Brett's Ramblings


You do not want to work in DFIR.


The fantasy

So many people ask how they can start a career in the DF/IR field, which is completely understandable. The glamour is there. Hollywood shows vivid and dynamic computer screens depicting the fascinating work of forensics and incident response, from James Bond flicks to any of the CSI TV series.

And the money! There is so much money to be made! WHAT A GREAT JOB!

The reality

You need to know computers. I mean, you really need to know about computers, from the basic fundamentals of how a computer works physically with hardware through how software works on that hardware. You need to be a generalist and a specialist. The time spent to learn what you need to learn requires more than you can imagine and at that point, you will still be incompetent for working in this field. You’ll just know that you don’t know enough.

Then when you feel like you have learned “enough” to do the job, if you haven’t kept up with technical aspects of the field every day, you will realize that you have fallen behind in competence faster than a boulder plummeting down a high cliff.

After you read a dozen books on the topic, spend thousands of dollars in courses and conferences, practice with all types of software, your climb to the hill of knowledge will feel like the hill is growing and you are not making any headway. 

Every device that you touch will seem like Groundhog Day because not only will it be a different scenario than the prior device, but your objectives will be different, and the software that you once used might not work for what you need this time. That means learning a new tool to handle a new device on a new case, all the while, trying to keep up with the changes that were made in an operating system from last week.

You will quickly learn that CSI on TV has it all wrong. You won’t be solving anything in the timespan of a primetime TV show and will be explaining to your boss or client constantly that Hollywood has forensics all wrong, and that you have to do research on the analysis. Then your confidence will fall because you will feel that you should have already learned how to do analysis on this particular device, but you have to now do research and figure it out like it’s the first day on the job.

Once you get the hang of this career, for as long as you want to be competent, you will be constantly seeking out training, reading, practice, and research. If you didn’t realize it before, you just learned that the process to keep up is never-ending!

Your reality

If you still want to work in DFIR after all of that, then you might be made for it. This may be your path.  I spoke about much of this with Jessica Hyde of Magnet Forensics this week, and I stand by everything I said about trying to talk someone out of a difficult profession because there are some jobs that require more effort than other jobs in terms of preparation and sustainability.

For each of us, there are jobs that we could not be paid enough to do. Those same jobs where we would never work are the same jobs that some people would pay to have. Each person is different as each job to each person is different, and there is a sliding scale for career preferences.

Any and every job is honorable. No job is beneath any of us. And if we are fortunate in this life, we can choose a job that fits both our wants and needs. DF/IR is no different in that aspect with any other profession.

The one aspect where DF/IR is different is the effort required to get started. Compared to a job where minimal skill is required, or where the skill is fairly easy to obtain, DF/IR  is not only not easy, it is laborsome. With that comes making a commitment to carry through just to get a chance of working in the field. If you are not committed, you are not going to make it.

If you ever competed in anything, from music to sports, you know that it takes many hours of perfect practice, many errors, and extreme focus just to be able to be competitive against everyone else. You can tell in seconds those who have prepared from those who have not. There is no competition when there is no preparation.

On the visual below, if DF/IR is not on the far green end of the arrow for you, you might not make it because it is too easy to give up on anything, let alone something that you are not fully committed to do.

Boot camp is not what you think

If DF/IR sounds like a military boot camp to you, then you got the picture that I am trying to get across. It is boot camp for your brain. You need endurance. You need focus. You need to learn to walk all over again and eventually you are running.

Side note: Boot camp is not bad. It is physically challenging. It can be self-demoralizing as you flounder about learning things that you can’t learn anywhere else. But you know the goal, want to work toward that goal, and when you achieve it, have earned the respect of putting forth your efforts. Same with DF/IR. It is the sacrifice of effort and time in exchange for learning skills.

Few things in life are more frustrating and defeating than not getting what you worked for.  We are impatient. We want what we want when we want it and not a second later. If you are lucky, you get what you want when you want it. For the rest of us, it will take time, effort, failure, time, effort, failure, time, effort, failure, and eventually success. Time = days or years, different for everyone and everyone’s personal situation.

