Brett Shavers | Ramblings

The Easy Way to Learn DFIR

Posted by Brett Shavers in Digital Forensics, JUN 08

Summary

There is no easy way to learn DFIR. You can stop reading from here if you want.

Longer version

Ok. Since you are still reading, you probably are the type that will drive through, over, around, or under walls to get to where you want to go. Good for you!

The perception that “everyone else” has easy access to training, education, and resources while “you” do not is just a perception. It is easy to fall into the trap that makes this seem like reality when in fact, it is far from it.

Social media reinforces that we should only show the good, the best, and the positive of ourselves, in that few people talk about their personal struggles and only showcase the best parts of their lives. The DFIR marketing experience is no different. Vendors tout their wares, colleges push their programs, and those who attend these programs mostly preach how great the training, education, and networking are in these venues. For the rest of the DFIR Internet, it seems like “everyone else” gets to go while “we” do not have the same opportunities.

The fact is that perception is not reality, and that virtually everyone in this field of DF/IR/Infosec struggles to learn using every spare minute, any affordable resource, and every free resource available. Across the whole field, only a very small number of people can spend years in training and education while at the same time being able to work and have a life outside of work. It’s just not a realistic scenario for the vast majority.

The struggles

Do not believe that no one struggles in life except for you. Do not fall for any mental traps that you are the only person having the most difficult time in getting into the DF/IR/Infosec field. Avoid anyone and everyone who tells you that it is not your fault that you do not get what you want, but the fault of others that prevent you from learning or being hired because of what you are. The “what” of you being everything that has nothing to do with “who” you are. The “what” are things like age, gender, race, height, weight, or any other physical description that have nothing to do with who you are. It is the “who”, not the “what”, that makes things happen. Anyone giving you excuses or perpetuating excuses like these is keeping you down, so ignore them.

Side Note: Every client of mine cares nothing for “what” I am, only that I can solve their problems.

Stop looking at those who have “made it” with a false belief that they had it easy. That they had everything handed to them. That they must be smarter and can learn things easier. I can promise that every single person who you think has “made it” struggled for years and still struggles in trying to keep up with the field. They struggle to balance life and work. They struggle with medical concerns (like you), home budgets (like you), family duties (like you), and even suffering in traffic (like you too!).

No one lives inside a DFIR bubble that protects from any of life’s tragedies, miseries, and mishaps. I can also promise that many of those whom you may think had it easy, probably had a much more difficult time of getting to where they are than you could ever dream, maybe even harder than where you are now.

Tip: Everyone struggles. No one is born with a silver spoon in this field, because you have to put in the labor to learn it. There is no other way.

The resources

With the Internet today, you can practically learn any field that you have an interest in, with virtually no money out of pocket other than an Internet-connected computer. DF/IR/Infosec is no different. On www.dfir.training alone, there are terabytes of forensic test images, thousands of software applications (more than half are free), hundreds of white papers and templates, and more resources than you could use in a career. Other related sites provide similar resources, even places where you can post any question and have it answered by experienced practitioners within minutes of your post.

The training available today is more than I ever could have predicted when I first dipped my toes into this work. The courses available in the beginning pale in comparison to today. Where just more than a decade ago the courses were basic “computer forensics” that covered a mere fraction of what we know today, courses now teach a deep dive into artifacts and systems, so that you can select specifically what you need.

Time and money

The issue of having enough time and money to learn is not new to DFIR, nor is it unique to DFIR. If you want to be an attorney at a top tier school, be prepared for the cost. If you want to be a physician, accept that there is a financial cost that is most likely more money than you have in the bank. And any field takes time. Anyone who expects this journey into DF/IR/Infosec to be 100% free or 100% paid by someone else, or that it can be learned in a few weekends (while watching Netflix on TV) will be greatly disappointed.

The right reaction to the high cost of education is not complaining about the difficulty or perceived unfairness, but rather figuring out your own way to get what you want. Everyone has a different method to get to their destination. Everyone has different obstacles. But everyone has opportunities if you make sacrifices to take advantage of them.

Shortcuts

Let me digress a little. I am a firm believer in cheating. I define “cheating” as being innovative, creative, and imaginative. I do not use “cheating” as breaking rules, laws, agreements, or selling out a part of your reputation to get what you want.

Technology makes it easy to break laws and rules. Cracked (pirated) software/books are one of the most common things that I see among students, with the excuses that since they can’t afford the software or books, they download them from torrent sites.

Do not do this.

Or if you do, keep in mind that you will have crossed the bridge from the land of doing good to the land of doing bad. I won’t get into the moral aspects of digital property rights but will say that you cannot beat the law with excuses of “it is not stealing when you only download a copy”. Try telling that to a judge if you are questioned about being a software pirate and let’s see how far the argument goes. Your client or boss will certainly not be happy…

Best field ever

As far as support, DF/IR/Infosec folks are the best. We like to learn, teach, and share. Yes, there are always a few bad apples in any group, but overall, the folks here are great. Avoid the bad apples. Don’t even communicate with them.

The reason I believe the people in DF/IR/Infosec are great is because the work we do is for the public good. The work is about justice, fairness, and truth. Usually, only good people gravitate to the good work like this. It’s in our nature.

In the words of Troy Larson, "Be good." I cannot think of any better words that are more important than Troy's.

Shameless plug

Here are some things you can take advantage of from www.dfir.training.

  • Find test images and challenges: https://www.dfir.training/resources/downloads/ctf-forensic-test-images
  • Find tools to work on the challenges: https://www.dfir.training/dfirtools/advanced-search
  • Find training to learn more: https://www.dfir.training/calendar
  • Join an association to network and learn: https://www.dfir.training/directory/associations
  • Find a DFIR blog with your target interest: https://www.dfir.training/dfir-blogs
  • Find a college with a DFIR program: https://www.dfir.training/directory/educational
  • Find a DFIR book: https://www.dfir.training/resources/book/library/1560/books
  • Find a template, report, or search warrant to see how others write: https://www.dfir.training/resources/downloads/forms-and-templates
  • Find any of thousands of white papers: https://www.dfir.training/resources/references/white-papers

And more. But you get the point. If you have the time, you have the resources.


The shortcut way

Granted, if you have unlimited financial resources and plenty of time, the options are “easier” in that you can sit in classes while being told the answers to DFIR problems using the most expensive software applications available today. This is the exception, not the rule for the DFIR world. In my opinion, the most expensive courses are best for when you can soak in every minute of the course because you already have a good foundation. Otherwise, your time and money will not be best spent if you don’t learn what you could have learned by being patient first. You will end up re-learning later what you should have learned in that course, which is a double waste of time and money.

How I do it

Your mileage will vary, but I plan on spending hours learning the bare basics of something that I don’t know. I can spend an entire weekend and not accomplish anything because it was hours of trying, failing, falling into rabbit holes, wrong conclusions, wrong software, errors, oversights, Internet research, and restarting virtual machine snapshots again and again to try it all over. Sometimes I get it right quickly, but most times I spend a lot of time getting it wrong a lot of the time.

I expect that some people learn faster than me and others learn slower. But that doesn’t really make a difference, nor do I judge myself against someone else. We are different.

A big point to make

I often get asked questions about topics that I have no idea about, because I haven’t done everything in DF/IR/Infosec. I know some things well, just as I don’t know some things at all. Do not expect to learn everything, because there is no such thing as knowing everything. By the same token, do not expect others to know everything either, regardless of who they are. Anyone who claims to know everything knows nothing about knowing everything. Also, don’t look at someone sideways when they don’t know the answer to your question just because you think they should know it all.

One of the many things that I learned in Marine Corps boot camp was answering questions that I didn’t know the answer to. To jog the memory of the Marines reading this, we learned through positive reinforcement that to not know an answer to a question does not mean you cannot find the answer.

“I don’t know” is totally different from “I don’t know the answer right now, but I can figure it out and get back to you.”

At the CTIN conference a few weeks ago, I spoke to someone who has been doing this work for a long time. His story, in brief, was that he spent an amazing amount of time figuring out how to pull data out of a database that he had not dealt with before. Nor could he find anyone who had dealt with the same thing either. But he did it. It took a lot of time and a lot of labor, but he did it. From what he described, this is not something you can find in a class or a book. You have to figure it out yourself. And he did, as he always does, because he knows that it takes time and effort to learn and figure things out yourself.

By the way, his work made a difference in the case, because he found a way to pull out the data in a readable format, and it was a lot of data.

I wrote a little about the theme of figuring it out yourself here: Just show me the answer

One more big point

Another reference to the CTIN conference was a presentation by Mark Spencer of Arsenal Consulting. Mark spoke about a case where he found the most relevant forensically important data in a case that 14 other experts missed. Actually, it was 14 other companies that missed what he found, which most likely means that it was more than 14 individuals that looked at the same data and everyone missed it. The case involved the wrongful incarceration of more than 700 people, including journalists.

Mark could have been the 15th company that missed the evidence, but he really dove into it, in the minute details of file analysis that I had never thought of before hearing his talk. You can believe that I look at the aspects of his work much differently in my work today.

In case you missed the point, it is that no matter who you are, you can do a great job when others do not. You do not need to work for a Fortune 50 company doing infosec to have part of a global case that affects hundreds of people, or even millions of people. You just have to put forth the effort to learn.

Walking miles in two feet of snow to get to school

I have talked about how difficult it was years ago to get into the field because the resources were scarce. No college programs at all. None. Not a single one. The books were few and extremely generic. Conferences didn’t exist either. Vendor courses were very expensive and plainly generic. Software choices were so bad that we used hex editors.

