I sometimes carried up to 10 cell phones at one time for work. Each phone had its own purpose. One or two of these phones were used for case calling criminal targets in one country. Another phone was used to call another target in a different country. One was used to call informants. Others used to call targets in different investigations locally. On this particular day, I had four cell phones. Three were burner phones and one was my official work phone.

The day was September 11, 2001, and my official work cell phone rang early in the morning while at home. My narc partner called to tell me to turn on the television. That was my introduction to 9/11. That was also the day that many things changed not only in my career field, but in life.

Numbers are more than just numbers

One good thing about numbers is that you can visualize numbers as it compares to something else. The numbers of 9/11 and everything related to it, however, is incomprehensible.

On and from that date of 9/11/2001, there have been over half a million people killed around the world directly related to the attack on the World Trade Center. More than 500,000 dead including military, contractors, and civilians is not insignificant. 

Visualizing that number as people shocks the senses. There are 32 countries on this planet, each having less than 500,000 in population. Most cities on this planet have less than that number in population. Cities like Bakersfield California, Minneapolis Minnesota, Orlando Florida, and even Atlanta Georgia, each have populations that are less the number of people killed because of 9/11.

This number doesn’t even include the number of people who have been wounded. There have been over 50,000 wounded just in the US military service members alone. The term wounded does no justice to describe what that means as it relates to amputations and posttraumatic stress. Add to that the suicides directly caused by so many wars. And I don’t even know if there is any way to measure civilian injuries.

It is just business

Then we have the “business” effects of 9/11. The airline and travel industries were devastated. Stock market erupted into panic selling. The economies around the world were hit hard. This impacted so many more people directly with lost businesses and lost jobs.

If you are old enough, you will remember being able to meet friends and family at the gate in the airport, without needing to have a ticket or boarding pass yourself. You remember not having a TSA or have in your naked body visually scanned with machine and viewed by security. You remember not having to take off your shoes and your belt before being patted down and scanned. Retina scans, swabs for explosives, and scans of your body are here forever more.

New toys with new power

The reaction to 9/11 created entire new markets for innovation, surveillance, legal authority, and new companies. I saw firsthand the creation and implementation of the Patriot Act. I saw the spending of so much government money on so much technology that made a law enforcement investigation so much easier.

At my desk in a federal task force, I had access to databases that I thought only existed in movies like Minority Report. At this time, I was sent to computer forensics training all over the country given by different vendors and government agencies. I had never known there were so many federal agencies until that time of being taught by them and with them. I was given a half-dozen pelican cases full of computers and gear. I must have had more than six months in classrooms being taught forensic analysis of all types of computing devices and networks. I cannot imagine the cost but assume it was more than my annual salary times two or three.  The money was free flowing.

I had access, the ability, and used technology to wiretap cell phones, hardlines, Internet, and even cars. I was slapping on GPS trackers on cars. I was legally stealing cars with search warrants to install GPS trackers. I helped to legally break into homes and businesses to install audio and video devices. I worked “T” cases with the alphabet agencies involving money-laundering, drugs and arms trafficking, and IEDs being conducted by terrorists in the USA. I built up miles from flying all over the country (across, in and out) and no expense was spared in undercover ops with flashy cars, hotels, meals, and "items to impress."

The ability to make a phone call and ask for the financial history of a person was incredible as I could get information on practically every dime made or spent by a person. I was able to arrange surveillance to be conducted by special people (I’ll leave it at that for the type of “special people”) at any US border to watch for my targets cross the border whether by foot, quad, helicopter, plane, and sometimes a tunnel.

I had reports given to me in my ICE group that came from the DEA which came to them from the NSA containing information on communications intercepted by various intelligence communities. The only requirement using this information in my case was to not disclose it, and to corroborate the information elsewhere that could be used in a case. Strange, right?

While I was doing these organized crime and “T” investigations as one small cog here, Operation Iraqi Freedom, Operation Enduring Freedom, Operation Inherent Resolve, and other operations were ongoing overseas. I was fortunate to "play" with so many of this new technology, some of which is still not-so-publicly known.  I was fortunate to have been given a crazy amount of forensic training, certifications, and experience in so many different types of cases.  Little of this was easy, none of it was freely given to me, but all of it is treasured as experiences.

I was drawn up into this fast-paced, incredibly awesome technology development, and witnessed the awesome power of a government, and some of it was not only not good, but it was bad.