Excuses are like…

During my first week in Marine Corps Boot Camp, a drill instructor was yelling at a recruit who had just given an excuse for failing at a task. The DI yelled, "Excuses are like assholes. Everyone has one and they all stink!" I don’t believe DIs can swear anymore, by the way... but the point was well made to me and I was really glad to learn it by not being the recruit being yelled at. Don’t worry. I was given my fair share of being yelled at every day. The point is that everyone has excuses and they get in your way if you let them get in your way.

There are some factors that will eliminate you from a specific job. For example, to be a firefighter, you need to be able to physically carry firehoses upstairs to put out fires. If you cannot physically do that for any reason, you won’t get that job. Same with being a house painter. If you are blind, painting houses isn’t going to be possible. If you are able to perform a job, then the odds are good that you can get that job with effort.

Barring circumstances that physically prevent you from doing DF/IR, you can do this job. That might make it sound like anyone can do this job, but that is far from the truth. The only people who can do this job are the ones who dedicate themselves to continual education to keep up and learn. For those for whom DF/IR is the right fit, keeping up with the field is more entertaining than watching an action movie because it is exciting and challenging. For those who struggle with spending the time to prepare, learn, and keep up, DF/IR is not for them.

You cried?

If you didn’t get into the school of your choice for the DF/IR degree of your choice or were turned down by the job that you really wanted, or failed to pass a certification that you studied weeks for, or couldn’t figure out something that you believe to be simple for everyone, then you are probably still on the right track. This is normal. 

And if you sat in the middle of your room and cried about your choice of working to get into DF/IR, that is ok too. You are probably still on the right path. If you consider quitting to do something else, you are even still probably on the right path.

The defining point is that after you do that once or twice or a hundred times, you stand up, crack open the book, and get back to it. If you keep doing that, you will be fine. Do not let yourself get in the way of what you are working toward.  Quitting is simply what happens when you find out that what you thought you really wanted, you didn’t want bad enough. No matter how often you fail, it is only failure when you stop trying.

Yes, it does take time.

Timing is everything. If you are lucky (I am not...), by the time you are qualified to do DF/IR, the demand is so great that you have the pick of where you want to work and how much you will accept to be paid. You might not have any downtime between being qualified to work and actually working.

For many others, it might take years to get where you want to go. Actually, it probably will take years to end up where you want to be. This is not only ok, but to be expected. Achieving what you want sooner than expected is nice but do not let this be your measure of success.

I get it

Sometimes the timing is not right for what you want. Maybe you are too early or too late for what you are after. Sometimes there are things out of your control that can prevent you from walking one path, but that does not mean you cannot walk another path that might end up being the better path for you.

Life happens to all of us. We hope to avoid life’s tragedies, but the tragedies are waiting on your path just as they are on the path of everyone else. We confront what we confront when it is time to confront them. We don’t choose when they happen, but we choose how to react.

With that, for anyone wanting to sincerely step off the DF/IR path because of any reason, I fully support the decision, because that decision to quit is probably the right decision. By the right decision, I mean that quitting means you weren’t meant for that path, but also means there is another path more fit for you.

But for those who are on the spectrum that they would pay their salary to work in this field, to learn the bits and bytes of data, and to spend whatever energy is required to get there, I am right behind you making sure you keep going.  You can cry along the way or even toss your laptop against the wall in frustration as long as you decide to keep moving forward. Cry. Wipe off the tears. Get back to work. You will be fine.

Hang on…you’re already in DF/IR?

If you do this job already, by now you should have encouraged at least one person who had a spark of DF/IR to move forward (maybe one of those folks was me!). Be an inspiration to the next generation. We now live in a world of the most negative social media, call-out and cancel culture, where anyone can be brought down publicly for no reason at all. This is our world, the electronic world, the “cyber” world, and by virtue of our job, we are responsible for the safety of all people. Be the force of good and make your name one to be remembered for helping someone, not tearing them down.

The experiences of anyone in this field are awesome! They are even more awesome when you can ignite a small spark of inspiration in someone who may use these skills to change the way we do business, change the way we think about DF/IR, and potentially change the world.

Don’t think this doesn’t apply to you, regardless of where you sit. You have more power to inspire someone to make discoveries in this field that would not be possible except for the spark you lit in someone. That’s pretty cool in my book.
