Brett's Ramblings


The most neglected skill in DFIR is….

The one that is just as important as any technical skill: The DFIR Investigative Mindset. Personally, I’ve been harping on this concept since 2013. It has been written about as early as 2005 as “investigative mindset”, and written about using different names before then, such as “investigative spirit.”

But targeting DFIR specifically, this is a recent concept of encouraging practitioners to work on this skill no differently than working on any technical skill in DFIR, or any job under the broad cybersecurity umbrella.

If I were to visualize how we work to gain competence, it would be like shopping in a store, picking up the skills off the shelf that we think we need. We grab a bottle of “forensic imaging” and put that in our cart.  We pick up a 6-pack of registry forensics skills, maybe a sample bottle of lnk file analysis skills, and if we have some extra pocket money, we get a big box of Windows forensics analysis skills.


But nearly everyone walks on by the entire aisle of DFIR Investigative Mindset without even looking at the ingredients.

Why is that?

I guess it is because the mindset is not glamorous or “sexy”. It doesn’t carve data. It doesn’t have a dark mode or flashy icons. You can’t even see it or plug it into your computer! Then, we “think” that we already know how to investigate. Maybe that is because of watching crime dramas, which by any measure is the worst way to learn much of anything other than being entertained. Just ask any juror what they know about how forensics works and you’ll see what I mean.

My two cents

You should focus on this mindset if you want to round out your DFIR competence. If you want to be better than your co-worker, better than your competition for a job or promotion, and certainly better than the opposing expert, you should seriously consider working on this skill.

Yes, this is a skill.  You have to learn how to use it, practice it, and master it. Or you can ignore it and always be second or third best, at best.

Here is an interesting stat: Research shows that being proficient in this mindset increases effectiveness by 1% up to 40%.  Imagine improving your overall DFIR competence by even 1% with nothing more than improving the way that you think.


I just wrapped up two webinars that had quite a lot of sign-ups from all over the world (some didn’t show up and missed out!). I gave a special offer at the end of the webinars for a live, formal course in the DFIR Investigative Mindset and the course was full by the second day. Probably the extra stuff that I put in the special offer had some influence, but I like to think that it is because these first folks want to excel in their DFIR casework.

After both of these webinars, I had a half dozen conversations via email and a couple of phone calls from attendees who wanted to talk about this class and topic before signing up (they all missed the boat to sign up...).

Here is the gist of the conversations. I’m not saying anyone is right or wrong, or that I disagree, but these are some of the comments:

  • Will this get me hired?
  • This is taught already in forensic training courses, right?
  • Isn’t this what I do already?
  • I have “x” years in law enforcement, so what is different that I need this?
  • Why is everything so expensive in this field?

On the getting hired question from one person working to get into DFIR, my recommendation was to learn the technical DFIR skills first: learn how to do forensics, then come back to how to investigate. You can’t work construction if you don’t know how to use a hammer and other tools. Once you learn how to use the tools, then you can learn to design an entire house, then a commercial building, then a space shuttle. Learn the physical skills and then develop your mind to do everything.

As far as being taught already, I can say from my personal experience of a thousand+ hours of classroom training that very little about mindset is taught overall. Specifically, there is no training on a DFIR investigative mindset, other than maybe an hour of instruction in an entire BS degree program. Nearly all law enforcement investigation courses, like homicide investigation, are simply checklist instructions on how to investigate. Check for this, check for that, and very little on how to think or how to think about thinking.

Those who do have a mindset of investigating are still missing a lot if they are only learning by trial and error, which means lots of mistakes to remedy and suffer from, and never learning some key concepts. This includes those in law enforcement who have assignments in “investigations.” The school of hard knocks is not fun and can’t be avoided, but you can make the knocks a little softer.

Oh yeah, the question on why everything is expensive in DFIR…my answer was that it is what it is, and probably this is a good thing. If it were completely free to learn all you need to work in DFIR, then how valuable is that information? How much effort do most people put into “free stuff” when there is no incentive to treat it preciously? Yes, you can learn almost everything for free, taking the long route, learning some wrong things, and missing some important things.

But when you invest in yourself, or your organization invests in you with an expectation of getting a competent employee, you take it more seriously, and you learn. If you spent $1.50 for an umbrella at Disneyland because of sudden rain, you will most likely toss it in the trash at the end of the trip. Why? Because it was cheap. It kept you dry, but it was cheap.