What happened to us

We went to far.  We overdid it.  And few tried to put on the brakes to reflect on what was happening. When given a free ticket to ride, government will ride it into the ground, and that is what we did.

We had initially rallied together around a common cause and supported not just our country, but others as well. We were on a good path. We were unified; undivided.

Somewhere along the line, we lost that.

Somewhere along the line, war became norm to the point of not even being mentioned on the news anymore.

Somewhere along the line, economies became war-focused because of immense war profit. 

Somewhere along the line, uncommon investigative methods and technology was being used too commonly, making it seem "normal" and not unreasonably intrusive.

We lost faith and love in our neighbors.

My sadness is that we have an entire generation born after 9/11 who have only experienced war, and many of those are serving in a war that began before they were born. Born into a war only to fight in it is a tragedy for entire generation.

Forgetting

I forget things. My wife reminds me of many things that I forget. Don’t tell her, but some of those things are those that I intentionally try to forget, like vacuuming…

But I will never forget the “before time” where most of today’s technologies did not exist and there was no need for it. I will remember when there were no secret warrants and immense surveillance on every aspect of our lives. 

I will also never forget the trials and tribulations of raising two kids during this time. The arguments (?) of not giving our kids cell phones or unfettered access to the Internet was tough. Listening to "but all my friends are on Facebook" and "all my friends have cell phones" and not giving in was difficult. I was fortunate because of the work that I was doing gave me (ugly) insight to what happens on the ethernet to children.  My wife and I do not regret our decisions and tough love where our kids had to suffer not 'being online' like all of their friends.  As a side note, one did tell me that it was appreciated what we did because of what happened to others in college because of online postings during high school.

The first new generation

For those born into post-9/11, it is “normal” to accept that your smart phone is a GPS device that is logging everywhere you go every day of your life. It is “normal” to accept that practically all of your activity on the computer or in public is being recorded, logged, analyzed, and saved as potential evidence in a criminal investigation in the future. It is “normal” to accept that we are always in a war in multiple countries. It is “normal” to accept that joining the military means probably going to war in some capacity and some country at some point. It is “normal” to accept that your private Facebook messages and Gmail are being read and archived by humans, not just machines.

For me, this is abnormal.

For me, I will never forget.

Sadly, all of this will be forgotten and be normal.

I believe that most every book begins by seizing upon the spark of an idea before the idea fades.  This book, the one that Mark Spencer and I are writing, is no different.

But first, let me give credit where credit is due, for I will never take the spotlight from another who deserves it.  Mark is an extraordinary forensicator (I actually do not like that word, but what else is there?).  His casework has been featured internationally.  He has presented on some of it and the little that he can share has always been impressive.  This book revolves around his casework. I will merely validate what has already been validated many times over.

What is this new forensic book about?

The story in our upcoming book, which won’t be out until 2023 is Mark’s baby.  Mark and his team did incredible work, and this book will highlight some aspects of a case. Although we are writing as one, my intention is to help get the story out, in both a manner that every forensic analyst must read to reduce making mistakes and for the public to read to grasp a sliver of how important DFIR work is to countries and individuals. You will see forensics with a entirely different perspective after reading this book.

At this point, the actual story won’t be let out until we get closer to the end, nor will the forensic feats be detailed until then as well.

I am humbled to see this book from the beginning and can’t wait to read the finished product.  I have another book in progress, which will also be released near the same time or sooner, but this book is different.

This book won’t be like any forensic book that you’ve read before because of the manner of the way that it is being written.

That spark for a book

This is the one-thing that I want to get across in this blog post (if you ever listened to any of my presentations, you know how I feel about “one thing”): 

The spark for a book can and will come anytime and be unexpected. And it will die out faster than Windows ME if you don’t act on it.

In this case, I met Mark for the first time at a conference, where I introduced myself and told him how much I enjoyed his presentation. No need to go into details about Mark, other than it is easy to figure out that he is a cool guy, knows what he is doing, and is also a humble human.

This is another “one-thing” by the way:

Go say ‘hello’ or ‘great presentation’ or whatever when you have a chance to whomever you wanted to speak with, because that opportunity will disappear the longer you wait.

That one conversation was the spark of this book.  It didn’t happen at that very moment, but that seed grew in a few years to when the decision to put a forensic story on paper was made.  Maybe the book would have happened at another point in time, but certainly it is happening faster than ever now.

