
Brett Shavers | Ramblings


Digital Forensics

February 14

Some CONS are good. Some cons are bad.

Posted by Brett Shavers
in Digital Forensics

The bad cons are the criminals that victimize you.

The good CONS are the conferences that you were glad to attend. CTIN is one of those good CONS. I'm partial to CTIN because it was the first organization that took me in when I was but a babe-in-arms as far as digital forensics goes. I am also partial because the people in it have always, and I mean that literally, all-the-time, been the best at welcoming members and sharing everything. I'm also partial because I was once the Secretary and afterward the President. I am glad to see that CTIN has maintained its original founding principles. Much of what I am writing in this post applies to most local conferences, so you will probably think that I am writing about your local organization. That's cool if so, and it's my intention to bring out the good.

The bad stuff

I have to admit, I have read about the incredibly terrible things that have been happening at conferences. I won't repeat anything that I read simply because I don't want to make it any worse than it sounds. As for me, I've been to many conferences, but 'many' is only a small percentage of the number of conferences there are. At the conferences where I have presented and/or attended, I have never seen any of the negativity that some have seen. Mostly, that is because I usually fly in to present and fly out, or stick with a close group of friends for dinner (or just me and my wife) without getting involved in any craziness of midnight partying. However, with the high number of attendees at some of the conferences, I have no doubt that things happen. Don't forget, I was an undercover narc for a decade…I know how people can get.

By the way, if I ever were to see negative behavior, I am the kind of guy who is not happy unless I am the first person to address it, directly, on the spot. I don't agree with calling anyone out online, but I will fix problems on the spot because the evidence is there. The witnesses are there. The culprit is there. And usually, it is best to handle it on the spot. Enough of the bad. On to the good!

The good stuff

CTIN (http://www.ctin.org) became a non-profit way back when, back in the days of DOS and floppies. I came on board as a cop just starting out in forensics around that time. We had monthly meetings at the police academy in Burien, Washington, and probably had eight or ten folks show up each month. Half were cops. Half were private-sector tech. Both were figuring out this high-tech crime thing together. After our meeting, we'd head out to a nearby restaurant and continue our conversations before heading back to work. It was, and still is, a public-private partnership in high-tech crime investigations.

Over the years, CTIN grew to hundreds of members, with training sessions having almost 100 people show up! All of this cost each member nothing but their time to attend. Everything was shared, any member with something to add was (and still is!) welcome to share, and everyone knows everyone, at least by face if not by name.

The lucky stuff

The Seattle area is rife with seriously great people in this field! I mean, we have Amazon, Boeing, Microsoft, dozens of tech start-ups, and even Google moved in. And we have companies like CrowdStrike, DomainTools, and other greats, each with at least their toes, if not their whole body, in the cybersecurity realm. And don't forget the University of Washington! With billionaire Paul Allen's donations to the UW computer science program, we have quite a bit of talent to draw upon; after all, US News ranks UW #6 in the nation in Computer Science. Any member, or rather every member, of CTIN has the opportunity to sit next to someone with amazing experience. We are also a short drive away from British Columbia, Canada. Talk about competent forensic folks: they are not only competent, but also nice to be around ('cause Canadian, eh?).

The CTIN conferences

CTIN didn't always have conferences. I took a chance and volunteered to arrange the first one, and over a hundred people showed up! The speakers were great, and the venue was not that great. An old hotel near the airport…dark…dingy…slowest Wi-Fi on the planet, except maybe the Kwajalein islands. It was also our first attempt at 'swag' and at charging money to pay for the venue. It worked out and is still working. Because of that experience, any time I meet someone who arranges these types of conferences, I want to give them a hug or a drink.

Now CTIN holds its conferences at Microsoft. How's that! From a dingy hotel to the Microsoft campus. Not that a place like Las Vegas isn't "fun" for a conference, but compared to having a conference at the place where the actual source code behind 99% of your electronic evidence is being developed, there isn't a comparison. You won't get access to the source code, but you'll be sitting in the same buildings learning how to examine the evidence it produces. That's kinda cool.

The best stuff

The CTIN conference is not the only good conference. There are plenty of others. Many of these conferences (should I say 'all'?) are run by folks donating more time than they originally planned, herding multiple organizations, dealing with money, schedules, and more, with the only compensation being that they were part of something that made a difference. Every non-commercial conference is like that. The non-commercial conferences charge just enough to pay for expenses because no one gets paid. It is all done to share. Commercial conferences are different, but that's not what I am talking about.

