Brett's Ramblings


The key to DFIR mastery

Have you been spending years and thousands of dollars on training, earning certifications, getting degrees, testing tools, researching, and writing blogs? Have you been frustrated, stressed, and overwhelmed in searching for the mystical golden key to DFIR mastery?  

What else can you do? What is this key to DFIR mastery?

Hint: You will realize the answer only if you are open to it.

Impatience slows it. Arrogance delays it. Ego prevents it. Humility and open-mindedness allow it.

I have always believed and repeatedly said that a great artist like Picasso can create a masterpiece with a simple paint-by-numbers kit. Creativity involves inventing, building, developing, or innovating something new or finding a solution to a problem using any tools at hand.

In DFIR, science is straightforward. A registry hive is a registry hive. An LNK file is an LNK file. You know what should exist on a device, how it should look, and what it should do. You can push buttons, write and run scripts, and navigate data as easily as putting on your socks. If there is a technical task we don't know how to do, there is a book, manual, video, blog, or training course that tells us exactly how to do it.

The hard part is the art (but this is still not the key!)

We often forget that even in science, there is art. Science exists because of creativity and inspiration. Hypotheses are born from creative thinking and tested by the scientific method.

I have worked cases with investigators who always seemed to have the answer, even in the most complex, international, multi-faceted, and multi-criminal cases. They remained calm and worked as if they had done it a hundred times before.

When I asked how many of these types of cases they had worked on, the answer was always, "This is the first one like this."

No one could explain how they made decisions and guided these complex cases to success, even when obstacles arose. I thought it must be their training, so I took every training available, pursued higher education, read extensively, and applied everything to my casework.

Here's what I found:

It's not a training class, college degree, or certificate. It's not writing a book or teaching a class. It's not working harder or trying harder.

It is all of these combined. To become a DFIR artist, you need it all. The more you learn, the clearer you see (observe!). The better you hear (listen!). The more you retain. All these efforts, time, sweat, and tears will develop the art in DFIR. You have the science if you can do the tech. But you need to be an artist too (and yet, this is still not the key!).

Pushing Buttons

I don't credit DFIR software vendors enough. Today's tools are almost perfect DFIR paintbrushes. They guide you on where to paint and their training tells you how to paint. The only thing tools can't do is instill the creativity needed for working a case. That's 100% up to you. You guide the direction and make the decisions in cases.

When a book or class teaches you how to examine a malicious file, it doesn't teach you creativity. It gives you the technical answer. No pill makes you curious. No physical exercise builds creative muscles.

From Tactics to Wisdom

Tactics

We must learn the tactics of DFIR, the specific methods of doing the work. One tactic might be pulling the plug from the back of a computer to remove the hard drive and create a full disk image. Tactics are perishable because they can expire over time as technology changes.

Strategy

These are the abilities you earn from practice and learning, enabling you to apply tactics. Strategies change occasionally. For example, "Software A is better for this problem than Software B." This is the next level of DFIR mastery.

Principles

These are broader solutions to problems, like "do no harm" or "preserve forensic soundness." Principles are developed through education and experience and are constant.

Wisdom

This is the point beyond knowledge. Your decisions and judgments are based on knowledge, experience, and insight. Here, creativity flourishes, allowing you to work any case. You see what others cannot and do what others only dream of.

Your mind is the golden key to DFIR mastery.

A broken record 

Call me what you will, I'll take it. If I am annoying about this one thing, that your mind is the key, it is because it is true. I've written about it for over a decade and taught it twice as long. I believe it enough that I'm writing yet another Placing the Suspect Behind the Keyboard book to push the concept.

From Placing the Suspect Behind the Keyboard, 1st Edition (Syngress, 2013)

I'll keep harping on this for the next decade as well. Because once you have this, nothing in DFIR is impossible.