I do not say this to mean it is easier today than it was yesterday, but that there is always some struggle or obstacle to get where you want to go. The struggles and obstacles change over time, but nonetheless, they will always exist. Where I had no college choice years back, now there are many choices, but it comes with a financial and time cost.

Want to be famous? How about wanting to do good?

Here is the neat thing about this field: find something to research that hasn’t been done before. Dive into it. Break it apart. Smash it into bits. Test your theories. Come to conclusions. Publish it. It is not unreasonable, nor impossible, to discover something really cool in this field. Most fields work this way; DFIR is no different. You do not need a PhD to do this job. You do not need a certification to be competent. If you can do the job, that is all clients and victims want.

Bonus points

You read to this point? That shows to me that you won’t take a shortcut, that you will do it right, that you will make it, and that you will be able to solve problems. Some of you will be solving problems that will affect hundreds or hundreds of millions of people. That right there is cool.

Game of Thrones, DFIR Style

Posted by Brett Shavers in Digital Forensics, APR 25

Short post and quick opinion.

I came across some tweets today about how bad people are in the #infosec/#DFIR community and I dug a little deeper. Actually, I didn’t have to dig far at all to find truly negative things, things that I don’t typically see. (*edit: this wasn't written about a current infosec drama, but certainly can be applied to it)

DFIR Call-out culture

On the call-out culture in DFIR/infosec, aka “name and shame”, I liken it to a Game of Thrones style Walk of Shame. When the Internet is weaponized against someone, for any reason, justified or not, it’s not just a walk of shame, it is a walk of shame on a cocktail of meth and steroids, and carved in stone.

I don’t have any requests of anyone who chooses to participate in the call-out culture, simply because people will do what they are going to do regardless of any positive advice you want to give. For those, it will always be damn the consequences, to hell with long-term negative effects, and so what to those hit as collateral damage. I’m using the ‘call-out culture’ term as it applies to simply calling out anyone online to bash, shame, embarrass, ridicule, or troll because you are angry at something.

Stay above the fray

There is a reason that I don’t see these things online. I don’t look for them. I ignore them and certainly don’t follow them. I intently look for the positive. There are good people in the world, in every profession, just as there are not-so-good people in the world and in every profession. We each choose who to listen to, who to associate with, who to mentor, who to be mentored by, and who are our role models. We make our own beds by the choices we make. Make the wrong choices and you will see a lot of negativity that is amplified more than its reality.

To be honest, I have started this post several times over the past year, but I chose to not write it because of a fear of somehow being targeted in the culture that we developed in targeting ourselves. But I hope that the post helps someone, so I write it today.

Inciting fear, anger, and hate

Here is one example of what I am talking about: It is difficult to get the job that you really want. For some reason in the universe, no matter what job you truly want, it is difficult to get. Sometimes it is impossible. Same with the school that you want to accept you. I have no explanation for why this is, or maybe it is just me. Whatever story you have on not getting what you truly wanted, I can one-up you on every count. Whatever story you can give on not getting what you wanted because of something about you, I can one-up you on that too. We all suffer from some form of something that we had nothing to do with or have any control over that is used against us for some reason or another. All of us.

The thing is, when we tell each other that the world is against us because of something, like what you are (versus who you are), or some other reason, we do a disservice by discouraging hard work. By knocking someone down online, we discredit ourselves and the community. When we say, “The system is against you”, that roughly translates into “No matter what you do, you won’t win.” Some of us, certainly a small percentage, dance in the muck of trolling others, embarrassing peers, creating untruths, and worse still, doxxing each other.

This negativity won’t go away, but you can choose to not listen, not be a part of those conversations, and push the positive, not push the narratives. And simply keep moving forward. Simply, by the way, does not mean easily.

I'm not trying to conflate the mentions that may unintentionally come across as negative with the intentionally negative comments found online. There is a difference between innocently saying something that may be misinterpreted and blatantly calling someone/something out.

I see this sort of culture online, where some users are constantly spreading fear or generating anger, riding on any hot topic of the day. I just don't know what to say about those who are angry about something that affects no one but themselves. When they try to build an audience to support their cause of anger, by "calling out" some person or some group of people for some reason or another, the Internet magnifies someone's personal perception, which in some cases can be totally off base. All I can suggest is to ignore those who do this, because those who do this can't be reasoned with. Associate with eagles so that the turkeys don't hold you down.

Confrontation

Going directly to the source of an issue that you have with someone takes guts. You won’t get any ‘Internet social cred’ for not calling them out publicly, but you will get respect from the person or company that you confront. I have been in military and law enforcement units where the only way to solve a problem was to go straight to the person and talk; if you don’t talk to the source of your problem, shut up about it. Today, we see people hit every social media platform to take someone down on an issue that might not even be an issue, with long-lasting (i.e., permanent) effects. Whether a justified injustice or a perceived slight, the result is the same when the Launch-the-Internet-nukes button is pushed.

The contact information of nearly any person or company is blatantly open online. A simple email or DM might answer a question that you have, or clear up a misunderstanding that you or the other person may have. Maybe it won’t. But I can tell you, when you slam a company or person online, it doesn’t matter if you were right (or self-righteous), or totally wrong. The damage is done to both your target and you as soon as it hits the interwebs.

Enough of this already

I will repeat something that I have said many times before. I remember every single person that helped me in every aspect of my life. Some have no idea that they were even a positive influence in my life, but I remember them as such. I remember them by name and by the very thing they helped me in achieving, overcoming, or most importantly, helping me survive.

One of these people, with whom I served in the military, had a huge impact on my being positive in any situation. I’ll name him, because it is in the positive, as you will never see me call out anyone in the negative.

So many years ago, when I was a young E-4, Sam Birky was my unit’s Chaplain, and was one of the most positive people I have ever met before or since. Every minute speaking and every mile running with him affected me then through to today. You would think, looking at his demeanor and attitude, that everything must have come naturally to him and nothing bad ever happened. If you thought that way about him, you would be totally wrong, yet he came across as one of the luckiest, happiest, and most positive people you can ever meet. If you are fortunate enough to have him tell you about his life, from serving in Vietnam, to its aftermath on him and his family, and more that he has endured, you will see how someone can be better even when everything is at its worst. Those stories that he told me are mine, but for anyone who I ever helped, know that it was most likely Sam Birky that helped you, as I was just the middleman of Sam's goodwill and good advice.

As for those who held me back, pushed me down, sabotaged me, kicked me while I was down, stole from me, or spoke nothing but untruths….I remember you just as clearly, but not for any good thing. That’s all I will say about that.

My opinion to you is, be the person that is remembered like a Sam Birky. You will sleep better. The community will be better. In the end, you will be remembered, and not ignored. And the world around you will be a better place to be. That is all that matters today. Yesterday is gone, but we can work today to make ourselves better tomorrow, even if just a little bit (or byte) at a time.

*edit 4/26/19*

Some have asked, and this is the Sam Birky to which I refer (hint: he's the Col).


Puking in DFIR

Posted by Brett Shavers in Digital Forensics, APR 17

Admittedly, the title of this post is intentionally gross, because I am going to heave a few things at you, mainly about puking. As in, literally puking.

The inspiration for this post

I listened to a well-done presentation not too long ago, and afterward, I went to the restroom. When I walked in, I heard someone puking their guts out. It turned out to be the presenter. When he came out of the stall, looking all embarrassed, he said that it must have been something that he ate.

I told him that food probably had nothing to do with it, but more with the stress, pressure, anxiety, fear, and energy required to give the great presentation that he did. I realized after I said that, he was more nervous...

Then I told him that he’ll probably tango with the toilet again at another presentation. It’s just the way it is when you open yourself to a crowd of people. The fear of being judged, evaluated, critiqued, criticized, or being wrong is a lot for the stomach’s brain to handle. Of course, I immediately realized that I was making it worse after the words left my lips...

I said that sometimes I drive the porcelain bus when I give presentations (I have once, and I expect to do it again surely at some point). My advice was to let it flow when it comes, either before or after the presentation, and consider it a badge of honor that you truly put out your best effort for your audience and put yourself out there. You physically and mentally gave it your all because you exposed your entire self to a crowd of strangers. As a bit of comfort, I did say that I’ve not seen anyone hurl during a presentation, but I’m sure that can happen too. I didn’t tell him that at the time, though.

But can it happen to you? And should you ever risk speaking in public if so?

In my opinion, presentation-induced upchucking can happen to anyone, from the most experienced presenters to the greenest of presenters. In DFIR, anyone, and I mean anyone, can find themselves on a stage for the first time in a young career or at any point of their career simply because they know something that others don’t. Maybe a small thing. Maybe a big thing. But your time in DFIR is irrelevant insofar as being able to speak to those in DFIR.

Also, neither the size of the audience nor your competence level at your job will determine whether you toss your cookies.

Ok. Let me give it to you on my ralph story.

My day-of-barf came at a presentation to a group of citizens on basic cyber security. The talk was a favor to a friend who organized the attendees. I gave it my all, as I do every time, but nothing extremely out of the ordinary. As soon as it was over, I felt a little queasy, and lost my lunch in the restroom. That was it. I did it once. When I stepped out of the restroom, there was a small group of people staring at me and one asked if I was ok. Yep....they must have heard me...If you ever hear anything different, that was the story, and not a big deal. I would not be surprised to have it happen again, mostly because I care about giving an audience the information that they came to hear, in a manner that everyone benefits from. And I hope that my zipper is not undone at the time…

I tell you this because no matter how many times you present, you may never know the one time that you end up revisiting your breakfast afterward, which has nothing to do with the number of presentations you have given. I have given presentations for more than 30 years to groups of fewer than 5 and to rooms of more than 500, and I still ordered a buick in the restroom.

