DFIR Training Blog



Be careful to not judge the world only by the sliver that you see

There comes a time in this line of DFIR work where any of us, or all of us, stand to make a judgment on what the world of DFIR is as it relates to our work. Be prepared for this to happen to you, but don’t let it.

No profession is immune to its practitioners' perceptions bleeding into their outlook on the world. For example, law enforcement officers who work a particular type of crime may begin to see the world stained by that crime, such as those working the digital forensics end of child exploitation cases. Narcotics detectives go through the same thing. Practically everyone that a narcotics investigator will contact (outside of law enforcement) is somehow related to the drug trade, which tends to color their world as one contaminated with drug traffickers.

In the DFIR world, working any type of case or incident will eventually lead you to believe any number of things that may or may not be accurate. If you are hired to respond to security breaches, then you will only be seeing breaches in your line of work and may start assuming that everyone is doing it wrong. But you are only seeing the sliver of those doing defense wrong, because someone doing it right probably won’t call you…

This is because you are looking at your line of work as if you were watching a football game from behind a fence, between two slats of wood. You only see a sliver of the game and are missing out on everything else.


Do not believe that this cannot affect you, even if you “just” work civil cases. I say that not to dismiss civil cases, but to stress that everyone is susceptible to seeing a sliver of the whole and making uninformed decisions. The danger is that when you begin to believe that every case (civil, criminal, or internal) that you have involves some sort of wrongdoing, you will start down the path of having preconceived notions that can affect your analysis and your conclusions.

The day that you pick up a hard drive, an image, or a file and automatically assume that “bad stuff” must be on it (otherwise, why would you have it?) is the day you have to sit down and reflect on the big picture, not the sliver of the whole, and get your mind back to where it belongs. Don't be a hired gun; be a neutral, disinterested party, focused on the truth of the matter based on the evidence you found through the clues that led you there.

Easier said than done.

Here are a few things that I do to keep me focused on the facts of the case, and outright remove preconceived beliefs or notions that can creep into any case:

Assume that others have preconceived beliefs and expectations about what “should” be found in the data, and do not let those expectations affect you.

*  Plaintiffs and defendants need evidence to support their arguments, and typically believe it to be in the data that you have. You don’t need the data to do anything except to tell the story as it sits, as if encased in amber, unchanging and unmistakably clear. The data tells the story, not you.

*  Listen to your client’s story, but search for the truth. Trying to prove their story may guide your work to fit their story, which may or may not fit the facts that you find, and may lead you to subconsciously overlook facts that don’t fit the client’s story.

*  Know from the beginning that you may have to give bad news to the end client (prosecutor, defense attorney, etc…), because the data may paint a completely different picture than they expected. I tell clients this upfront: whatever I find is written up as I found it, regardless of whether it is helpful or harmful to the case.

Assume that you may find no worthwhile data at all

*  If you can’t find the evidence, and you looked everywhere using everything you have, it’s probably not there.

*  If you didn’t find it, then that’s all you can do. Maybe you missed it, maybe it’s not there, maybe it never was. You may never know. But you know that you didn’t find it.

*  Accept this from the beginning, before starting any work. You may have a ‘nothing hard drive’ as far as evidence goes. If you assumed that something must be on it, you could look for years and start finding things that aren’t evidence at all, but try to write them up as related, to prove to yourself that something must be on the media. Either it is or it isn’t, and you won’t know until you look. Don’t assume one way or the other before you even start.

Remind yourself of the big picture

*  If you live and breathe your work, your life will become your work, and everything you see will be judged by that. Look at the big picture. Not every company does bad security. Not every person is a pedophile. Not every computer has bad stuff on it. It is just most of the cases that you work. The world is bigger than that.

*  We tend to think that we (as in “me” or “you”) are the only people who do this stuff right. Anyone else we meet, well, they don’t know what they are doing. We believe this because when we meet others, it is usually during times of disaster to fix things that are broken or find the bad things that a bad person did. When you do this a lot, it feels like everyone must be incompetent or bad, when in fact, most everyone is doing a good job and knows what they are doing, and are good people. We just see the storms, not the daily grind that everyone does for their job to keep things working.

Expecting the worst, every time

*  When called for a case (or whatever it is you get called to do), do you cringe because you know it is going to be bad? This is a sign of preconceived notions. Even a 1am call with a panicked person on the phone only means that there is a panicked person on the phone. You have to figure out whether there is reason for panic, and not expect the story to be exactly as it was told to you in the beginning. You are the detective (or the firefighter) who figures out the story, not someone who relies upon someone else’s version of it.

*  Any call to do anything is just the first step in figuring out what happened. Regardless of what someone tells you when you don’t have the facts, assume nothing until you get your hands on the data. Your final product will be cleaner and more accurate that way.

Build your reputation as someone at calm with the world, whose decisions are based on the facts that you find

*  Screaming fire when there is no fire is not the sign of a professional. Likewise, declaring that bad things happened on a computer when there are no facts to support it removes any doubt that you are not a professional. Speak to the facts, and give your opinion when asked. Remember that your opinion is based on the facts and on your personal experience, training, and education. Opinions based on emotion are personal beliefs without basis in fact, which means that you are going to be wrong.

*  Focus on being the person who, if given electronic storage media, (1) will do your best to find the facts, (2) will give the facts as they exist in the data, and (3) will keep your opinions to those facts. This directly affects attribution claims, user-activity allegations, and any conclusions you draw from the facts at hand. You can’t testify to something of which you have no firsthand knowledge, so keep it to what you personally know.

Remember, when the world is on fire, people want answers to fit their beliefs. Don’t fall for that.

*  It is so easy to be pressured into doing a quick job and finding just the facts that fit the allegations (either to prove or disprove them, depending on who hired you). Time may be short. People may be yelling. The world may feel like it is on fire, but remember: the fire drill will end, and that is when everyone who had been yelling at you to hurry will ask why you rushed and didn’t do a perfect job.

*  Unless you are getting shot at or bombed, take the time necessary to do the best job that you can, knowing that the same people demanding that you do a rush job will be the same people complaining later that you did a rush job. Re-read that part again.

The point of this is a friendly reminder: if you work in a field in which serious decisions are made based solely, primarily, or even partially on your work, do a good job. Someone’s business, safety, livelihood, or liberty is at stake, and you need to get it right.

Remember that you are looking at the field through a slit in a fence and not seeing the whole picture. Pull out the canvas and brush. Paint the picture using facts, and let the facts of what you found tell the story as it happened, so that everyone can see it for themselves and it cannot be disputed, because the data is what the data is. Don’t make it otherwise.


Written by: Brett Shavers