It is so easy to write a book!!

That’s a lie.  Show me someone who says that it is easy to write a book and I’ll show you someone who never written a book.  For me, I think that I have a harder time writing books than anyone else.  But I also bet that everyone else thinks that they have a harder time writing than me.  The point is that it is not easy to write a book.

I’ve written a few books, tech edited a few others, and ghost-written partial books and chapters. None have been easy.  I expect this current book to be the most difficult and at the same time, have the highest expectations that this will be one of the best books written in this field.  We shall see when it comes out.  If it turns out to be a flop, it will not be due to a lack of effort and research.

Don’t do this

If you are thinking of writing a book, my advice is to not force it. I spoke with someone who wanted to write a book and he wanted to write any book on practically any topic.  The end result was no book. That was years ago and still...no book.  If I spoke to you about writing your book, and you didn't write it, this isn't about you. I was talking about a different guy....

If you are not damned determined to write a book, don’t even start because you certainly won’t finish it.

If you are damned determined to write a book, but don’t have any idea of what to write about, wait for the idea.  You can’t beat an idea out of yourself.  The idea has to be burning to get out of yourself.

If you are planning to write something that you wouldn’t pay to read, neither will anyone else.

Don't assume that everyone already knows what you are going to write about, because everyone doesn't know.

For those who have written DFIR books, kudos to each of you because I most probably read your book and might still have it on myself, even after a decade of being published. For those who will write forensic books, if you get only one sale, that one sale will probably be me.

More (potentially) big news

At a recent conference (TechnoSecurity), I sat down with the author of one of the most popular and useful forensic books ever written, and written by one of the most influential people in the DFIR field.  The book has been in print for over a decade and the topic of a second edition came up...for all you reading this, believe you me when I say that I hoped that I talked him into a second edition.  I really really want an updated version of this book, but I won't give any more pressure than I already did, until the next time I see him...

TL:DR

The difference in skill and knowledge between the very best and everyone else is small but requires so much effort to obtain that most people don’t even try or quit trying.

This post is intended to kick you in your butt.

A little bit more detail

If you watch sports, a common theme is that wins are by thin margins of time or points, sometimes only split seconds or inches make the difference. This applies in everything including the DFIR/infosec field. I have been involved in casework and read cases of others where one person does or finds one small thing that completely changes the direction of the case or even makes the entire case. One thing!  Usually, this one little thing is something that you later look at and say to yourself, “Why didn’t I see that?”

We tend to think that ‘next time, I’ll do that too’ but that next time never comes.  And we keep seeing others do this over and over in different cases and wonder why we keep missing these little things that make big differences too.

The effort needed

In music and sports, perfect practice makes perfect. No practice and sloppy practice is a downward slide in skills. The most skilled make it look easy and natural. But those are the ones who have made more effort off the court (or in the lab or the classroom) than anyone else. This is no different in the DFIR field or any field.

Effort = physical energy + mental focus + resources (money, time)

You need all three.  You will never have an equal balance of these. Something will always be lacking.  But you must do the best with what you got and what you can get. Everyone else does too.

Our Own Effort

Our perception of effort spent might not be accurate….we sometimes tend to think we are putting out more effort than necessary (without getting results!) but in reality, we are putting out less and don’t need as much as we think. Athletes and musicians have coaches to help them put this into better perspective.

Our Perceptions

It is so easy to believe that we have it harder than others, and that others don’t need to put forth as much effort to be “x” (where x = competent, or highly skilled, etc…).  Rule #1 – don’t worry about what someone else is doing because you’ll never really know what they are doing outside of what you see in public and online.

Quitting and giving up

If you quit early on, you are most likely far from your goals. If you have been doing the work and putting in the effort, you might be a lot closer to your goals than you think. It would be nice to know how close we are, but we won’t know until we get there. It is easy in college to know how close you are to your degree because everything is by a checkbox.  Math course required? Check the box. Next until done. This is easy because you have a known path to your goal.

In DFIR, when we aspire to do something specific or reach a certain skill level, we don’t have a known path or gauge of where we are.  You don’t know where you are until you get where you are going.  You will never know how close you were when you quit. Frustrating!