But this doesn’t mean to stop presenting when you have the opportunity. On the contrary, I hope it encourages more presentations from those who are so nervous that they would never think of standing on a stage to present a topic that so many people are waiting to hear.

If you are doing your best, and you care that you are connecting and giving a part of yourself to the audience, you are probably at risk of retching afterward. Consider it solid (albeit chunked) proof that you gave everything you had and that your audience received maximum output from your effort.

My intention with this post is that if you find yourself blowing chunks after a presentation, whether you were nervous or not, do not take that to mean you should not present anymore or that anything went wrong with your presentation (it was probably as good as it gets). If I happen upon you as you make modern art in the toilet, I will know that I saw a presentation given at your best and that you bared all to your audience. Kudos to you.

By the way, I believe there to be three types of presenters:

  • Those who have thrown up.
  • Those who will throw up.
  • Those who have thrown up but haven’t told anyone.


So......have you ever thrown up with one of your presentations? Don’t worry about it 😉

Tags: presentations

The #1 Reason that DFIR practitioners don’t post opinions

Posted by Brett Shavers in Digital Forensics, APR 09

Lesley Carhart tweeted today that a journalist used one of her tweets in an article that would have been rephrased in a less playful manner had the journalist just asked. I find this tweet to be an extremely important tweet that affects many in forensics (see my side note on 'forensics'). 

Lesley's tweet was in an article about a national security lapse, or actually, several national security lapses. The incident described in the article is important on its face for national security, yet a journalist took a snarky tweet to validate the journalist's statements. Lesley was spot on with her tweet; as Lesley mentioned, she would have written a killer response that would have been better for the journalist had the journalist just asked her.

TFW your shitposting tweet about infosec is so funny they just stick it in a serious and credible news article 🤷🏻‍♀️🍸

— Lesley Carhart (@hacks4pancakes) April 9, 2019

Let me take this a step further to get to the crux of this blog post on why many practitioners don't post opinions online.

"I am afraid of some attorney using my words against me." - unnamed DFIR expert

I have spoken to more than a few practicing DFIR folks about their decisions to not openly use social media to discuss DFIR, since that is the best way to get the fastest answers to problems. The common response is the fear of having a comment used against them in a case, especially since they are perpetually under subpoena in one case or another. Some of those who do post online comments are using anonymous accounts. They are afraid of their words being used against them in court, so they go the anonymous route, as if that will protect them from answering the question under oath, "Do you have any social media accounts where you discuss your work?"

This commonly stated reason of fear of any comment or comments being used against them in legal proceedings where they stand to be called as a witness is something that I totally get.

A scenario that can play out is being a witness in a civil or criminal trial, undergoing cross-examination, and having past comments brought into play as a means of discrediting the witness. With journalists and activists reaching back decades of online comments to discredit or embarrass someone, the legal arena is ripe for doing the same thing (I have seen it done). In some instances, this could be reasonable if full context is introduced, and even then, opinions are like fruit; they can be perishable as time goes by.

I've had a tweet of mine end up in a class action suit filing. While I stand by it (not a good idea to link to JavaScript from an ad domain that was abandoned years ago—and now repurposed by an attacker—in a production site), it made me rethink how I framed things.

— Kenn White (@kennwhite) April 9, 2019

The result is that we have an incredible amount of talent, experience, and knowledge in the forensic world that refuses to post any comments online for fear of potentially having a comment used maliciously or falsely in either expert qualification or cross-examination. The impact on the community is that we miss the most relevant and impactful resources that could move the community forward 100x, all because of fear of being quoted out of context.

Some people, for whatever reason, do not want to disclose where they work, as if having any job would be embarrassing anyway. So, they stay anonymous online. Again, I totally get it, but if you aren’t bashing your employer, disclosing intellectual property, or being disingenuous in what you say, do you need to be anonymous?

What we get then is a slew of anonymous accounts. We have anonymous practitioners and experts, who we have no idea of their qualifications or reputation, stating opinions on “DFIR” topics, which do not have the same impact as a named person. It’s anonymous, therefore, untrusted and unverifiable, even when coming from someone who is probably the best to state an opinion on the topic at hand. We just don’t know, therefore, almost pointless.

Reasons supportive of anonymous accounts

I understand the use of anonymous accounts when your personal safety is at risk, such as working in a field where you or your family could be targeted (and killed) because of your job, such as working undercover or for an intelligence agency hunting terrorists. If you are only doing forensics, the odds of being targeted are quite low… How do I know this? Because when I worked undercover, where I was day-in and day-out hanging out with people who killed people, I never had my name online. I was also at the point of not having any social media presence at all (anonymous or not) for the sole reason of limiting the risk of exposure to myself and my family.

Other than that, I see no need to have an anonymous account other than for the ability to post anything, and I mean practically anything, without any risk of being personally called out for unreasonable, untruthful, or otherwise harmful opinions.  Unless an employer has a specific policy that an employee cannot have a personal social media account, then anonymity simply appears to be a manner to spout off without recourse.  I’m still looking for an employer that prohibits an employee from having a social media account…  But again, I get it. Anonymity is here to stay.

To the anonymous experts

Brett’s opinion: Anonymous accounts hold zero weight for opinions. It doesn’t matter how many retweets, shares, or favorites you get, anonymity is not credibility.  But if you put your name on your words, your words are heavy. For those working in the legal arena, especially those writing affidavits, you particularly know the weight of an anonymous complaint versus someone willing to have their name listed in a search warrant affidavit. 

Your word is to your honor as your name is to your reputation.

The things that we say (post/tweet/share) today will most likely exist forever. This by itself should be enough to make us at least read our words before posting them. Although I will admit, I will re-read what I just typed, post it, and then catch my grammar errors too late after the post…but for the content, I stand by what I post. As to the grammatical errors, I’ll take them too because for context, my words are my words.

I hate saying that I was wrong

I do not like to apologize or admit to being wrong, but when I am, I do it. I consider everything that I do and say, including social media posts, to be under scrutiny of accuracy and truthfulness. I don’t need anyone scraping my data to find something that I misstated, but I could surely see something come up in court or online from someone who wants to dig something up. That’s fine. If I was incorrect in stating something, I’ll admit that I was wrong. I will even apologize for it because I want to learn and improve, not be stuck in my growth in the field.

Pot calling the kettle black

Yes, you have seen me, and will continue to see, embed someone's tweets in a blog post. But you will never see me take someone's comments out of context, nor re-post someone's comment that will embarrass or shame. That is uncool. However, I will showcase some good ones that deserve more discussion than just a tweet can do. The really important tweets that affect hundreds or thousands of people. Lesley's tweet is one of those tweets. Her tweet was perfectly done and did not need rephrasing in the least bit (or byte).

APR 08

If USB flash drives were shaped like spiders, we wouldn’t have these problems

Posted by Brett Shavers
in  Digital Forensics

I hate USB drives. My first experiences with the darn things were when I was a young patrol officer and the entire police department was ‘issued’ a USB flashdrive to temporarily store our reports. In theory, we would be able to write reports in our patrol car laptops (MDCs/MDTs), store the reports on the flashdrive, and then plug into the network to upload the report. At the time, the patrol car laptops had no “Internet” connectivity, other than a data channel for running names and license plates.

In practice, those USB drives were forgotten in whichever computer the officer had plugged them into. Everywhere you looked, there would be a handful of these things either plugged into workstations or lying around desks. Some had names written on them, others were just plain ol’ USB flashdrives in every color of the rainbow.

At one point, the entire network was infected with a MS Word macro virus that was spread throughout the city. I blame those USB flashdrives.

Oh yeah. None were encrypted, but they should have been, considering how many were probably lost throughout the city after inadvertently dropping them while on the street. When the real “Internet” was connected to the patrol MDCs, we could finally upload reports directly without using those malware devices.

Personally, I still hate those things. I have lost USB flashdrives before, simply because they are small and easy to lose. Any USB flashdrive that I personally have is encrypted because I KNOW that I will lose one eventually. No, make that I will always lose all of them eventually. Thank goodness for cloud storage…but that’s another story.

Today's spy story

https://abcnews.go.com/Politics/chinese-woman-mar-lago-security-controversy-expected-court/story?id=62247972

I’m not getting into why I think this spy is incompetent, because maybe she isn’t. Looking at all angles, this could be a small part of a very well executed operation where this particular operative was designed to be caught from the beginning. Perhaps to probe security or maybe as a distraction to the primary operation. Basically, this spy got caught with typical spy stuff, including a malware infected USB flashdrive.

Here’s the rub: After seizing this suspicious USB flashdrive, the Secret Service plugged it into a computer. I don’t know anything about the process used or the computer that was used, but reading that the agent shut down the computer because of seeing a “very out-of-the-ordinary” event of files being installed to the computer implies that it was not the correct process…at all.

USB flashdrives are evil.