But if you had to spend $50 for an umbrella at Disneyland, I bet that you would not throw it away, and you would probably take care of it for a long time. You invested in an umbrella; you didn’t just buy it or find it on the street. It was probably better made than the cheap umbrella too. Think of when you went to an expensive restaurant. Same concept. Food is great because of the care to prepare it and you enjoy it more by focusing on every bite.

The same goes for DFIR training or any training and education. Let’s take SANS as an example. SANS puts out hours and hours of great content on YouTube. The videos are relevant, pertinent, and practical. Yet, reflect on the last time you watched one of the videos (maybe it was yesterday or this morning). Did you focus intently the entire hour or two hours? Did you take notes? Did you turn off your phone? Did you not check your email during the video? Or were you distracted by watching Netflix on another monitor, sending emails, playing a video game, or just having the video play in the background as background noise?

Compare that with paying $6,000 or more for a SANS class, especially if it came out of your pocket and not your organization’s account! I assume that you will soak in every minute. You will learn. You will take notes. You will remember. You will put the training to use. And you will not regret the investment because the return is so much greater than watching SANS on YouTube. Free or cheap generally means free and cheap, and we treat it as such intentionally or unintentionally.

Have you ever registered for a free webinar and didn't watch it? How about registering for a class that costs $3,000? Would you skip that like a free webinar or free online class?  I am beating this dead horse to make a point that to invest in yourself, you usually have to force yourself to treat your investments wisely.

My opinion on self-learning and classroom learning

Self-learning is mandatory in this field and probably mandatory in every job you can think of if you want to improve. Self-learning is one of the best ways to learn as you physically are involved in the act of researching information and mentally will remember better.  However, it is the slowest and most painful way to learn. This is like hitchhiking across the country with an out-of-date map and no money. You will go the wrong way sometimes, trust strangers for help, and eventually you might get there. But it will take a long time with lots of bumps and bruises.

The classroom (if the content is practical!) is a shortcut for getting from Point A to Point B in the fastest time possible. It is quite literally being told the answer. This would be like buying a first-class ticket to fly across the country. Buy the ticket, take a seat, and relax. You will be there in a few hours.

With a training class, including from a software vendor that only teaches their tool, once you go from Point A to Point B with the formal instruction, your self-learning can take you from Point B to Point C and beyond. Every hour of formal training shortcuts your overall travel time in learning. I am sure that after you finished a class in your favorite forensic software, you learned to do even more with it by self-learning in practice and casework.

If you only learn by self-learning, you will be behind those who put effort into classroom learning and bolster their classroom knowledge with self-learning.

The only DFIR Investigative Mindset training course on the planet

I’m going to push this concept forever, or at least until it is a mandatory subject in every DFIR degree program, listed in job advertisements, and an expected skill in DFIR. I’ll keep teaching this mindset until the cows come home because I sincerely believe it is equally as important as technical skills.

If you want to be one of the first to be notified of the next scheduled class, submit your email here, as I will have another one scheduled about a month after this one (March or April). It is a live class, so seats are limited because it is interactive, to force learning (so you get more than what you invested!).


If you disagree with this concept being a mandatory DFIR skill, I am open to debate. One reason is that I think that I am right based on the past years of researching this subject and my experience. But more importantly, I want to know if I am wrong by seeing evidence to the contrary. I would rather be proven wrong than think I am right when I am wrong.

And a book

I’m about to wrap up a book titled (guess…) “The DFIR Investigative Mindset” and it should be in print by March at the latest. I’m shooting for February. The tech editor is an active LE forensic investigator. The reviewers are PhDs teaching forensics, active LE forensic examiners working amazing cases, former LE working incredible civil cases, and outstanding private forensic examiners, all of whom have worked on perfecting a DFIR Investigative Mindset in their careers. I might ask for one more reviewer, but I'll see at the time.

A note about this book…

This book is volume 2 of the Placing the Suspect Behind the Keyboard series. Vol 1 of Placing the Suspect Behind the Keyboard should be out toward the end of this year, which is an entire year behind due to casework and some exciting projects that I couldn’t turn down, much like tossing a bunch of toys toward a Golden Retriever puppy. The good news is that some very cool contributors and sponsors hopped in to make it a good DFIR book in working a case from front to back.