Some of the best stuff is meeting great people at a local conference. You'll not find a more well-connected bunch of people than those working at and attending a local conference. If you want a connection to a Fortune 50 company, you'll find the nicest people here. Actually, the person who helped me get into this forensics field worked at one of the world's largest companies, is a published author and speaker, and is an extremely experienced and technically competent forensic examiner. With all of that, he invested personal time in me as a mentor, which turned into a decade-long friendship. He's also one of the founding members of CTIN, so that's how this CTIN thing started. A nice guy met up with some nice folks, and they helped each other figure out this cyber thing. Then they shared it all.

And that's why I will always be a CTIN member.

**edit 2/16/2019**

Forgot to mention, I'm speaking at this year's conference. Please say 'hi' if we've not yet met. I'm one big ear, so to speak :)

January 9

This is how I know someone will make it in DFIR (or in anything)

Posted by Brett Shavers
in Digital Forensics

The #1 factor is not giving up. The #2 factor is talent. Actually, scratch #2. You can make it without talent if you don’t give up. Talent is overrated.

<sounds of desks being pounded>

Let me explain what I mean before going further. Not giving up has to be the most important, because if you give up, no matter how good you are, you will not make it. Because you quit. By "talent", I mean natural talent, with all the benefits that others have to work for. You do not need natural talent to make it in DFIR. You need persistence, tenacity, curiosity, and the willingness to learn. If you don't give up on these things, you will make it.

  • Here is the thing about giving up or quitting: it is easy to do.
  • Here is the thing about not giving up or not quitting: it's tough.
  • Here's the other thing: you will never know "when" you will make it.

I talked about my path into "DFIR" (specifically, the DF part) in today's Patreon podcast. Although I didn't talk about everything, I did give the broad-brush stroke of what I had to do. It took years, lots of my money, lots of my personal time, and personal risks. This was before the flood of colleges offering degrees in cyber/forensics. With a wife, two young kids, and working full-time as an undercover cop with crazy schedules and travel, I had every reason to quit. More of that in my podcast, but you get the point. Others have had more difficult circumstances to get into the field, so I'm not complaining. I'm just saying that I have yet to meet someone who glided into their favorite DFIR job as easily as buying a book on Amazon.

For some years, I taught at the University of Washington's Digital Forensics program. Every student in the UW-Seattle Digital Forensics program that I taught was told the same thing, on the first day of the program each year: "If you are sitting in this room, with the intention to learn forensics, you are smart enough and have the opportunity to do it. You just have to do it." - me

I say that to you reading this, here and now.

By the way, this post was inspired by Liam Booth.

Soooo, I may have blown the dust off my old wordpress(ugh) blog, and made a new post. Annnd I may have name dropped a couple of people (@Brett_Shavers @cybersecstu) https://t.co/ddH66lqNhL

— Liam Booth (@UpsidedownCanuk) January 10, 2019
 

From those words that I read in the post, Liam is going to do it.

A story of not giving up

When I was a younger pup in a military course that had a lot of walking in it, the last walk on the last day was a long one. Before that last "walk" of twenty-something miles, one of the guys next to me said that he was going to make it even if it killed him. Of course, I said, "Me too."

At the end of this walk, I was sitting and watching the last people coming down the hill, and there was that guy walking down the hill. He fell, got up, fell, got up, fell, and didn't get up. Then he was crawling. Then the Corpsman rushed to him. He was having a heart attack, and he tried to fight off the Corpsman until they got control of him.

The good news is that he lived. The bad news is that he was medically discharged afterward. But I sure learned what determination looked like. He had it. I don't remember his name, but I am sure that whatever he wanted to accomplish after the military, he did it. I wish I remembered his name because I am curious. Then again, I'm not curious, because I know that he achieved exactly what he wanted. He has been my role model of determination ever since.

I hope that I imprinted this trait on my kids, and I think I have. My son wanted Harvard to accept him out of high school. That didn't work...he was not happy at all about it...but after going to another college and working extremely hard at everything, he starts Harvard Law this year. Determination and tenacity will win out over natural talent and wishy-washiness.

Back to knowing who will make it in DFIR

My point is that it is difficult to get into any profession, including DFIR, but there are some who I have met that I know will make it. There are also those who I meet and I know they have no chance. Not because of who they are, what they are, or where they come from, but because of attitude.

