DFIR Training Blog



You’re not really doing forensics if you’re not doing forensics

I had a neat opportunity to speak on The Many Hats Club podcast this week. Thanks to @cybersecstu for the invite!

One point that I brought up in the podcast, which I know is going to rub someone the wrong way, is that ‘you are not really doing forensics if it is not a legal case’.

What I mean by this is that if someone works in DFIR (as in anywhere in the field of DFIR), and the work they are doing has absolutely nothing to do with a legal matter, or potential legal matter, and will never see a legal complaint regardless of what is found in the data, then it isn’t really forensic work. Before the darts come at me, hang on a second and hear me out…

Definitions matter

“Forensics” generally is meant to apply to “legal”.

On top of that, “evidence” is also meant to apply to “legal”.

Just my personal opinion: It ain’t forensics if it ain’t a legal matter.

Some may be really hot about my opinion and ready to throw the darts that I am wrong, because you believe that you are doing forensics even though you have nothing to do with any legal matter. My intention is to split a single hair, not to set someone's hair on fire.

But here is the thing: I agree that the methods, processes, principles, tools, and intentions are, most times, nearly identical. Meaning, if I do ‘forensics’ in a legal matter and someone else does the identical procedures in a non-legal matter, the physical actions we take may be exactly the same. The primary difference is that in one instance, legal evidence is being obtained to potentially be used in a legal matter (civil or criminal), and in the other instance, it is not. Even though the actions, training, skills, procedures, and processes are potentially exactly the same, one is forensics in the true sense of the definition and one is not.

I would go so far as to say that most of the work in DFIR is forensics, in that practically anything can become a legal matter. However, I know that this distinction is not lost on attorneys or clients. Some clients or bosses demand that an incident become a legal matter (when it isn’t), and some demand that an incident not become a legal matter (when it is or should be). If you work in government, pretty much everything is going to be a legal matter, including national security and military operations. Even though national security work rarely sees an open court (same with military operations), the DFIR work is forensic because the work (covert ops or combat) is basically a legal case.

For me, when I am getting paid to touch devices or data, I know up front if I am working a legal matter or an internal issue. My physical actions are always the same to meet forensic standards, regardless of whether there is potential for a legal case to develop or I am just looking at a terminated employee's laptop. The actions are the same, but one is ‘forensics’ per definition and the other is ‘forensics’ only because the processes may be the same (which is not forensics by definition).

Some work that I do is by definition 'forensics' and other work is not. You can't tell the difference by the processes I follow, but there is a difference by definition.

To the point…

If you work in the DFIR field and have never had the opportunity or misfortune to be involved in a legal matter, you can easily move into the legal side of things with experience if you do your work using forensically sound methods in non-legal cases. Do the work as if you know, without a doubt, that you will be served with a subpoena to testify to everything you did. Do it right. Write it up. Every time.


Written by: Brett Shavers