To be honest, I love finding USB flashdrives because I am a curious person. I automatically assume that malware is on every one of them that I find, and that is what I look for. If I had no intention of uncovering malware on a found USB flashdrive, I would throw it away. Unless someone’s name was on it and it could be returned, I toss them. I recommend that everyone toss them.  Most likely, you won’t find the owner unless you plug in the flashdrive and fish through the files. That means exposing your machine to potentially harmful malware.  Additionally, I am certain that the owner would rather have the found property tossed in the trash than have a stranger go through their personal data.

The year is 2019 and we should all know better by now. You do not need to be a “cyber” person to know that plugging ANY unknown device into a system causes a risk of compromise. Plugging an unknown USB flashdrive into your computer should be viewed as if you were taste-testing white powder that was mailed to you in a letter. You just don’t do it because you just don’t know.

To have the Secret Service plug a USB device into their system is disappointing, because the best forensic training that I have ever received was from the Secret Service. They know their stuff. You just don't start plugging devices into a government computer system...

The lesson

If you know that USB flashdrives are dangerous, be sure to tell others when the occasion arises. Teach your kids. Teach your friends. A found USB flashdrive is garbage. Don't fall for anything that makes it enticing to plug in, because that is the point of an intentionally malware infected USB flashdrive: to get you to plug it in.

If USB flashdrives were shaped like spiders, we would have ZERO instances of people plugging these things into their computer. https://t.co/oSMTSMAkio

— Brett Shavers 🙄 (@Brett_Shavers) April 8, 2019

As for me, I would have loved the opportunity to examine that USB flashdrive. I have a computer set aside just for that sort of thing 😊

APR 05

Working in DFIR is glamorous, but mostly only to those not working in DFIR...

Posted by Brett Shavers
in  Digital Forensics

Here is something about the DFIR career field: it is one of the most exciting, eventful, and jam-packed jobs that anyone can have. Running and gunning, saving the world, hacking into remote systems, and stopping bombs from exploding seconds before the countdown timer expires!

At least it looks that way from the outside.

But seriously, DFIR work is cool, just not in the way outsiders see it. Mostly this is because of Hollywood productions of “hackers” and “CSI” forensics. Every cool job works this way. Hollywood says so, therefore everyone’s perception is what Hollywood says it is.

One example of how this perception thing works is a recent podcast interview that I had on The Many Hats Club, which by the way, is a pretty good podcast to keep up with. My intention and thought when asked to be on the podcast was that I would be talking about the cool forensics stuff, but I ended up talking more about police work, specifically, undercover work. No complaints, as it was really fun to bring up some old stories that I had about a few things that I have done.

It's been a while, but @notameadow has been hard at work and we have new podcast episodes for you! We had @Brett_Shavers on to talk about forensics and also finding out his past undercover work. https://t.co/MNyanCuKPR
Also available on iTunes, Spotify and other podcast apps.

— The Many Hats Club (@TheManyHatsClub) April 4, 2019

I have had this happen before, where I was hired for a class action litigation and flew out of state for trial with this team of really really expensive lawyers. At dinner with the lawyers, no one was paying me any mind at all, until someone asked what I did “before computers”.  I do credit the kindness of being asked, even though it was just courtesy.  As soon as I mentioned that I worked undercover narcs, the rest of the night was not a peep about computers, but lots of undercover stories. The class action case was not even talked about. They saw the dope work as cool and the computer work as mundane, but only because they see how the computer work (the ediscovery/forensics part anyway) is done. No big Hollywood excitement there other than spreadsheet and file fragments.

I’ve had the same responses when asked about some of the military and SWAT assignments that I’ve had. Internally, and much like DFIR work, most days are mundane. Writing. Sitting. Waiting. Planning. Training. Training. Writing. Sitting. Meetings. Training.  And then a few extreme highlights pop up, just like DFIR work. I call these extreme highlights "fires" because that's typically the way they happen...unplanned, unexpected, and everyone running around like the world is on fire.

The point of this post

Your DFIR job really is cool.  It was cool to you before you got in it and you may not feel the exact same excitement as before you learned how to do it, but it is still cool. It is cool because it is important, and you can make an amazing difference in the outcome of a case or incident for the special things that you can do that few others can even comprehend. Never mind the stereotypical images of hoodies, flashy computer graphics, and totally unrealistic movie plots. That doesn’t matter. What matters is that you have a job that is cool enough that Hollywood wants to make movies about it and people want to talk to you about it.

So, much like military ops and undercover ops, DFIR ops are super cool also, particularly to the non-DFIR folks who ask you about your job. Talk it up when it comes up, because it is just as important as they think it is, and a career well worth the effort to fight for a spot for those thinking about getting in. It doesn't hurt to have a job that many people know to be very important. Every bit of positive perception in your job goes toward support for you when the public and your co-workers understand that what you do is so important that Hollywood movies and television series are created to showcase the amazing things you do, so to speak :)

In the highest of technical terms, this DFIR work is defined as: neat!

 

MAR 22

Overcommitted in DFIR

Posted by Brett Shavers
in  Digital Forensics

I have seen people be overcommitted, realize that they are overcommitted, yet continue forward in the most serious of situations. By overcommitted, I do not mean that they took on more than what they could handle, but that they started down a path, committed themselves to it, and refused to adapt to the changing environment.

Here is one example that I have seen in police work: Officers were dispatched to a drive-by shooting with a description of the shooters and vehicle. Reasonably, and expectedly, two officers pulled over a car that matched the make, model, and color of the suspect vehicle. Since it was a shooting, they conducted a “felony traffic stop”, which means guns out, ordering occupants out of the car, one by one. They were committed at this point in a high risk stop. As soon as the first occupant was ordered out of the car, both officers knew that they had the wrong car (they told me as much afterward).

The thing is, they kept going forward, knowing they had the wrong car, but had to ‘finish the felony stop’. They were overcommitted, without room to adapt to a dynamic environment. I’ve seen this on a few occasions, not many, but enough to know that it happens.

The point

This happens in DFIR too, and I have seen it happen more often than I have ever seen in police work (or in the military). The way that I have seen it happen is on smaller scales of seriousness (no one has guns pointed at them..), but larger scales of wasted time only to get to the wrong objectives. I have seen this in peer reviewing reports, in that I can tell that an examiner was hell bent on going one direction in an analysis, forcing a tool to do something that it really shouldn’t be doing, following leads that have nothing to do with the case objective, and completely missing blatantly obvious clues along the way. They are overcommitted in plugging in a dongle and driving through a piece of media on a pre-set course with no room for deviation. This happens a lot with students when teaching classes and is expected as a learning experience. But don’t let it happen to you.

As for me, I have gotten on the wrong track on occasion, but I have no hesitation to realize it, cut my losses in time already spent, and get back on track. Every time this happens, I end up in a better place in the analysis because I realized that I had become overcommitted.

How it happens

Basically, you hop on a train that has one track to one destination and you refuse to get off once you realize that you are on the wrong train. Some of the ways this happens include:

Your favorite tool

We all have a favorite tool or two. Sometimes that tool is not fit for the task you need. Either don’t start out using it when you shouldn’t, or as soon as you realize that you need a different tool, stop, drop, roll, and change tools. The sooner you realize you need a different tool, the sooner you should switch to it.

Your “system”

Yes, it is easy to get into a rut and start an exam by looking in the usual places for the usual things in the usual order that you always do. Stop doing that! Each case is different. Each case needs to be evaluated with a ‘custom systematic’ method of analysis. Otherwise, you will miss evidence and not even know it.

Your blinders

Don’t start out thinking that you know what happened because you will keep looking to prove what you think rather than prove what actually happened on the system (or to the system).  By “blinders”, I mean that you intentionally don’t look at what you should be looking at because you only want to see what you want to see. As soon as you realize that you are doing this, guess what? Stop it, back up, and do the real work that you started out to do.

How to realize when it happens

As soon as you see yourself spinning wheels and getting nowhere fast, stop and reflect on what your initial goals were, the plan that you laid out, and just as important, the things that you saw along the way. It is what you find along the way that determines which way you go. Much like a tree blocking a road requires you to find a new route, when you find evidence or leads in your exam, adapt your previously well-thought out plan to what you find. Otherwise you will be stuck, spinning wheels, going nowhere.

Your benefit to re-group and re-start

You won’t waste as much time as you would have had you not just stopped, reflected on what you are doing and seeing, and adapted your plan to the evidence you have at hand. This advice works for practically any aspect of life by the way, but it is particularly helpful in forensics because it is so easy to get off on a wrong start or drift away from where you should be when looking at data.

Your next case

Plan how you want to attack it. Gather your tools. Prep yourself that your plan will probably change, which means your approach may change, your tool choices may change, and the route you take to solve the objective may change. Know that up front and you can save days and days and days of effort. As a side note, don't worry about the time you wasted, as long as you get back on the right track, because it is not wasted time if you adapt to the evidence you find along your route to the objective. You may even end up in a better place.

 

MAR 09

'You're guilty unless you can prove it'

Posted by Brett Shavers
in  Digital Forensics

Swift on Security tweeted a great article. The article is not great as a well-written piece or as an earth-shattering news piece, but rather because it brings up a few questions and assumptions to think about on any legal matter.

