Brett's Ramblings


There Are Only Two Things That Set You Apart from Another DFIR Practitioner

Two things set you apart from other practitioners: (1) what you know and (2) what you can do. In this litigious world where courts (and corporations, for internal matters) rule on evidence, the rulings are usually based on a “person.” By this, I mean that the ruling body, whether a court or a corporation, makes its decision based on its trust that what a particular person said or did was true and relevant to the case at hand.


I have personally witnessed ruling bodies (legal or corporate) make decisions that were completely unexpected! I’ve seen cases where an expert opinion would have made a huge difference, but a judge ruled that an expert opinion was not necessary. There are cases where a witness was disallowed simply because the witness asked to be excused from testifying for being “too busy” or “too important” to testify. I have seen “conflicting testimony” that could otherwise be called bald-faced lying (perjury under oath!) go without any consequence. In other words, you might be the best, but you might not be allowed to be the best.

Don’t hinge everything on my disclaimer applying 100% of the time. The only thing you can be sure of is to keep doing what you should be doing: preparing to lay down facts and opinions when called upon. One way to look at this is that DFIR work is a competition. Your peers will judge your work. Your organization will judge your work. A judicial body will judge your work. And your opposing expert will judge your work. The better you get, the more judgmental people become, and the more you need to be prepared.

The most important thing to know

Only you will document you the way you need to be documented because only you will be putting words that you say and write on the record.

Document what, exactly?

This is not about your resume, and this is not about your CV. This is about creating and maintaining your record of what you know. Here are 10 tips to get it right, save you time, prevent unnecessary stress, and stand apart from other DFIR practitioners.

Write it down

If you don’t write it down, it didn’t happen. This simply means that if there is no evidence to support that it ever happened, then for practical purposes, it never happened. That includes documenting the course you completed last week and the one you completed five years ago. Many courses do not provide a certificate of training, for reasons that are beyond me. At least with a certificate of completion, you have a record of the training you completed.

What can you do if you are not provided a record? First off, consider that there is a record, whether that be an email confirmation, an enrollment sheet, or a canceled check. Something exists to document that training. Use the information from that documentation to ‘write down’ your course.

Corroborate it

If you have a cert, keep it! No cert? How about an email confirmation? Maybe send an email to the vendor and ask for a reply that states the course was successfully completed. Consider that if you can’t prove it, who will believe it when challenged?

Update it

Keep adding everything relevant to your training record. Everything. Make it a habit to update. It is far too easy to go through a lot of training, education, and experience and plan to document it later, only to forget the details.

Validate it

If you were taught something, keep the practice, at least some of it. Keep your notes and practice. You can easily scan entire student manuals to PDF for archival purposes. If you take great notes and are ever challenged, those notes will validate that you were exposed to the information and validated it with practice, exams, tests, and notes.

Make it Detailed

It is one thing to say you attended Course 123 sometime in the year 2018, and quite another to say Course 123, 32 hours in length, in Washington D.C., with dates of 3/3/2018 through 3/6/2018, presented by Vendor A, instructed by Instructors B and C, and covering topics 1-9.

Make it Accurate

The last thing you need to do is embellish. Rarely does a DFIR course fail to speak for itself; it says far more than embellishing ever could. If the course was 5 days and listed at 40 hours, then that is what to document. 40 hours, not 60 hours, unless it was 60 and you can show it.

Don’t treat it like a resume

Your training documentation is for you to see. It is not a resume or CV. This is your record, the source for your resume, CV, or statement of qualifications. Sure, you can offer it as your training record to support expert qualifications or when asked by a client, but typically, this is your official training record. Treat it as such.

Don’t rely on your organization to do it (correctly)

Your organization might keep decent training and education records, but if you are going to rely on someone else to keep track, you are doing it wrong. It is actually the other way around. You use your records to make sure that your organization is keeping track accurately and appropriately. Plus, there will be items in your personal record that won’t need to be in your organization's records.

Use it as a reference

When you write a report and have already documented research on what you are reporting on, refer to your training/education record. You will have the dates and details of what you’ve done for easy reference.

Include your research (workflows, innovative processes, software, scripts, blog posts, presentations given, courses, workshops, conferences, books read, books written)

Your practice counts. Your study counts. Your homework counts. If you read a DFIR book, document it. All of them. If you take a course online, document it. Almost as important as taking a course is noting who taught it. The perceived value (quality?) of a course is directly related to the vendor and/or the named instructor of that course. An anonymous presenter of a DFIR subject on YouTube will be perceived as much lower quality than the same topic presented by a well-known vendor or a well-known named expert.

Something as simple as a spreadsheet to keep track of your training will save you grief when putting together a CV for court, a resume for a job, or a list of qualifications on a report. Keep in mind that the important points to track are:

  • Name of course/book/class/conference/etc…
  • Presenter/author name
  • Vendor/company/organization sponsoring or presenting
  • Date(s) attended or date published
  • Hours completed
  • Cert received if applicable
  • URL if a YouTube video or video series
  • Brief of topic/s
  • Anything else of relevance that could be useful to remember later

Of the two things that will differentiate you from another practitioner, this one is the easiest, because you just have to document everything to show what you (should) know. For the other thing…you have to show what you are doing based on your actual work.

These are the two things to get you that .5% edge that will set you apart from everyone else.
