Brett's Ramblings


DFIR is a mindset, not a skillset.

I recently posted a webinar on the DFIR Investigative Mindset, which is a snippet of a program I’ve occasionally taught internally over the past years. 

I distilled a major component of the DFIR Investigative Mindset for this post into seven words:

DFIR is a mindset, not a skillset.

That is pretty much all you need to know about getting into DFIR, excelling in DFIR, getting promoted in DFIR, achieving your highest potential in DFIR, and hiring people in DFIR. It fairly well sums up what I teach.

There are so many courses that I’ve taken that focused solely on a tool or a set-in-stone process without ever touching on problem-solving. The practical exercises are almost always perfected by the trainers beforehand, and everything works perfectly. Students walk out of classes thinking they know the buttons to push and all cases are solved.

Students then learn afterward that they must be doing DFIR work wrong because of the problems that continually pop up, totally unlike the training!  What they fail to recognize is that DFIR is a problem-solving field. Obstacles are expected to exist in every engagement, to the point where if you don’t have any obstacles, you probably missed them! This is a training failure point. 

I screwed up, a lot

In terms of the number of hours of professional training that I have taken, I stopped counting at 2,000 hours. In none of those courses did any instructor outright say that they had made mistakes, still make mistakes, or that mistakes are allowed in order to learn. It should be the opposite!

Side note: I do not advocate making mistakes intentionally so that you will improve! I advocate trying not to make mistakes. You will make mistakes and errors anyway, no matter how hard you try!

Anyone competent enough to teach a skill should be confident enough to talk about the mistakes and errors that they have personally made in that skill. Any person who claims to be free from errors and mistakes is not credible to teach, because they have either not learned or not tried to do what they are teaching, or they are not being honest.

At the Magnet Forensics summit in Nashville, I crammed two decades of my mistakes into an hour. I could have rambled on for another two weeks straight without a break, but an hour was more than enough to prove the point.

Note: making mistakes and not learning from them means making the same mistakes over and over again. 

My objective in this keynote was to have everyone breathe a sigh of relief that their mistakes are okay, expected, and are needed to improve, but only if they learn from the mistakes each time that they will happen.

Kudos to Magnet for allowing such a keynote of errors and mistakes!

If you shy away from talking about or admitting to your mistakes because of embarrassment, I give you permission to use me as the example of having already made that mistake for you. I've already copped to it, paid for it, and moved on. You just need to hop onto my errors and you can move forward too.

Figure it out

I wrote about figuring out problems a few years ago, and I still believe this is the most important skill to have over absolutely anything else. If you cannot solve problems, you are worth only as much as your ability to follow a checklist in a process that never has problems. But if you can "figure anything out", your value is near priceless.

Practice until you get it right and then practice until you can't get it wrong

Practice does not make perfect. Perfect practice does. With every key that you press on the keyboard, be mindful of what you are doing. Do it better each time. Be aware of what you are doing. You should not be on autopilot when dealing with data in a DFIR case! Just like driving, you have to be aware of the obstacles, distractions, and unexpected disasters just waiting to happen.

When your perfect practice makes perfect, your errors will be minimal, the impact on your cases will be minimal, and you will have good learning experiences. When you are lazy, apathetic, or complacent, your errors will become mistakes and the learning will be painful. That is, if you choose to learn from them. Otherwise, this is a career of constant pain and stress.

The DFIR Investigative Mindset

Through the plenty of failed investigations that I have had, the one thing that leads to successful conclusions is being able to figure out solutions to obstacles using whatever means are at hand. That is also how I teach the DFIR investigative mindset, and how I prefer to be taught. Teach me the why and I'll be able to figure out the how in any given situation.

It is true that the more tools you have in your toolbox, the more problems you can solve, and the more difficult the problems you can solve. But you need to have an investigative mindset first; otherwise, your tools are as useful as a hammer to a fish.

When your brain is turned into an investigative mindset, you see everything differently. Distractions are blocked, attention is focused on seeing (and observing!) evidence, and inferences scream out to you. To the outsider, this looks like magic when you solve the unsolvable, or solve cases in half the time because you can see the totality of the circumstances and the specifics of an incident.

Practical vs Academic

Everyone who has heard me speak knows that I am not an academic. Although I have taught graduate-level programs, I have never taught the academics of digital forensics (which at times irked the schools). I appreciate academia for giving practitioners incredible information in this field; otherwise, practitioners would not be as incredibly effective as they are today. But as for me, I appreciate practitioners teaching practitioners what they need to do, both physically and mentally, to do the job and succeed.

Get your brain into a DFIR Investigative Mindset and you can learn anything in this field, do anything in this field, solve any problem in this field, and look like a magician to everyone when you accomplish the impossible.