This should be a mandatory read for every IT person who thinks they’re suddenly a forensics expert ready to judge facts. Inability to present preserved traces and timeline, along with impossible knowledge they can’t explain? 🥴 don’t know what’s going on https://t.co/sK1DbCWIaC

— SwiftOnSecurity (@SwiftOnSecurity) March 9, 2019

The short version of the story is that Tufts University accused a student of altering her grades by hacking the school’s system and subsequently expelled her. I’m not going to case-study the article since there isn’t any signed statement under penalty of perjury as there would be in an affidavit, other than the expulsion letter.

https://techcrunch.com/2019/03/08/tufts-grade-hacking/  

 

There are a lot of unanswered questions in the article, and without having the reports that surely had to be written, I see this article as a friendly reminder that ‘investigating’ an incident (crime, policy violation, etc…) should be done by those with experience to back up the findings, as well as having no hesitation in releasing the evidence and findings to the suspected party. The facts are what the facts are, but if you can’t refute the facts, it is only allegations and not facts. 

The topic of attribution is a favorite of mine. I like it enough to have written a book on it. Actually, two books. These types of cases are cool because I love to find out who did it and prove that they did it (or disprove a false allegation). Articles like this are teases, because we’ll never know unless the facts of the case are produced showing what was done, how it was done, and what evidence was found. Implications one way or another only incite readers to believe one thing or another. The subtitle to the article, 'You're guilty unless you can prove it', sort of shows this, although I think the writer meant "You're guilty unless you can disprove it".

As to my opinion on what happened in this Tufts matter, that is a risky proposition to even start. Too many 'experts' are asked their opinion on a cyber-related topic, and if the answer is not something to the effect of "Well, practically anything is possible", then the expert may get dug into a position that may not have been the best to dig into. The best opinions are those where you have complete and unfettered access to all available information, and based on your training and experience coupled with the evidence at hand, your opinion holds legal weight.

Side note: Don't forget that the "F" in DFIR stands for "forensics", defined as being part of the legal process, meaning that there are rules and procedures to follow to identify, validate, and admit evidence in legal proceedings. It's not just willy-nilly-I-found-an-IP-address!

 

MAR 05

“I've answered questions, responded to emails, and been on phone calls...when asked.” – Harlan Carvey

Posted by Brett Shavers
in  Digital Forensics

I feel obligated to respond to one of Harlan Carvey’s points in his recent blog post, Book Writing Misconceptions (https://windowsir.blogspot.com/2019/03/book-writing-misconceptions.html).  I agree with everything he points out about book writing, so no need to regurgitate any of what he wrote, except to say, ‘ditto’ on the book stuff.

The thing that I want to expand on is that of Harlan taking phone calls.

Back in the day, from my narc desk, in my narc office, when I was contemplating whether to dip my toe into ‘computer forensics’, I found Harlan Carvey’s email on the Internet while I was researching if I really wanted to get into this thing called computer forensics. Harlan's email has never been a secret by the way…he's had the same one for more than a decade now.

I figured that since he put his email in the public view and that I was thinking hard on getting into forensics, I would cold-shot Harlan with an email. Surprisingly, Harlan replied within a few minutes with his phone number. Of course I called him :)

He may or may not remember that call, and no need to get into the details of the call other than to say that this call was the deciding factor in me jumping wholeheartedly into this field. There was no other person, and no other thing, which made such a directional turn in my career into this field more than this one cold-shot email and phone call to Harlan. I'm not the kind of person that does anything halfway; you could say that I went overboard in forensics as soon as I hung up the phone and haven’t slowed down since. When I wasn't undercover arranging drug deals, I was planning, learning, and conspiring to get into forensics one way or another. And I did.

The point being, Harlan ain't no joke when he says he responds to emails and phone calls. In my example, it was one of the most important calls that I have ever made.

The other big point

Your words are heavy.  Your advice can inspire someone to their potential. Your personal recommendations and advice can guide a person in a direction that benefits them personally and professionally, and you (by extension) will help others tenfold. Or not, if you don't take your words seriously.

As for me, I suggest that lending an ear, offering your hand, and gently pushing someone to their potential greatness is the most honorable thing a person can do in their life.

MAR 02

All you need is a tiny spark to solve your case.

Posted by Brett Shavers
in  Digital Forensics

During a recent workshop, one person in the class kept asking me for the magic bullet to work his case. By that, I mean that he kept asking me over and over again for the answer to one of his cases. A ton of ‘hypotheticals’ and another ton of ‘what ifs’ and a half ton of ‘that does not apply to my case’.  One thing about these types of questions is that nothing is going to solve the problem when you don’t know what the problem is in the first place. Another thing is that there is no one answer to solve someone else's problem in their case that you can give, not usually anyway. You can guide and suggest, but having the answer isn't typically going to happen.

So then this happened

The second part of the workshop was a discussion of past case studies and then current cases from the class (whoever wanted to volunteer their cases). The guy with all the questions had none during the volunteer-your-case time. Others did, but not him. Oh well, I had been hoping to dig into his case directly, and when the class was over, the detective was gone out the back door. Probably not the happiest student, since he left right after the class was over. We did get some really good ideas going on some cool cases that I wish I was working...

Fast forward a month.

The dissatisfied detective emailed me. He figured out what to do in his case, which worked, and it was nothing that I had given in the workshop. I thought that I was getting a complaint until he described that when I was discussing case studies, one thing led to another, to another, and he thought of something on his own, which was the key to overcoming an obstacle in his case. He was halfway complaining that I didn’t give him the answer, but conceded that I had helped him find it on his own. That was the entire point of the case studies session by the way; Figure it out yourself, with a tad bit of inspiration.

To the point

Had it not been for him listening to case studies (past cases and current cases) from a variety of different perspectives, he most likely would not have been inspired to come up with his own solution. At best, the solution might have come to him weeks or months later had he not listened to the class discuss case studies, and at worst, never at all. For that, I’ll take a little credit for providing the spark for a fire.

Here is the thing with case studies, particularly with DFIR-type case studies; unless you did the case yourself, you’ll not have all the information on how the case was worked. But you can get a feeling of the flow of the case, a few pointers on how someone else ran it, and maybe grab a spark of inspiration on one of your cases.  All you need is a spark, not an explosion.

I’ve been making some case studies available through videos, in which I talk about the main points of cases that I find online. Talking about my cases doesn’t make as much sense because I already know what I was thinking. It is the other cases where I want to find out how other people think, how they plan, and how they implement investigative strategies in their cases. With the videos, my intention is to show how I look at cases, criminal or civil, and things that I learn. If I could go back in time, I would do all my cases 10x better than I did, simply because I continue to study how cases are worked by others, gain ideas, and get inspired by innovative methods.

The forensic part of casework is ‘easy’, in that as long as you know how to do X, Y, and Z in an analysis, you can examine any piece of electronic evidence. Yes, analysis can be tedious, monotonous, eye-straining, and frustrating, but it is essentially easy when you can work tools to do what you want done with the data.

Do you know the difference between an average analyst and a great analyst?

One just examines electronic media and the other works the hell out of a case.

As a side note, I am working toward becoming a great analyst one day. I will never get there, but I won't stop trying until I do, which I may not get there, but I will keep working on it. I hope you get the point of that :)

Tips

  • There is no limit on the number of great examiners. Whoever wants to be one, can.
  • There is no restriction on who can be a great examiner. Identity = irrelevant.
  • This all applies to you.

Examples

Here are two videos on case studies to get a feel for what I mean. I have more videos, and I am making the time to keep them coming, but this should hopefully drive home the point of what I mean when I say that you, yes you, can break a case regardless of seriousness or size. From theft of petty cash to cyber-terrorism, a case is a case is a case. You just need to work the hell out of it.

More case studies here, and more coming: https://www.patreon.com/DFIRtraining 

FEB 14

Some CONS are good. Some cons are bad.

Posted by Brett Shavers
in  Digital Forensics

The bad cons are the criminals that victimize you.

The good CONS are the conferences that you were glad to attend.  CTIN is one of those good CONS.  I’m partial to CTIN because it was the first organization that took me in when I was but a babe-in-arms as far as digital forensics goes. I am also partial because the people in it have always, and I mean that literally to mean all-the-time, been the best in welcoming members and sharing everything. I’m also partial because I was once the Secretary and afterward, the President. I am glad to see that CTIN has maintained its original founding principles. Much of what I am writing in this post applies to most local conferences, so you will probably think that I am writing about your local organization. That's cool if so, and also it's my intention to bring out the good.

The bad stuff

I have to admit, I have read the incredibly terrible things that have been happening at conferences. I won’t repeat anything that I read simply because I don’t want to make it any worse than it sounds. As for me, I’ve been to many conferences, but ‘many’ is only a small percentage of the number of conferences there are. For the conferences that I have presented and/or attended, I have never seen any of the negativity that some have seen. Mostly, that is because I usually fly in to present and fly out, or stick with a close group of friends for dinner (or just me and my wife) without getting involved in any craziness of midnight partying. However, with the high number of attendees in some of the conferences, I have no doubt that things happen. Don’t forget, I was an undercover narc for a decade…I know how people can get.

By the way, if I ever were to see negative behavior, I am the kind of guy that is not happy if I am not the first person to address it, directly, on the spot. I don’t agree with calling out anyone online, but I will fix problems on the spot because the evidence is there. The witnesses are there. The culprit is there. And usually, it is best to handle it on the spot. Enough of the bad. Onto the good! 

The good stuff

CTIN (http://www.ctin.org) became a non-profit way back when, back in the days of DOS and floppies. I came on-board as a cop just starting out in forensics around that time. We had monthly meetings at the police academy in Burien, Washington, and probably had eight or ten folks show up each month. Half were cops. Half were private sector tech. Both were figuring out this high-tech crime thing, together. After our meeting, we’d head out to a nearby restaurant and continue our conversations before heading back to work. It was, and still is, a public-private partnership in high tech crime investigations.

