Excuses to Avoid DFIR Training


Published Date
April 13, 2021

Let me get one thing out of the way right off the bat!

Take this Basis Technology course before something happens to it! #1: It is free. #2: It is taught by Brian Carrier. #3: It covers at least one gold nugget that you can use forever.

Actually, there are many gold nuggets, but I promise that at least one will make the time worthwhile. Even if Basis were to change this to a paid course, totally worth it. I’ll get into another Basis Tech course that is paid for later.

About those excuses to avoid training…

The short story is that there are few good reasons to avoid taking DFIR training. When the opportunity presents itself, you should be thinking of ways to make it happen instead of thinking of ways to make sure that it doesn’t.

Here are some of the reasons that I have collected over the years. I will admit to using some of them on occasion.

  • I’m too busy.
  • I already know that topic.
  • It’s too expensive.
  • It’s free, so probably not worth anything.
  • I am not paying for training. My employer should pay.
  • My employer won’t pay for it.
  • I won’t get anything from that course.
  • I don’t want to travel.
  • I don’t want to take an online course.
  • I don’t want to sit in a class.
  • I learn better on my own.
  • I’ll read the manual instead.
  • That topic is too boring.
  • Training is a waste of time.
  • I’m afraid that it is above my level.
  • I’m afraid that it is below my level.

The thing is that every excuse above is valid if you use it because training (specifically, the lack of it) is not going to affect anyone but you. You can take training or not. Even when you attend training, it is up to you to learn something of value, including if you are in the worst training course that you have ever seen. Your responsibility is to find something of value to make the time worthwhile. Find something! Anything!

When you stare at that registration form

Some DFIR courses are no-brainers. When you see the course posting, you have already decided to enroll. Cost be damned, you are going, come hell or high water. And you sign up right away before the class fills up.

For other courses, you tend to stare at the registration form and evaluate if it will be worth the time and resources. We can’t take all the courses, but we should continually take some courses, not only for professional development but also to keep up with the field.

With the current online training offered due to COVID-19, the availability of training that you didn’t have before probably increased 10x.  

So, staring at the registration form, the major decisions to make are:

  • Can I afford it? (Or will my employer pay? Or is it free?)
  • Can I make the time to attend?
  • Does it fit in the skill jar of what I need to learn?

With online training, gone is the dread of booking flights, waiting in airports, sleeping in hotels, eating out every meal, packing and unpacking and packing and unpacking a suitcase, taking cabs and shuttle buses, and being away from home. For some, I will agree that they prefer to be away from home and work for “training”, but that is not what I am talking about.

Why take any training at all if you can figure it out yourself?

There is a scale of effectiveness that is influenced by internal and external factors. Internally, your ability, capability, and motivation determine how fast your competence has the potential to improve.  These are mostly under your control. If you are motivated, you are well able to do anything you want to do.

The external factors include things like your access to tools, training, and teams. By “teams”, I mean mentors, professors, coworkers, friends, competitors, and anyone who can give you DFIR advice.  This is your training team. Feed them well. Treat them well. And give as much to them as you receive from them.

Access to tools usually means lots of money may be involved. Never underestimate the price of licensed software. For tools, there are plenty, and I mean plenty, of free and open-source DFIR tools that can do practically anything that you need to do in DFIR. Never underestimate the power of a FOSS tool.

Training is the other external factor where a financial cost might be hefty. And the time involved is costly in ways that affect finances as well (vacation time, time away from billing, time away from work).

Because of all of these factors, many of us (me included) tend to figure out how things work on our own. This is fine. This is expected. This should be done. This is a great way to truly learn concepts. BUT, if you rely solely on being self-taught, the money that you save will be negative in relation to time spent.

