DFIR Training Blog
I’m going to show you how you can impress bosses, clients, and courts with your work being as professional and smooth as a well-rehearsed rangers-delta-seal-recon-swat operation.

We in DFIR use quite a few military and law enforcement terms to describe our work. From “red teams” to “battlefield forensics”, we tend to absorb the cool words to describe the work or even to glamorize it more than describe it. That’s all fine and dandy.

But of all the borrowed terminology, the most important military and law enforcement process that everyone in DFIR should fully incorporate is communication. Boring subject? Nope!

You already know that communication in the workplace is important (at home too). But I am not talking about the social aspects of communication, but rather the tactical and strategic interactions that directly affect your tasks at hand before you even start. This is the one area where we in DFIR can borrow from the tried and true methods developed by both military and police work. Not just a fancy word, but the actual method of briefing.

I’m going to use the term ‘operation/op’ as the description of any event where you alone or as a team collect evidence or respond to an incident. Every time you leave your desk or go hands-on-keyboard to handle a DFIR case/incident, you are conducting an “op”.

The short story on how to do it better with your ops

  1. Brief the op.
  2. Brief-back the op.
  3. De-brief the op.

The longer version if you want to do this thing right

I have been in more than a few DFIR operations where there was no plan other than to “seize evidence”. No objectives. No assignments. No what ifs. Nothing other than bring your stuff and seize evidence. All of these types of operations have been in the private sector and every single time I was stunned that any company operates in this manner. Mind you, I’ve been contracted many times to supplement companies for specific tasks and I have seen only a few that treat operations as if they are tactical events to accomplish an objective.

Most of the time, nothing out of the ordinary happens. Data collected. Job done. But a few times things have gotten out of hand and made for great campfire stories. Some of the amazing DFIR op disasters that I have seen are:

  1. Evidence not collected (left on site, ignored, or assumptions that someone else would do it).
  2. Evidence collected more than once from the same devices.
  3. Loss of gear (left on site).
  4. Forgetting to bring gear (left at the office).
  5. People standing around with nothing to do.
  6. People running around with too much to do.
  7. People asking questions on what to do and how to do it.
  8. People running to the nearest store to find hard drives and screwdrivers.
  9. Meetings getting called during an op to figure out how and what to do in the op.

If you have experienced any of these, this blog post is for you.

An ounce of prevention is worth a courtroom of testimony

Reduce the risk of your op problems by training your team regularly. You don’t need formalized or scheduled training to build competence as much as you need continual reinforcement of procedures as time allows. When there is downtime, turn that into training time. Even a few minutes of an ad hoc training session helps: one member of your team who has more experience in a subject gives a 10-minute discussion to the rest of the team about that subject.

Easy things work fine. Like “computer approaches” or “latest and greatest tools” or “anything that everyone should know”.  Make this a regular part of the job and eventually, it becomes the norm. When a team member is tasked to speak to the rest of the team for 10 minutes (including writing up a single sheet of notes on the topic), everyone grows and is being prepped for the next op for when it comes.

Formal training is necessary for personal growth, but unless your entire team takes the same course at the same time, your team is not being trained; only the person in the course is getting trained. That is called individual training…not team training. Team training takes place at the team level, as a team.

When the op comes, be ready!

If you haven’t prepared for it before it happens, then prepare for it before you start the op. Most of the time, we have some time for preparation. We get a call to handle the op (whatever it may be, collection or response or ?) and there is that gap between the call and when we put hands on data. Take advantage of that gap!

In the SWAT world, SWAT is almost always slow out the gate because they want as much information as possible before booting a door or throwing flash-bangs. They want to know everything in as much detail as possible. Unless lead is already flying, SWAT makes the time to get the information to plan for the op. Sometimes this can be months in advance and other times only minutes*.

The Briefing Process is an entire process

  1. Brief the op.

I bet you know how to handle any op. Seriously. I have no doubt that when you arrive on site, you can handle practically everything. But that does not mean everyone else can. The solution is to brief. Whether it be minutes or longer, brief the op. You won’t regret it.

If you ever think that you are briefing too much and with too much detail, just remember that you can’t brief too much. Try jumping out of a plane in the military without a briefing and checking of gear; you can’t. You check your buddy’s gear. Your buddy checks your gear. A Jumpmaster checks everyone. No one exits an aircraft in-flight without being briefed. The same goes with any tactical ground operation or waterborne operations. Gear is checked. Everyone knows their specific task. Everyone knows the secondary plans. Everyone knows the rally points. Brief the op.

  2. Brief-back the op.

This is a key component. This is a key component. After you (the team leader or manager or whoever is running the op) give the plan brief, you ask for the plan to be recited back to you. One by one, each person on the team repeats their task as it was given to them by you. No matter how simple the assigned task was, each person briefs back their assignment.

