Being Naked in Digital Forensics

Most of us want to be good at DFIR, no matter what small slice of the DFIR pie we do. We take training. We read. We theorize. We test theories. We do the work. But we become stagnant no matter how much more money and time we spend on training and education. This is because we keep to ourselves.

We want the same thing: to do good casework!

But we don't talk publicly about our failures. We are so good at not talking about how we screwed up a case or went down the wrong analysis path that we think everyone else is perfect and we suck.

The truth is that we all mess up. Some of us make more errors than others (that would be yours truly!), but by keeping our mistakes and errors to ourselves, we prevent truly learning from them. But who can blame you? The moment you talk about any mistake, the odds that you get called out for being 'dumb' or 'incompetent' are pretty high. Some will laugh at you, even though they would never admit to making the same mistake. Others will try to discredit you, especially opposing counsel in your cases. It is no wonder that it seems everyone knows everything and is error-free! We don't hear about any mistakes!

Cred to Magnet Forensics for allowing my keynote topic

Magnet Forensics gave me the opportunity to talk about mistakes in DFIR, particularly my mistakes, in front of a huge crowd. There was music, big screens, and bright lights on the stage for me to "brag" about my mistakes and errors in DFIR. Luckily for me, it was only an hour because I can make an 80-hour course on how many times I have learned through the school of hard knocks.

My primary goal in the presentation was to show that we all make mistakes, that it is embarrassing to bring them in the open, and it is even risky to let opposing experts have something to attack you later in legal casework. The secondary goal was to show that if you want to be better than the next person, the only way is to be transparent in what you know, and what you don't know, and that you are not only human in making mistakes but an expert because you learn from your mistakes.

Learning from your mistakes (and not repeating them) is the number one indicator of constant and continual improvement. It is not taking a training class, not getting a degree, not posting on social media. When you prove your theory wrong, and you accept the results, you learn more than just being wrong. You learned that you can self-correct and move forward.

When you make an error or mistake and suffer from it, the pain from that mistake is burned into your brain to never do that again. Avoidance of pain is a powerful motivator. Pain includes public embarrassment, especially if you are an introvert, which many of us in DFIR are. That includes me. And we tend to keep these to ourselves. We don't talk about it. We don't post about it. We hide it.

Back to the Keynote of Mistakes

I picked only a few of my mistakes and errors that I assumed many others had also made. If any of these are ever used against me in a trial, I am fine with it. In fact, it was because of a recent trial where a defense attorney tried to use my publicly written words (from over 10 years prior!) against me in testimony that I learned not to worry about that tactic.

The timing for me to talk briefly about this at a keynote (at Magnet Forensics in Nashville no less!) was excellent timing. So, I virtually got naked by talking about my mistakes and errors to illustrate we make these mistakes, but this is how we excel in competence. To hide or deny making mistakes is not a sign of a scientist or analyst or investigator. It is a sign of someone who appears to not be able to learn from mistakes which is the opposite of what you want.

Right after the keynote, several came up to me and said that they were glad to hear of my mistakes because they made some of the same ones. For days afterward, I was emailed by others with the same statements. Some even gave me examples of their mistakes that they learned from!

Do not fear mistakes being used against you, unless you never learned from them. Be brave in writing, posting, publishing, and speaking about what you know. If you are proven to be wrong in something that you thought to be true, gracefully accept it and improve.

That is the sign of becoming competent in DFIR. 

My opinion of the Magnet Forensics Nashville Summit

The Magnet team puts on a great conference, from the venue to the evening events. It felt like a team-building exercise where all the attendees were part of the Magnet team.  Nashville is an awesome venue to have any conference by the way.  The music experience is everywhere.

I grabbed Jad as he was on a mission to go somewhere and gave him my honest opinion of Magnet Forensics and of the summit. I let him know that he did an amazing job of growing Magnet Forensics and the summits that Magnet has been putting on are fantastic. Although this was my first time meeting Jad, speaking with him,  I knew that he made a lot of mistakes. I know that he must have learned from all of them because of how much a little shareware app has grown to become a driving force in DFIR.