorded while committing the most horrid of acts, and people will believe the video..with your face on the criminal.  Criminal charges (vigilantism is a possibility!) might be filed, an arrest made, and your reputation ruined long before the video is determined to be fake.

Photoshop (and its competitors) changed the way we look at photos. Forensically, it is not entirely impossible to exam manipulated photos to find inconsistencies based on the content or layers of an image. Still, photoshopped photos are still intentionally created to damage a reputation. I’m referring to the manipulation of a photo using any photo-editing software, not just Photoshop.

But videos…this is an entirely new world of potential damage to a person’s reputation, or worse!

Stand by for a new world of fraud and information warfare campaigns.

Your online photos

The free Internet services that we have been graciously offered over the past years, in which we blissfully post photos and videos of ourselves, family and friends, is ripe for abuse. Our Internet service providers have already abused our data, selling it haphazardly to every bidder (not just the highest bidder, but practically everyone willing to pay for it). Since data can be duplicated forever, we can be abused forever as soon as we have given our data the first time to any online company.

With that, our pictures are online. We have posted the pictures of our children. Our online resumes, ie Linkedin, have a super clean portrait which is perfect for the source of a DeepFake video (all the machine learning software needs is one picture of your face…). Everyone is at risk. We already created the source material for abuse. And we did it with a smile.

My (online) photos

Working a decade in undercover narcotics turned me into an ultra-paranoid-of-cameras person. At two points in my patrol career, photos of me in uniform were posted online by my department and local news. Then I went undercover.  Always worried about someone finding those two photos of me online at the worst possible time, I avoided cameras ever since.

Even during those years, if anyone (friend or family) ever pointed a camera at me, it was like I was ducking a baseball being thrown at me.  I did the same thing working undercover to make sure my photo wasn’t part of evidence in a case that may go public. Even with that, a family member of mine kept posting my photos online, without my knowledge, even while he knew the type of work that I was doing. Good grief. Third party control of our data is never good. Never ever.

The solution

I hate to say it, but lawyers are the only solution. They also stand to be the only people that will make out like bandits in the DeepFake future with litigation. Litigation, including criminal prosecution is the only remedy for damage and hope for prevention.

Actors will need tighter contracts to protect their image and voice, otherwise Tom Cruise will be starring in new release movies well into the next century…

Victims of cyberbullying, whether it be children or adults, will have to sue for damages, but as we all know, that which goes online tends to stay online forever.

Third party curators of our data need to be held legally responsible for something or anything. If our data is being controlled by others, without any compensation other than a free email address or data storage, then this problem will only grow.

Pandora’s box is opened and the DeepFake video is here to stay. I wonder how many Pandora’s boxes exist, because it seems that every year or so, another Pandora’s box is opened and something else pops out that does 1% good and 99% bad. I’m still looking for that 1% good that DeepFakes might provide, but I’m not holding my breath.

The future

Like anything on the Internet, it is all fun and games until someone loses a job, gets sued, gets beat up or killed, or commits suicide because of doxing, harassment, and cyberbullying.

As for me, I prefer to work on things that do good.  That's why I wrote this; to remind you that this 'thing' we do, this thing we call DFIR, is for doing good.

I took a 3-day basic forensic course and embarrassingly enough, the instructor (in front of the class), said that I probably know everything in the course already and this class is probably too basic for me…on the first day…in the first hour…and I was in the first row…I was a little uncomfortable.

I spoke to the instructor afterward about the course being well-done, with an effective delivery, and I learned more than enough to make the time and cost worthwhile. It was a good course and I have already benefited from the cool tips that I saw, including from what came out of the course from other students.

Side note: Did you catch that I said “students”? If you go into any training thinking that you know more than anyone else, you aren’t a student. A student is one who studies and learns with interest. That includes the instructor.

This is the crux of this post: Several people in this class, including the instructor, asked why I spent money and time in this course when I could be in some super-secret-and-advanced-digital-forensics-training given by the best-instructors-on-the-planet kind of class that costs tens of thousands of dollars. For me, it only makes sense to keep up on the foundations of any field on a regular basis. I mean, there isn’t any reason that I can think of to work on anything beyond foundations if the foundations are not solid. Foundations are like vegetables. They spoil in time.  As you wouldn't want to eat a rotten apple, you wouldn't want to do any DFIR work with spoiled skills. You have to be fresh in your foundations.

In the DFIR world, complacency may not kill a person, but it can certainly kill a case or your job. If you ever want to know if you have become complacent, ask yourself, “Am I comfortable?” If you are comfortable in your job, in that you have the answer for everything, and for that which you don’t know you assume that it is not important, you may be getting too comfortable in your skills. Maybe you are that good, but as for me, whenever I think that I am “that good”, I take a step back because I know that have crossed the line between confidence and complacency.

You can see the chain of how this happens as soon as you become confident in your skills.

*  Confidence leads to cockiness.

*  Cockiness leads to comfort. 

*  Comfort leads to complacency.

*  Complacency leads to carelessness.

At that point, anything you touch is at risk of failure. The good news is that most of us avoid heading down that path because it is easy to discover how much you don’t know with any given scenario, just as long as you have an open mind of accepting that you don’t know what you don’t know. The bad news is that carelessness can sneak up on you without warning until something bad happens if you don't keep alert.

If you think that those in the DFIR field are exempt from continuing having to keep up on the foundations of the field, you are wrong.  Would you want your doctor to have never refreshed the foundations of general practice medicine or are you fine with your doctor last seeing foundational medical instruction twenty years ago?

When you see me in any training, do not expect that I know anything or everything that will be presented in the course (probably…I know nothing or at best, not enough). I read and re-read “basic” forensic books all the time. I refresh myself on my notes that I have taken in classes, because I tend to more clearly understand what I wrote after I have experienced those skills in work afterward. I repeat tests that I’ve previously done, most always before testifying or writing a report on my findings where I cite those personal tests. I take and re-take "basic" forensic courses.

Sure, you may be an expert at an advanced topic, but be sure to have the foundation solid.

So if you are comfortable, make yourself uncomfortable and hit the foundational books and courses, that is, unless you are on vacation. Then by all means, be sure to make yourself comfortable.