Changed goals

When your goal is “x” (forensic examiner, incident responder, etc…), and you work toward that goal, your goal post might change.  Maybe during your journey, you find a more suitable goal. Many people stick with their initial goal and fight themselves all the way to achieve it. Then they are unhappy with the goal they achieved because they choose to ignore the goal that they truly wanted. Rather than see this as giving up on a goal, recognize this as an inspiration derived from your initial path that opened your eyes to a truer path.

How do I know this?

As embarrassing as it is to admit, I have tried things and quit. I have tried things, failed, and quit. I have tried things, failed, tried again, failed again, and quit.  I have tried things, failed, tried again, failed again, tried again, and quit.

I have also tried things without putting out the effort that I KNEW that I needed to put out.  None of those ever worked out.

I have also worked to obtain something that I later realized I didn’t want, only to keep going to get what I didn’t want…

The only time that I made my goals that I set was putting in more effort that I thought was needed and each time, barely made the goals.

The “How To” get where you want to be in DFIR (aka ‘harsh realities’)

*  You must put forth the effort.

*  If you quit, you won’t get anywhere.

*  Goals change for the better.

*  Don’t ignore inspirations.

*  Find a coach (ie: a brutally honest friend or a coach you pay to be brutally honest).

*  Realize that you are closer than you think, but won’t know how close until you make it.

*  Focus or the effort is wasted.

*  When you are short on one thing, use more of the other (ie: less funds available means more time spent to find free or less expensive resources).

*  Stop complaining.

*  Stop whining.

*  Stop making excuses.

*  Stop blaming others.

*  You demean yourself and your reputation by putting others down.

*  It doesn’t matter if you were unfairly criticized, unjustly accused, wrongfully discriminated against, or inaccurately judged.  No one cares and neither should you.

*  No one has unlimited resources.

More realities in DFIR

*  Few people are as good as you think they are.

*  Anyone can learn more about something than anyone else.

*  Credentials are meaningless if you can’t do the job.

*  If you can do the job while uncredentialed, you are more valuable than a credentialed and incompetent competitor.

*  You are better than you think you are.

*  You will never know everything. No one does and no one ever will.

*  You can’t control the “system,” but you can control your effort and path.

*  You have the potential to discover something today that no one ever will.

*  Put your words on paper or someone else will. They will deserve the credit, not you.

*  Talk is cheap. Action is what matters.  Want to write a book? Then do it and stop talking. Want to develop an application? Get to work on it!

*  Haters will hate.  Accusers will accuse. But they only do that to bring people down, not to those who are already down. Don’t feed the trolls.

Do this one thing right now. Do it again tomorrow. Do it again the next day. Keep doing it.

Find ONE THING a day. That one thing must be something that (1) is newly learned, (2) refreshes what you previously learned but forgot), (3) saves you time in your work, (4) makes your work more efficient/productive/effective, or (4) inspires you.

This can be related to work, a class, a YouTube video, playing around, relationships, or a hobby. Anything! Every one of these items affect all the others.  A hobby can create an incredible inspiration at work. Play can create a solid relationship. A great relationship can support amazing ability to work. It is all related to each other and affects one another.

Now: Write it down. Email it to yourself. Tweet it. Tell someone about it.  Do something that will burn it into your mind.  If you don’t do one of these, this ‘one thing’ will be a fleeting moment in time and wasted when it could have saved you hours of work, led to an amazing discovery, or opened an opportunity that you would never have otherwise.

Don't do this for more than one thing a day. Just one. That is all that you need and the most effective. Otherwise, it because unduly burdensome and less effective. PICK ONE ONLY!

Don’t be lazy about this.  This is 100% on you.

Backstory to a book

My most recent book (X-Ways Forensics Practitioner's Guide/Second Edition) is an example of all of this, and is also a reminder to me of what I just wrote. First off, writing a book is not easy. The mere effort to write requires effort (as described above). Then there are detractors, imposter syndrome, and personal matters and work to attend. That is on top of research, writing, editing, re-writing, more research, cooridinating and organizing information and people, and finally putting the final period on the page.

This X-Ways book took way more time than I had planned, I wanted to quit many times, spent more resources than expected, tested more than ever, and simply had to create the words out of thin air, which I believe led to my thinned hair...  There is no need to get into every little thing that was an obstacle to this book, but suffice to say there were many.  The more that I think about it, there were a thousand reasons to quit writing this book and only ONE reason to finish it.  And that is all you need to have, because ONE thing can outweight a thousand others.

Consider your butt kicked, but with much love and respect.