Here’s one personal example: I was emailed a DFIR question about the use of a piece of software, and I gave the best answer that I remembered from a training course. My answer turned out to be correct. The response was that this examiner spent HOURS trying to figure something out that I learned in a course years ago. That was an entire half-day wasted, trying to figure out a process and feature on a real case. I don’t know if he billed the client for that half-day of not knowing what he was doing, but regardless, he is now 4 hours behind where he could have been.

Yes, he could have asked me after the first 10 minutes, but I don’t recommend that approach of always asking someone for answers for things that should be known or could be figured out before asking, like searching the Internet…or the software forum...or taking a course…

Minutes add up

When I take any course, I take copious notes. Much of what I write, I have no idea what it may mean, but I assume one day it will be important. In every course, I learn one or two things that save me minutes on real cases. It might be a feature in a software that I would not have found by myself, or maybe a process to carve out unique data that I was doing a slower way. These minutes saved account for hours over just a few months. Those hours saved are automatically applied to more time to work on cases.

Back to Basis Technology training

If you caught it in time, the Autopsy Basics and Hands On course was free. If you missed it, it is no longer free. The course is the same, just now it is a paid course. At $495 for an 8-hour course, you’d think this to be on the higher end of the training, but this is the way that I look at training. Some courses reach close to $10K. Some are $25. Some are half an hour, and some are weeks long. Whether or not the course is worth the money and time depends solely on whether it is worth it to you.

For the example of the Basis course, if you never used Autopsy and plan to never use it, then $495 is outrageous just as the 8 hours to complete the course is. But, if you have been using Autopsy or considered seriously using it for casework, $495 and 8 hours is a drop in the bucket. You’ll probably save a total of weeks of “self-learning” in just one day of your time. The difference is being able to work a case from the start compared to fishing around a program and reading help files, and even then, missing half of what the application was designed to do.

Another reason for training

Other than increasing competence, being more effective, having a more thorough examination and analysis, and becoming more versatile as an examiner, training hours go toward professional development.

Consider that you were going under the knife, and your doctor said the last training or update for this particular surgery was a decade earlier. Would you feel comfortable? Wouldn’t you rather that your doctor at least attended a conference on the subject? Or maybe researched it enough to write a journal about it? Or teaches other doctors how to do it? This is what courts and clients see when the examiner hasn’t had a training class or attended a conference in years. It is one thing to describe self-learning, but quite another to fling out some training certs that show you completed training in the very thing that they are questioning you about.

That hidden feature

Have you ever had something, like some tech equipment or a new car, where after some time goes by, you discover a “new” feature? Something where you say to yourself, “Wow. Why didn’t I know that before?” DFIR tools are no different.  Being shown a feature is much better than inadvertently finding out years later that you were missing out the whole time.

Moving toward pleasure or away from pain

Your motivation to learn is either to enjoy the benefits of learning or avoid the pain of not learning. Either way works. Here is a painful story to illustrate this point:

This is a story of a legal case where a computer professional uses a specific tool as part of his job, on a regular basis. When asked in a deposition if he used a certain feature of the tool, he didn’t even know that it existed, and therefore, didn’t use it. When asked if he knows the version of the tool, he didn’t even know anything other than the brand name of the developer. When asked if he completed any training on this tool, the answer was that he read the “FAQs”, but never took any training. This case is going to trial… No matter how much training his employer gives him now on that tool, it is too late. The damage has been done. The evidence is already tainted, and some evidence has been destroyed.

Imagine the different outcome had he been trained and knowledgeable in this software tool. A day of formal training could have practically made this a non-issue. Instead, it is the issue.

You can either use training to feel good that you know how to do the job, or you can take training to avoid the pain of being on the stand and sweating out the afternoon with questions that you can’t answer.

In case you believe that no one can teach you better than you can teach yourself

Consider that even Roger Federer has a trainer. In fact, every single high-performing sports athlete that you see has a trainer. Actors too. Doctors too. High performers demand more of themselves to learn as much as they can. It may make only 1% difference, but that 1% is the difference between being competent and incompetent, or good and best.