For me, DFIR is overwhelming in that there is so much information and breadth that choosing something specific to focus on is like being a kid in a game store who is only able to buy one game. Or more personally, me walking inside Cabela's…. But that is also what makes DFIR so great, with so many opportunities.

Making the long story short

  • Do not quit, period.
  • Motivate yourself, because no one else will.
  • Make your plan, because no one else's plan will work for you.
  • If you think you can, you're right.
  • If you think you can't, you're right.
  • There is no magic bullet to get what you want.

One more thing

I want to be the person that is the #1 supporter of anyone and everyone who wants to better themselves, improve themselves, and get into any profession. Motivated people motivate me. I have had plenty of obstacles in my life, and I distinctly remember each and every person who either cracked a door for me to step inside, held out a hand so I could pull myself up, or pointed me in a direction so that I would at least be going forward and not backward. I also remember the saboteurs, but not for the same reasons.

So, the 'one more thing' is that we, those in DFIR, should endeavor to fan the flames of those with the attitude and motivation to follow in your footsteps. I say "your" footsteps only because I am also working my way forward in the shadows of those who came before me, those who are clearly more skilled, and those whom I value as role models.

My goal…I want anyone to whom I can give guidance to do more in their life than I ever could in mine. If we don't at least do that, then what is the point of it all?

January 1

5 tips in how not to be outdone, outmaneuvered, or just outright embarrassed in DFIR.

Posted by Brett Shavers
in Digital Forensics

Even a monkey can fall out of a tree.

Short version:

  1. Bring your A Game
  2. Don’t hold back
  3. Be prepared
  4. Know what you claim to know
  5. Fight complacency

The longer version (and the version you should read):

First, here's what I mean about being outdone, outmaneuvered, or plain outright embarrassed in DFIR: someone or something kicks your butt in the arena. The 'arena' could be in court, or mitigating a breach, or just working a case where nothing is going right for you. Sometimes the arena feels like a circus. The last place you want to be in that kind of circus is the center of attention wearing clown shoes with a red nose. Trust me. I've been there more than once (I will talk about my experiences in tomorrow's podcast).

Bring Your A Game

If you don't approach every scenario with the intention to do the best you can do, then you have some chance of screwing it up. Maybe it will work out like it has for the past 50 similar situations, but I promise that the day is near when you will screw up just because you didn't do your best. You must bring your A Game each and every time, regardless of how small the task or how monumental the objective.

I will give you one mindset shift that will help you: never accept it when someone tells you "good luck", and never wish someone "good luck". Luck can beat most anything, but luck is simply chance.

Here is a better way to look at the "good luck" saying. Rather than good luck, simply 'do your best'. If a team member is about to tackle a problem, especially a potentially public problem, telling your team member to do their best is better encouragement than wishing them luck. For a good example of this, look at the Japanese. They don't wish luck. It is "Gambatte!", which translates to 'do your best'. Both of my kids were raised with "Gambatte!" their entire lives, as their mother is Japanese. I have never seen either depend on good luck to win a sports match, compete in a music recital, or get into the colleges they wanted. Live by doing your best, not by hoping that the best will happen by luck.

Each time you approach a scene, scenario, situation, incident, task, computer, malicious file, or meeting, do your best and focus as if the only thing that matters is the task at hand, because that is all that matters. Never ever trick yourself into thinking that 'this time' is just like the 'last 100 times'. Every time is the first time, and it is the only time that matters.

I'll bring this around to the military, to Marine Corps Boot Camp, where a drill instructor asked me (asked is polite for how it came out of his mouth) how many rounds are fired for rifle qualification. As he repeated his question in case I didn't hear it the first 10 times, I tried to count how many rounds at each line of fire, and of course, I got the answer wrong.

The answer, which sticks with me today, which I have repeated in anything that I have taught for decades since, is that there is exactly one round fired in any firearms qualification. The round fired prior doesn’t count. The round to fire after the current round doesn’t count. The only one that counts is the round you are firing. Same with any task in DFIR. It doesn’t matter what you have done before, how many times you have done it, or how many more times you will do it. The only thing that matters is this time.

One round. One chance. One opportunity. Focus on the current thing as if it is the only thing, because it is.

Don’t Hold Back

If you get really good at what you do, you may tone down your efforts a little just because you only need to give 75% to solve the problem (whatever the problem is). Do not do that. Go at it full speed and full energy as if you don't know how your task will turn out, because in reality, you don't know how it will turn out regardless of how much effort you put into it.