Over the years, CTIN grew to hundreds of members, with training sessions having almost 100 showing up! All of this cost each member nothing but their time to attend.  Everything was shared, any member with something to add was (and still is!) welcomed to share, and everyone knows everyone, at least by face if not by name.

The lucky stuff

The Seattle area is rife with seriously great people in this field! I mean, we have Amazon, Boeing, Microsoft, dozens of tech start-ups, and even Google moved in. And we have companies like Crowdstrike, DomainTools, and other greats, each with their toes in or completely immersed in the cybersecurity realm. And don’t forget the University of Washington! With billionaire Paul Allen’s donations to the UW computer science program, we have quite a bit of talent to draw upon; after all, US News ranks UW #6 in the nation in Computer Science. Any member, or rather every member, in CTIN has the opportunity to sit next to someone with amazing experience. We are also a short driving distance away from British Columbia, Canada. Talk about competent forensic folks, they are not only competent, but also nice to be around ('cause Canadian, eh?).

The CTIN conferences

CTIN didn’t always have conferences. I took a chance and volunteered to arrange the first one and over a hundred people showed up! Speakers were great, and the venue was not that great. An old hotel near the airport…dark…dingy…slowest Wi-Fi on the planet, except maybe the Kwajalein islands. It was also our first attempt at “swag” and charging money to pay for the venue. It worked out and is still working. From that experience, any time I meet someone who arranges these types of conferences, I want to give them a hug or a drink.

Now CTIN is at Microsoft for the conferences. How's that! From a dingy hotel to the Microsoft campus. Not that a place like Las Vegas isn't "fun" to have a conference, but compared to having a conference at the place where the actual source code to 99% of your electronic evidence is being developed, there isn't a comparison. You won't get access to source code, but you'll be sitting in the same buildings learning how to examine it. That's kinda cool.

The best stuff

The CTIN conference is not the only good conference. There are plenty of others. Many of these conferences (should I say ‘all’?) are run by folks donating more time than they originally planned, herding multiple organizations, dealing with money, schedules, and more with the only compensation being that they were part of something that made a difference. Every non-commercial conference is like that. The non-commercial conferences charge just enough to pay for expenses because no one gets paid. It is all done to share. Commercial is different, but that's not what I am talking about.

Some of the best stuff is meeting great people at a local conference. You’ll not find a more well-connected bunch of people than those working and attending at a local conference. If you want a connection to a Fortune 50 company, you’ll find the nicest people here. Actually, the person who helped me get into this forensics field worked at one of the world’s largest companies, is a published author, speaker, and is an extremely experienced and technically competent forensic examiner. With all of that, he spent personal time on me as a mentor that turned into a decade-long friendship. He’s also one of the founding members of CTIN, so that’s how this CTIN thing started. A nice guy met up with some nice folks, helping each other figure out this cyber-thing. Then they shared it all.

And that’s why I will always be a CTIN member.  


**edit 2/16/2019**

Forgot to mention, I'm speaking at this year's conference. Please say 'hi' if we've not yet met.  I'm one big ear, so to speak :)


JAN 09

This is how I know someone will make it in DFIR (or in anything)

Posted by Brett Shavers
in  Digital Forensics

The #1 factor is not giving up. The #2 factor is talent. Actually, scratch #2. You can make it without talent if you don’t give up. Talent is overrated.

<sounds of desks being pounded>

Let me explain what I mean before going further. Not giving up has to be the most important, because if you give up, no matter how good you are, you will not make it. Because you quit.  By “talent”, I mean natural talent with all the benefits that others have to work at.  You do not need natural talent to make it in DFIR. You need persistence, tenacity, curiosity, and the willingness to learn. If you don’t give up on these things, you will make it.
 
  • Here is the thing about giving up or quitting: It is easy to do.
  • Here is the thing about not giving up or not quitting: It’s tough.
  • Here’s the other thing: You will never know “when” you will make it.

I talked about my path into “DFIR” (specifically, the DF part) in today’s Patreon podcast. Although I didn’t talk about everything, I did give the broad-brush stroke of what I had to do. It took years, lots of my money, lots of my personal time, and personal risks. This was before the flood of colleges offering degrees in cyber/forensics. With a wife, two young kids, and working full-time as an undercover cop with crazy schedules and travel, I had every reason to quit. More of that in my podcast, but you get the point. Others have had more difficult circumstances to get into the field, so I’m not complaining. I'm just saying that I have yet to meet someone who glided into their favorite DFIR job just as easily as buying a book on Amazon.

For some years, I taught at the University of Washington's Digital Forensics program.  Every student in the UW-Seattle Digital Forensics program that I taught was told the same thing, on the first day of the program each year:  “If you are sitting in this room, with the intention to learn forensics, you are smart enough and have the opportunity to do it. You just have to do it.” - me

I say that to you reading this, here and now.

By the way, this post was inspired by Liam Booth.

Soooo, I may have blown the dust off my old wordpress(ugh) blog, and made a new post. Annnd I may have name dropped a couple of people (@Brett_Shavers @cybersecstu) https://t.co/ddH66lqNhL

— Liam Booth (@UpsidedownCanuk) January 10, 2019

From those words that I read in the post, Liam is going to do it.

A story of not giving up

When I was a younger pup in a military course that had a lot of walking in it, the last walk on the last day was a long one. Before that last “walk” of 20 something miles, one of the guys next to me said that he was going to make it even if it killed him. Of course, I said, “Me too.”

At the end of this walk, I was sitting and watching the last people coming down the hill and there was that guy walking down the hill.  He fell, got up, fell, got up, fell, and didn’t get up. Then he was crawling. Then the Corpsman rushed to him. He was having a heart attack, and then he tried to fight off the Corpsman until they got control of him.

The good news is that he lived. The bad news is that he was medically discharged afterward. But I sure learned what determination looked like. He had it. I don’t remember his name, but I am sure that whatever he wanted to accomplish after the military, he did it. I wish I remembered his name because I am curious. Then again, I’m not curious because I know that he achieved exactly what he wanted. He has been my role model of determination ever since.

I hope that I imprinted this trait on my kids, and think I have. My son wanted Harvard to accept him out of high school. That didn't work...he was not happy at all about it...but after going to another college and working extremely hard at everything, he starts Harvard law this year. Determination and tenacity will win out over natural talent and wishy-washiness.

Back to knowing who will make it in DFIR

My point is that it is difficult to get into any profession, including DFIR, but there are some who I have met that I know will make it. There are also those who I meet and I know they have no chance. Not because of who they are, what they are, or where they come from, but because of attitude.

For me, DFIR is overwhelming in that there is so much information and breadth that choosing something specific to focus on is like being a kid in a game store who is only able to buy one game. Or more personally, me walking inside Cabela's…. But that is also what makes DFIR so great with so many opportunities.

Making the long story short

  • Do not quit, period.
  • Motivate yourself because no one else will.
  • Make your plan, because no one else’s plan will work for you.
  • If you think you can, you’re right.
  • If you think you can’t, you’re right.
  • There is no magic bullet to get what you want.

One more thing

I want to be the person that is the #1 supporter of anyone and everyone who wants to better themselves, improve themselves, and get into any profession. Motivated people motivate me. I have had plenty of obstacles in my life, and I distinctly remember each and every person who either cracked a door for me to step inside, held out a hand so I could pull myself up, or pointed me in a direction so that I would at least be going forward and not backward. I also remember the saboteurs, but not for the same reasons.

So, the ‘one more thing’ is that we, those in DFIR, should endeavor to fan the flames of those with the attitude and motivation to follow in your footsteps. I say “your” footsteps only because I am also working my way forward in the shadows of those who came before me, those who are clearly more skilled, and those who I value as role models.

My goal…I want anyone who I can give guidance, to do more in their life, than I ever could in mine. If we don't at least do that, then what is the point of it all?

JAN 01

5 tips in how not to be outdone, outmaneuvered, or just outright embarrassed in DFIR.

Posted by Brett Shavers
in Digital Forensics

Even a monkey can fall out of a tree.

Short version:

  1. Bring your A Game
  2. Don’t hold back
  3. Be prepared
  4. Know what you claim to know
  5. Fight complacency

The longer version (and the version you should read):

First, here’s what I mean about being outdone, outmaneuvered, or plain outright embarrassed in DFIR: someone or something kicks your butt in the arena. The ‘arena’ could be in court, or mitigating a breach, or just working a case where nothing is going right for you.  Sometimes the arena feels like a circus. The last place you want to be in that kind of circus is the center of attention wearing clown shoes with a red nose. Trust me. I’ve been there more than once (I will talk about my experiences in tomorrow’s podcast). 

Bring Your A Game

If you don’t approach every scenario with the intention to do the best you can do, then you have some chance of screwing it up. Maybe it will work out like it has for the past 50 similar situations, but I promise that the day is near when you will screw up just because you didn't do your best. You must bring your A Game each and every time, regardless of how small the task or monumental the objective.

I will give you one mindset shift that will help you: Never accept when someone tells you “good luck” and never wish someone “good luck”. Luck can beat most anything, but luck is simply chance.

Here is a better way to look at the “good luck” saying. Rather than good luck, simply ‘do your best’. If a team member is about to tackle a problem, especially a potentially public problem, telling your team member to do their best is better encouragement than wishing them luck. For a good example of this theory, check out the Japanese. They don’t wish luck. It is “Gambatte!” which translates to ‘do your best’. Both of my kids were raised with “Gambatte!” their entire lives as their mother is Japanese. I have never seen either depend on good luck to win a sports match, compete in a music recital, or get into the colleges they wanted. Live by doing your best, not by hoping that the best will happen by luck.

