Brett's Ramblings


DAIR: Digital Analysis/Incident Response?

Pure luck?

One day on patrol, my district partner and I were having coffee on break (imagine that…cops were having coffee…) while I was watching a known high-crime corner. I spotted a drug deal, actually several, and said, "Look, a drug deal," while my partner asked, "Where?" Pointing directly, I replied, "Right there." I went over, and soon enough, we had a drug bust, with me having to break down the play-by-play for my partner, who had no clue. We both "saw" the same thing, but one of us didn't observe. The crime was happening right in front of his eyes, but he couldn't see it.

In the world of policing and DFIR, some folks seem to have the most luck at stumbling upon crimes and making solid cases. On the flip side, you've got officers who spend their days writing traffic tickets without making any cases other than the ones thrown in their lap. It seems like luck, but it is the exact opposite.

DFIR case success isn't a stroke of luck. It's about having an investigative mindset coupled with technical skills to uncover the who, why, how, where, what, and when of a case. So, why am I harping on this? Because neglecting the simple step of tying a person to a device at a specific time and place can lead to disastrous outcomes and irreparable damage to victims and their families.

I've seen top-notch DFIR skills without a hint of investigative thought. The "that's not my job" attitude has cost victims' lives and caused suffering. This is the essence of the "F" in DFIR, and I can't stress it enough, as I have personally seen the effects of doing only the technical aspects of DFIR. Maybe we should call it DAIR, for Digital Analysis Incident Response, instead of DFIR.

What makes you DFIR?

Education: Formal degrees and certificates from colleges and universities.

Training: Intense, skill-based coaching programs.

Self-learning: Informal study, research, and practice.

Experience: Real-world application.


Your education gets you thinking, training gets you doing, and self-learning solidifies it all. These elements are your keys to becoming a top-tier DFIR pro.

Now, let's talk about the missing piece. We know the drill in DFIR training and education by now, but what about your mind? Not your brain, IQ, or personality—your frame of mind. I call it the "DFIR Investigative Mindset" for a reason: it's about focusing your mind on investigating DFIR cases.

Fun fact: Most police academies and higher ed institutions don't teach this mindset. Checklists at crime scenes aren't for investigative minds; they're just checklists to prevent complacency. They also create complacency. I've never stumbled upon this aspect in any training either. Yet, it should be part of the DFIR skill set in all training and education.

If you change the previous diagram just a little and aim for this, you'll be the top 1% of all DFIR practitioners, no matter how many years you've been at it.


Why do you need a DFIR Investigative Mindset? 

Simple: you'll observe what others can't see, find clues, connect the dots, and comprehend events like you were there.

Otherwise, doing DFIR without investigating just makes you a data analyst using top-notch tech, leaving the decision-making to those who don't grasp your technical magic.

How do you learn it? Most cops don't get taught, but if they are lucky, they pick it up on the streets or by working cases with experienced investigators.

For all of us, we can read up on memory (brain memory, not OS memory…), critical thinking, decision-making, and visualization. But avoid getting your investigative training from movies and TV shows—they're pure fantasy. It takes active engagement to learn an investigative skill, which can also be thought of as an art, since it involves creative thinking.

The easiest way to learn, and the quickest and most effective, is to be told exactly how to do it as it applies to DFIR work.

Surprise, not surprise: I'm giving out two more free webinars on the DFIR Investigative Mindset, and I'm launching a formal course too. I've shared this concept, its techniques, and exercises with over 1,000 DFIR practitioners personally in classrooms and webinars, and I'm opening up more slots in my third webinar this month for those interested.


One thing about learning: there are those who know enough about DFIR and don't need any more training or education. For them, it is true that they do not need any more training or education, because they will not learn a drop more than what they already know.

For everyone else, every drop of learning counts. If the learning stops, or the choice to stop learning is made, then hopefully that is the day of retirement, because you will quickly fade into the background of DFIR effectiveness.

DFIR is a race, a friendly one, but still a race.

Want a job? Compete.

Want a promotion? Compete.

Want to be a DFIR expert? Keep learning.

Want to crack cases others can't? Get educated and trained.

Want to make tough calls in tense situations? Develop a keen observational mindset.

The hooman did it.

It was not the computer. It was a human. Every computing device event has a human origin. The human tells the computer to do a bad thing. DFIR investigations exist to find the human or humans who told the computer to do the bad thing.

In a nutshell, you're racing against your opponents who are your competitors, peers, opposing experts, and adversaries.

Don't settle for second best. My goal for you? Be 1% better than your opponent and unveil the truth, no matter who benefits from the truth.