Holding back in DFIR work means that you could be going all out to solve a problem, but instead you figure, "nahh, I'll just run the so-and-so application over the drive and be done with it", or "I beat that opposing expert in court last time, so I'm fine to go up against him tomorrow." When you hold back, your opponent, whether it is a person or data, will eventually take advantage of you holding back.

Be Prepared

This is an easy one, but something we tend to slack off on the more we do the same thing over and over. In everything you do, be prepared. Think back to how many times you had to do something and assumed that you had the tools in your toolbox, or the dongle in your go-bag, or that your software license was current, and when you needed it, you couldn't use it. When you run into a situation where this sort of thing happens, it is solely because you were not prepared.

An uncomfortable related preparation issue is that of your teammates. If you must rely on someone else to do their job in order for you to do your job, be sure that they do their job. The buck stops with you, and blaming someone else is a bucket that holds no water. Don't assume that a teammate (co-worker or whomever) will be prepared to the extent that you need them to be prepared. I have too many examples of this happening to me, where entire operations had to be cancelled because someone forgot something that they were told to bring. Double-check. The end result will reflect on you, regardless of whether a teammate is to blame (and if it is your gig, it is your responsibility to make sure).

The two-prong point is that you need to be personally prepared and, if you depend on any other person to do your job, ensure that they do their job. Yes, technically you would be 'supervising' someone, but more specifically, you are making sure that you can do your job.

Know what you claim to know

If you are reading this blog post, especially to this point, you have dug deep into the world of DFIR. My assumption is that you know more about the DFIR field than the average computer user. That means you know far more than simply 'what is a computer'. I would bet that if you were thrown into court tomorrow and quizzed, the court would qualify you as an expert in some aspect of the DFIR world that you know. The reason…is because you know more than the average bear. That makes you an expert.

Here’s the thing to remember: being an expert, or someone considering you to be an expert, or even a judge qualifying you as an expert does not mean you know everything. Quite the opposite. It means you know more than most people, but you are also acutely aware that you are learning all the time.

Those who have been doing this work for more than a few days will never say that they know everything, or that they know everything about even one small thing. There are too many variables, too many moving parts, and too many unknowns to claim to know it all or to be a know-it-all.

But if you claim to know something, you had better know it, because one day, you will be called upon to prove it. You won't have time to prepare. You won't have time to learn it. You won't have time to practice. It will be game-on at that moment.

Fight complacency

The better you get at what you do, the better you get at what you do. That is, the more you hone a skill, the more honed that skill naturally becomes. Realize that this is a good thing, but it comes at a price. The price is complacency. Complacency will sink your career and skills faster than a long-tailed cat running through a room full of rocking chairs. In some jobs, your life may depend on not being complacent.

<Back to my wife> I have had the fortune of "luck" that comes from working hard to get good results. At times, I would brag about some of the things that I have done, and my wife would always give me the Japanese proverb "Even a monkey can fall from a tree". It was not until I was T-boned in a patrol car that I really took this to heart. I'll talk about the wreck in my podcast, but suffice it to say that I consider myself to be a monkey that is trying not to fall out of the tree, regardless of how good I am at climbing trees.

The point

Everything you do needs to be done with pinpoint focus, as if the task at hand is more important than it appears. I am not suggesting that you stress yourself out when you have to image a drive or run AV against a piece of media, but when you do the little things with focus, the bigger things will be more easily handled.

When I am hired to peer-review reports to find flaws, I can instantly pick out where the analyst was lazy, or complacent, or was relying on past experience and luck rather than focusing on the work or even on the report. Any time I hear someone say, "I'll just knock out a quick write-up", I cringe. If it relates to my case, my responsibility, my name, my reputation, or any aspect of my work, I stop-drop-and-roll with a clear "That report better be your best work or don't give it to me."

A warning

You will get caught off guard at some point. Unprepared. Surprised. And you'll have to sit in the hot seat until it is over. BUT! If you at least do the five things in this post, the chances that you will be in that hot seat will be lower, and when it happens, it won't be so bad, because you will know that you did your best.

Gambatte!

Recent Comments

Steve Whalen (Thursday, 03 January 2019 20:06):
Awesome blog post Brett! I've always been a big fan of yours! We are making the blog post required reading for everyone on our te...

Brett Shavers (Thursday, 03 January 2019 23:09):
way kind, and right back at ya.

DFIR Training

Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.



© 2022 Brett Shavers