Do your best each time you approach a scene, scenario, situation, incident, task, computer, malicious file, or meeting. Focus as if the only thing that matters is the task at hand, because that is all that matters. Never ever trick yourself into thinking that ‘this time’ is just like the ‘last 100 times’. Every time is the first time, and it is the only time that matters.

I’ll bring this around to the military, to Marine Corps Boot Camp, where a drill instructor asked me (asked is polite for how it came out of his mouth) how many rounds are fired for rifle qualification. As he repeated his question in case I didn't hear it the first 10 times, I tried to count how many rounds at each line of fire, and of course, I got the answer wrong.

The answer, which sticks with me today, which I have repeated in anything that I have taught for decades since, is that there is exactly one round fired in any firearms qualification. The round fired prior doesn’t count. The round to fire after the current round doesn’t count. The only one that counts is the round you are firing. Same with any task in DFIR. It doesn’t matter what you have done before, how many times you have done it, or how many more times you will do it. The only thing that matters is this time.

One round. One chance. One opportunity. Focus on the current thing as if it is the only thing, because it is.

Don’t Hold Back

If you get really good at what you do, you may tone down your efforts a little just because you only need to do 75% to solve the problem (whatever the problem is). Do not do that. Go at it full speed and full energy as if you don’t know how your task will turn out, because in reality, you don’t know how it will turn out regardless of how much effort you put into it.

Holding back in DFIR work means that you could be going all out to solve a problem, but you figure, “nahh, I’ll just run the so-and-so application over the drive and be done with it”, or “I beat that opposing expert in court last time, so I’m fine to go up against him tomorrow.”  When you hold back, your opponent, whether it is a person or data, will eventually take advantage of you holding back.

Be Prepared

This is an easy one, but something we tend to slack off on the more we do the same thing over and over. In everything you do, be prepared. Think back to how many times you had to do something and assumed that you had the tools in your toolbox, or the dongle in your Go-bag, or that your software license was current, and when you needed to use it, you couldn't. When you run into a situation where this sort of thing happens, it is solely because you were not prepared.

An uncomfortable related preparation issue is that of your teammates. If you must rely on someone else to do their job in order for you to do your job, be sure that they do their job. The buck stops with you, and blaming someone else is a bucket that holds no water. Don’t assume that a teammate (co-worker or whomever) will be prepared to the extent that you need them to be prepared. I have too many examples of this happening to me, where entire operations had to be cancelled because someone forgot something that they were told to bring. Double-check. The end result will reflect on you, regardless of whether a teammate is to blame (if it is your gig, it is your responsibility to make sure).

The two-pronged point is that you need to be personally prepared and ensure that if you depend on any other person to do your job, you supervise them to do their job. Yes. Technically you could be ‘supervising’ someone, but more specifically, you are making sure that you can do your job.

Know what you claim to know

If you are reading this blog post, especially to this point, you have dug deep in the world of DFIR. My assumption is that you know more about the DFIR field than the average computer user. That means you know far more than simply ‘what is a computer’. I would bet that if you were thrown into court tomorrow and quizzed, the court would qualify you as an expert in some aspect of the DFIR world that you know. The reason…is because you know more than the average bear. That makes you an expert.

Here’s the thing to remember: being an expert, or someone considering you to be an expert, or even a judge qualifying you as an expert does not mean you know everything. Quite the opposite. It means you know more than most people, but you are also acutely aware that you are learning all the time.

Those who have been doing this work for more than a few days will never say that they know everything, or that they know everything about even one small thing. There are too many variables, too many moving parts, and too many unknowns to claim to know it all or be a know-it-all.

But if you claim to know something, you better know it, because one day, you will be called upon to prove it. You won’t have time to prepare. You won’t have time to learn it. You won’t have time to practice. It will be game-on at that moment.

Fight complacency

The better you get at what you do, the better you get at what you do. Which means, the better you hone a skill, the more honed that skill naturally becomes. Realize that this is a good thing, but comes at a price. The price is complacency. Complacency will sink your career and skills faster than a long-tailed cat running through a room full of rocking chairs. In some jobs, your life may depend on not being complacent.

<Back to my wife> I have had the fortune of "luck" by working hard to get good results. At times, I would brag about some of the things that I have done and my wife would always give me a Japanese proverb of “Even a monkey can fall from a tree”. Not until I was t-boned in a patrol car did I really take this to heart. I’ll talk about the wreck in my podcast, but suffice to say that I consider myself to be a monkey that is trying not to fall out of a tree, regardless of how good I am at climbing trees.

The point

Everything you do needs to be done with pinpoint focus, as if the task at hand is more important than it appears. I am not suggesting that you stress yourself out when you have to image a drive or run AV against media, but when you do the little things with focus, the bigger things will be more easily handled.

When I am hired for peer-review reports to find flaws, I can instantly pick out where the analyst was lazy, or complacent, or is relying on past experience and luck rather than focusing on the work or even focusing on the report. Any time I hear someone say, “I’ll just knock out a quick write-up”, I cringe. If it relates to my case, my responsibility, my name, my reputation, or any aspect of my work, I stop-drop-and-roll with a clear “That report better be your best work or don’t give it to me.”

A warning

You will get caught off-guard at some point. Unprepared. Surprised. And you’ll have to sit in the hot seat until it is over. BUT! If you at least do the five things in this post, the chances that you will be in that hot seat will be less and when it happens, it won’t be so bad, because you will know that you did your best.

Gambatte!


Recent Comments
Steve Whalen
Awesome blog post Brett! I've always been a big fan of yours! We are making the blog post required reading for everyone on our te... Read More
Thursday, 03 January 2019 20:06
Brett Shavers
way kind, and right back at ya.
Thursday, 03 January 2019 23:09
DEC 23

Only race cars should burnout.

Posted by Brett Shavers
in  Digital Forensics

This week, @taosecurity (Richard Bejtlich) wrote an important blog post on managing burnout (Managing Burnout). As he mentions in the first sentence, he is not talking only about information security, but burnout in any profession.

I’m certainly no expert in preventing burnout, other than regularly bringing myself to the burnout line, because that is the way I am. I enjoy working hard, solving problems, and moving on to the next challenge.  I tend to go all the way to that line because of high expectations of myself. I also tend to be highly vigilant of my limits.

I believe that most everyone in InfoSec (DF/IR) has the same type of personality. We see broken things and want to fix them. When we don’t see broken things, we break things and try to rebuild improved versions of what we just broke. That’s the nature of problem solvers. I have been that way in every job that I ever had.  You are probably the same way. This works out well most of the time, until it doesn’t.

Richard shared a great deal about the burnout in his own career, for which I am grateful. My belief, based on what I have seen in my life so far, is that we problem solvers have to monitor our own burnout because few others will do it for us, or, even if they notice, will ever show that they are worried about us pushing ourselves too far.

For me, I have been lucky. My family has been the balance of burnout prevention. My wife certainly makes sure of it and I take vacations whether I feel I need it or not. Moral support is priceless too.

But here are some things that I learned about burning yourself out at a job.

  • The harder you work, the more work you get. Work smarter. Not harder.
  • Your job didn’t miss you before you got there. It won’t miss you when you leave. Do your bit and then go home.
  • Suck it up. Don’t be selfish. Until this turns into stupidity; then you stop.
  • There’s a time and a place for everything. That includes recuperation.
  • You are just a warm body. You are there to do a job, not become the job.
  • See someone reaching burnout? Offer support.
  • Are you a supervisor and see someone reaching burnout? You better have resources on hand, right now.
  • Be a positive in life overall. Ask coworkers and friends how they are doing. You may just save their job.
  • If someone tells you that they are at their limit... BELIEVE THEM!

This is what I came to conclude from my last jobs as an employee (before becoming a business owner and part-time employer). At one point in my police career, I had many duties at the same time. Let me repeat myself: all at the same time. Most were on-call duties, but it added up. I was the Use-of-Force lead instructor (defensive tactics instructor, firearms instructor), SWAT, OIC (Officer in Charge), narcotics/vice detective, undercover officer, and computer forensics examiner. I carried a pager (for SWAT), a business cell (for detectives), and up to a dozen burner phones for all the undercover cases I was working in multiple countries and states. I answered calls 24/7. I was called out for bank robberies for SWAT, officer-involved shootings as a detective, and undercover assignments for guns, drugs, human trafficking, and stolen car rings. I did some really cool cases in some really cool (and scary) places. I was at work a lot. A whole lot.

None of that bothered me, except that when I would seize $100K cash in a drug bust, the expectation from my agency was that I would seize $200K the next time. Or if I arrested 10 in a major case, that I’d arrest 20 the next time. And if the next case only had $10K in cash and one car seized instead of a fleet of luxury vehicles or a flush safety deposit box, the case was a failure. And running from city to city for either SWAT or undercover or imaging a computer, only to worry about having lesson plans ready for either defensive tactics or firearms to teach the next week, led to me always reaching that burnout line, as I didn't want a failure of a case because only $10K in drug money was seized, or the drug dealer's car was only a Camaro and not a Mercedes. Unnecessary stress. Half of it self-induced.

Couple that with expectations from multiple agencies that I worked with, that I was doing all of this at higher levels than anyone anywhere, that everyone believed that I could just keep going forever. Doesn’t work that way. This is where I repeat myself; know your limits because no one else will, or few (if any) will care anyway. Your warm body will be replaced by another warm body when you leave.