You will be surprised every time that someone can’t repeat their assigned task because they weren’t paying attention. Brief-backs prevent problems and reinforce understanding of assignments. A brief-back doesn’t take the length of a briefing, as it is just a confirmation of what was briefed.

  3. De-brief the op.

After your op, de-brief it, for all the good and bad that happened. Don’t point fingers and complain, but be direct. Each person should feel safe to own up to their mistakes in order to prevent future mistakes. The goal is to improve. If you never de-brief, you will continue to have the same problems.

De-brief as soon after the op as possible. If not the same day, then the next business day. Don’t wait, because memories fade and the importance fades with them. De-briefs can also result in better op plans, better procedures, and better training goals. After-action reports are awesome for improving your policies and procedures to prevent future mishaps.

The single person op is still an op

Just because you are handling an op by yourself does not mean that you ignore briefing yourself. No, I don’t mean talking to yourself, but I do mean having a plan that you create and review. When you write the objectives on paper and list your tasks, the odds of missing something greatly decrease. Each time you assume that you have everything you need or assume that you understand everything you are expected to do, you run the risk of looking like the traveling circus is in town.

Write it down or you may as well not say anything at all

Nothing says preparation like documentation. There is no need to go full blown SWAT Op documentation unless you have a full-blown SWAT DFIR op.  But you can develop a standard form that covers the most common types of cases/incidents that your team handles. Documentation sometimes scares people because it may be discoverable, which is strange to me because documenting your effort to not make mistakes seems to be much better for discovery than winging it with no documentation.

Teams and Teams within Teams

SWAT is a team of teams, meaning, within SWAT you may have an entry team, gas team, breaching team, medic team, sniper team, and so forth. These teams within the team can be a single person and also single persons who are assigned to multiple teams (an entry team member can also be a medic, etc…). DFIR is no different in that you can have a Linux team, an AppleOS team, and so on. But you must designate your people formally in the brief so everyone knows their assignment and duties.

Once the teams have been assigned, there is little if any delay to handle any obstacle that might come up during the op because everyone knows their job and assignment. Otherwise, it’s a clown show with people running around with too much to do with others standing around with nothing to do, and some things don’t get done at all. Then, if it gets really bad, the op gets stopped while everyone meets in a conference to start over.

Increase your odds of success

Failure to plan is planning to fail. Without planning, you are relying on training and experience to handle the unexpected. If a team member is short of training and/or experience, the odds of failing just multiplied exponentially. If for no other reason than to make up for a lack of training or experience, plan (brief/brief-back/de-brief) your ops for those who are deficient in those two areas. It is too late to train when the op comes, so take advantage of the briefing so that the op will give positive experiences to build upon.

Use and abuse your military/LE folks.

If you or other members on your team have military or LE experience in planning ops, take advantage of their experience. Each branch of the military has their own way of doing things, but generally, the foundations are similar enough to modify to DFIR work. Be prepared to go overboard in the beginning, but eventually, you will have a method to the madness that suits your organization.

When you have no time to plan, you still have time to plan.

Having “no time to plan” is something that doesn’t exist. There is always time to plan. Always. There is never a time to not plan. Even in police work with an active shooter scenario, there is planning. The plan might take 3 seconds to make between two officers (“I’ll take point. You take the rear.”), but there is a plan before jumping into it. You don’t need a requirement that a briefing occur in a formal setting, or that it last a minimum amount of time. It just needs to cover what can be covered in the time available, in a place that is available.

DFIR may never have a SWAT-type, life or death emergency, and although much of our work is monotonous and repetitive, we should make a formal plan for handling our responses.

Too much effort?

Anyone who believes that they are above a plan, or above having to recite their assignment that was just assigned 10 seconds earlier, is someone who has chosen to stagnate their competence.  You won’t find a military operator or SWAT member who will ever feel that they are above planning, even after a thousand operations. Attempting to reach perfection does not mean you will ever reach perfection as perfection does not exist; but it does mean constant and regular improvement in your skills. What more can you ask of yourself and your team than to be a little better every time you go out?

*When I was on SWAT, we trained 6 months for the WTO in Seattle, for as many potential scenarios as we could come up with (like hostage rescues, active shooters, etc.). None of these types of scenarios happened during the WTO, but we certainly planned for them! Conversely, I’ve been called out to a robbery turned hostage incident where the planning was showing up at the bank and immediately being put on a “Go Team”, which basically meant hoping nothing goes wrong while the rest of the team makes a better plan; otherwise, the Go Team is the team that goes with a bare-bones plan!

Written by: Brett Shavers