I have never been approached with advice or support or suggestions or offers to take some of the burden, so I quickly learned that it is up to me to recognize where my pain threshold is and to take proactive measures to not cross that burnout line. My suggestion is that you should never expect anyone to tell you that you need a vacation. You have to check yourself constantly. Consider yourself lucky if someone else tells you that you need a break. And take the advice because they may see something you don't.

Did I mention that family saves the day? Family and friends are my cure all to burnout. When any of them say, ‘Hey, you should take a vacation’, I take it to heart and take time off.

I have seen the Infosec community only in a sliver of time and space, much like peeking through a fence at a football game for one play, I only see a bit of the game. I haven’t worked everywhere or with everyone, but I certainly see some of us get burned out, frustrated, and even leave the profession for something else. With self-management, we can reduce this exodus, extend our joy of working in this field, and be productive by solving problems. More important, we can be better humans and be happy.

I don't want to give the impression that I am advocating being lazy, or not working hard. Quite the opposite. I have learned that when managed properly, you can be a star player and still take vacations, and still not work yourself until you are delusional. Key point: Being a star player means taking care of yourself.

As far as being better humans, one of my primary goals in life is removing the worst humans from my life. If someone is not supportive, or always negative, then I don't want to be near that person, online or in real life. The Internet has made the few worst of us affect the whole lot of us, with negative tweets or shares, lies, allegations, and just plain meanness. They will never go away, so as the saying goes, don’t feed the trolls. A method I believe in: mute them. Block them. Ignore them. Don’t engage them. There is no other way to be less affected by the ugly on the Internet without excluding the Internet completely.

Be vigilant

I look for burnout in others. And dude, if I see it, I am on it like no one’s business. If it comes down to me just giving a hug, a pat on the back, or having a serious sit-down, I do it on the spot. Consider that if you see burnout in someone, that is a problem. You are a problem solver. Go solve that problem. You might end up doing more than just saving someone’s job.

**May 15, 2019**

Relevant video, well worth the watch.


DEC 19

Break dancing does not increase officer safety.

Posted by Brett Shavers
in  Digital Forensics

Call me paranoid. It’s okay. I’ve been called worse.

Nothing I am saying in this post will harm officer safety and actually should increase it. The public needs to tell cops to stop being online marketing tools. PIOs choose to be public figures, but the everyday patrol officer is a law enforcement officer, not a marketing tool. Officer safety is the responsibility of the individual officer, but it helps if others remind each other of the pitfalls of police work when sacrifices in officer safety are seen.

The Internet is a boon to law enforcement investigators. I started in police work before Microsoft Outlook for MS-DOS was released, which means, the Internet really was not an integral part of police work.

Introducing Google Earth and Brett’s eyes opening wide

The first time that I realized that the Internet may be pretty cool for police work was when I was on SWAT and attending a search warrant briefing where the team leader used Google Earth…I sat there thinking, “Oh my. This is so cool.” Practically every SWAT raid used some form of Google Maps or Google Earth after that briefing. That was really cool for officer safety.

Then I went into detectives (narcs, vice).  Of course, the basic Internet investigations at the desk were cool, but being able to lug a laptop in my undercover car on surveillance with Internet access, and having direct and immediate access to lots of alphabet resources like DMV/DOL, WACIC, NCIS, HIDTA, and the usual public Internet research tools outside the office…“Oh yes. This is so very cool.”

And then I started ‘running informants’…

I developed and managed over a hundred informants in my career. That’s a lot, but not all at once. Some were one-case wonders, some were can’t-put-together-a-ham-sandwich informants, and some were star players. Out of those 100+ informants, 3 were kidnapped while working for me. I have to use a cliché because there is no other way to say it, but they were each beaten within an inch of their lives. One was held hostage for three days in a basement in an abandoned house…and tortured. Because they were not cops, and they each kept their wits and never admitted to being informants, they were all let go. This is from 3 different cases involving 3 different and violent organized crime groups. Had they been cops, and had public facing social media accounts, it would have turned out differently. *SIDE NOTE* These 3 informants were star players, kept working with me in the cases, and helped me turn three self-initiated cases into full-fledged, successful OCEDTF investigations.

But then I started working undercover…

A friend of mine in another agency told me a story of how he forgot to bring his undercover (fake but real) ID with him on an undercover op the month prior. The targets wanted to meet at a bar, which requires….you guessed it, an ID check. Rather than say that he forgot his wallet, he used his real ID and covered up as much as he could to just show photo and date of birth.

Less than twenty minutes into the undercover meeting, he was outed as a cop in the bar. They claimed to have his real name and agency. And they were correct, all because of an Internet search of the information that he didn’t cover up. He was lucky that he was in a public place with targets that didn’t want to kill him.

I’m getting to my main point a little further in this post, but I want to give more supporting info first.

There are many stories I can talk about to drive officer safety points home. Although I was a use-of-force instructor (defensive tactics and firearms), the officer safety methods that I also pushed were non-physical, and I carried this over to undercover work.

One of several eye-opening experiences I had was being in a room full of criminals in an OC case where someone in the room was on the phone, asking for information on a name. After the call, the guy using the phone told another guy in the room about the guy’s name he asked about on the phone.  The other person on the line gave the date of birth, full name, home address, and arrest records of that name. Later, we found that the name had been run through DOL (DMV) and NCIC by a local police department. This criminal group had an ‘in’ with that police department, which turned out to be social engineering through a criminal third party, but nonetheless, they had someone who had social engineered their way into law enforcement records. They had the information in minutes, way faster than the public records check story I mentioned earlier at the bar.

I have more stories like this than I want to have had, but the type of people in this particular room drove the point of officer safety home much more clearly than any other. I was unsure if my undercover ID would have been enough if they chose to run my name. The thoughts I had at the time were, ‘how many bullets do I have on me’ and ‘do not let anyone behind me’ and ‘where is the nearest exit’ and ‘if the fight starts, stay in it, be in it, win it’. Technology is wonderful….

So when I teach this sort of thing (OSINT/Internet Investigations) to cops

In LE-only courses, I give more details on the cases I worked and the close calls. And I show how to background someone suspected of being a cop or an informant, in a manner that criminals do it using both public-only resources and public+private+govt resources (in case of corrupt or compromised govt employees).  In one class, I was questioned about the effectiveness, and the officer questioning me asked to background him. Against my suggestions, he pushed it, and so I did. Using just his undercover ID and supporting ID (other things typically used to prove an ID), I found him online. And his home address. And his agency. And his social media. And his family. And his daughter in college. And her apartment. And photos of her and her car. And the location where she will be on the next Friday night. The officer stopped me at that point. We did this together during the lunch break and used some of what we found in the afternoon for the rest of the class.

Here’s the point, and it applies to non-LE too

The photos that you post online are going to be the cause of problems. Let me say that I know that everyone will still keep posting photos online. That’s not my point. I have been accused of being a cop while undercover, but there was not a publicly available photo of me anywhere. Well, there were some physical photos in a few public places, nothing you could find online. The odds of being identified are much lower when a photo can’t be printed and held up to your face while you are in a small room with locked doors and everyone has a gun.

The bigger point that I want to make is that the current philosophy of law enforcement today is to encourage police officers to be active on social media, to be involved in every public event, to get dunked in buckets, break dance in parades, and make music videos. I understand the intention to have police look to be involved in the communities they serve, but I’m telling you that this is not the way to do it.

Using cops as agency marketing tools sacrifices officer safety in ways that can never be remedied or fully felt until something bad happens. These photos and videos are forever! Young officers who are active online socially (personal life) and online with agency encouragement, or worse by requirement, have practically ended any undercover work in their future and have placed their families at risk. It is virtually impossible to be invisible today. The extent of personal information that is publicly exposed, on purpose, will be used by criminals to harm law enforcement officers and their families. If not harm, it is wholly possible to compromise an officer using information found publicly online. Anyone, and I mean anyone, can be compromised by being groomed either in the short term or long term if their life is open for public inspection. Grooming isn’t just for kids. I groomed many-a-criminal to be informants, either as witting or unwitting informants.

More to my point

Hey police agencies, maybe you want to take a step back with all these music videos and break dancing in the streets for photo ops. Do you really want to sacrifice the safety of your employees and their families because dunking the officer in a bucket of water on Facebook makes police work more effective? The community knows if their police engage in the community or not, regardless of whether an officer is on YouTube doing the moonwalk or skateboarding. The job is already hard enough.

For the cops out there, come on now. Think about it. There are sacrifices to make when you are military and law enforcement, and one of them is controlling your social media presence. No matter how ‘nice’ you are to every person you arrest, you are at risk from someone who doesn’t care how nice you are. They may only care that you arrested a family member, and now they may want to hurt one of your family members. Why make it easier for them? Why have your spouse be followed home from work by suspicious cars? Or strangers approaching your kids telling them to say hello to their Mom or Dad by name?

And for the non-LE DF folks

Don’t think that I forgot about you. Some of the cases you may be working on in the private sector can have the same safety issues that law enforcement has. Just one example of a CIVIL case I had was that the defendant in the case had everyone terrified. He wasn’t diagnosed as mentally ill, but he was clearly dangerous, threatening, angry, and had the background to back it all up. I think I was the only armed person working that case…

The inspiration for this post… https://pimeyes.com/en/



© 2022 Brett Shavers