If you work in DFIR, you are an investigator.
To think otherwise is to do yourself and your cases a disservice. By this, I mean that the most basic task in the DFIR field is to find out what happened, and this is the purest definition of an investigator: find the truth of the matter .
Your specific job function may be completely different from many others in the same field, that is to say the DF might be a world apart from the IR. But for any practical discussion, the entire purpose of DF/IR is to employ an investigative process to uncover, discover, analyze, and interpret clues in order to reassemble the past. Whether the “past” is a breached system or reconstructing a crime that was committed using a computing device, the investigative intention is the same.
If you already had investigative training before getting into DFIR, you have a head start in the process, but you are still not immune to the pitfalls common to all. The highest trained, most experienced, and most gifted investigator can fail just as anyone else can (and will). You are only as good as your last investigation as is common to be said. The intent of this post is to reduce your risk of failure by acknowledging that you can fail.
Much has been written on the investigative process and the constant efforts of working to be an unbiased, fair, open-minded, fact-finding, critical-thinking, and clue-chasing investigator. A failure in any of the foundations of the investigative process will deliver you into a rabbit hole that you might not be able to escape.
Side note: A rabbit hole in the context of an investigation is to be completely off track in your investigation without even knowing it. You may passionately believe that you are on the right path, following solid leads, and putting together a great case, but in reality, you are completely lost without even knowing it. Believing that you will not ever end up in a rabbit hole is exactly how you will never get out of a rabbit hole after falling deep into one.
Competent investigators, and I mean this to apply specifically to everyone in the DFIR field, have open minds and actively work to combat every internal factor that can compromise critical thinking skills. We cannot control the data that we interpret, but we can control ourselves. But as humans, we err, make mistakes, and assume things to be true based on information that we should not blindly accept as facts. Acknowledging that you can make a mistake not only reduces the risks of making mistakes, but it also allows you to catch a mistake after making one. This is how you can get out of a rabbit hole.
As of today, you are one of three types of investigators. One is the investigator who has fallen into a rabbit hole. Second is the investigator who will be falling into a rabbit hole. The third type of investigator is the one currently in a rabbit hole and does not even know it. I have been all three at one time or another. Which are you?
Application to DFIR?
There is no job in DFIR that does not involve looking at a past event in order to analyze and act upon an interpretation of the data in that event. An event is anything that has electronic evidence: A word processing document. A file access. A download. A hyperlink click. An email. A digital photo. A system file artifact. Data packets. Anything. Everything.
Looking at something as common as a system artifact, such as a LNK file to piece together history must be done with reasonable investigative processes, otherwise, it will be as if you are driving across country without a map, GPS, or road signs. You will end up somewhere, but it will not be where you wanted to go.
Falling into investigative traps only leads to bad outcomes. Some outcomes are worse than others, but none are good.
To convict an innocent person due to a bad investigation results in deprivation of life and liberty, and devasting impacts on families. To wrongly attribute an attack to a nation-state based on assumptions or biased interpretations of data can result in international sanctions or even war (cyber or otherwise). Both of these are great injustices. Conversely, to not come to a factual conclusion where the perpetrator is not identified because of failed investigations, the result is a lack of justice.
Professionally, any person in DFIR can end their career with one rabbit hole of a case regardless of past successes, training, experience, education, or competence. Credibility can take nearly half a lifetime to build and only half a day to break. Be vigilant in your work!
As important as your professional reputation is, you as a person are more important, at least in my view. I have taken a lifetime of effort to make sure that every person that I ever booked of a crime was actually guilty of the crime for which I arrested them. I have put a lot of people in handcuffs as part of investigative processes and safety but never booked anyone without clarity of heart and mind. The same holds true for every digital forensics case that I have ever worked and currently work. I endeavor to live my life knowing that I did right by what was right and that I did not contribute to the wrongs done by others. I am sure that you feel the same because you do this work.
Simple, yet particularly important investigative tips
If you never read a book on investigative processes, I cannot recommend enough that you do. You may not have any interest in law enforcement investigations, but it is the principles of law enforcement investigations that will benefit you. There are other things that you can do as well, like DFIR case studies. Read what others have done and get into their mindset. See what they saw. Read what they did. Learn from their mistakes and from their great accomplishments. I put together a list of tidbits below just to give you a head start of putting you into an investigative mindset.
--Question the answers.
--A single point of evidence is a single point of failure if you base all your decisions on it.
--Know that you have biases.
--Know what your biases are.
--Control your biases.
-- Know what should exist but does not. Know what exists but should not.
--A hunch is not evidence.
--A hunch is not a fact.
--A belief is not evidence.
--A belief is not a fact.
--Know what you know.
--Know what you do not know.
--Know that you do not know everything.
--Filling in missing pieces with assumptions does not make it true.
--Be prepared to have your mind changed.
--Be ready to have your mind changed.
--Accept that you can be wrong when you think you are right.
--Work with facts.
--Interpret the data as the data presents itself.
--Work backward to put the pieces together. Start with the result of the incident and trace back to the source. Murder cases start with the body. DFIR starts with the evidence files.
--Starting at the (assumed) origin of the incident means that you will always find evidence to support your assumption. And you will be wrong.
--Just because you spent a lot of time going down the wrong path does not mean to keep going down that path. Stop. Turn around. Start over. Do it right.
Training, Education, & Experience
Read. Write. Study. Practice. The investigator that chooses to stop learning has a big rabbit hole waiting to fall into. The investigator who continues to read and learn and put into practice good investigative principles will see the traps and rabbit holes long before falling victim to them. They also are able to both pull themselves out of a trap and save the case.
I can see where some working in DFIR may feel that “investigative methods and processes” are irrelevant to the ones and zeros, or data packets, or prefetch files. I advocate the opposite, that when data is placed in front of you with the intention that you are to figure out what happened, that you have an investigative mindset, employing all the traits of a competent investigator, and put the facts together. We do this all the time with timelines, but timelines are but a small part of the big thing that you are doing. You are an investigator, reconstructing the past, in order to take some action on what happened. The “what happened” part of your work always traces back to a person. This is called investigating.
Locard's Exchange Principle
Every law enforcement officer and private investigator knows what Locard's Exchange Principle is. Every DFIR examiner/analyst should also know as this is not something new, yet it is something rarely (if ever) taught in any forensic course. Harlan Carvey wrote about it this principle in 2005, yet I constantly find many of us in the field either (1) never heard of it or (2) don't believe it applies to any DFIR job. So when I see someone advocate knowing this basic investigative knowledge, as Nicole Beckwith did on Twitter today, I get happy feet because these "small" things make the biggest differences in casework.
One of the things I am asked in reference to DFIR is "What advice would you give someone just starting out?" This is an easy one for me... Understand two things: Locard's exchange principal. It is most commonly referenced in physical evidence but also applies to digital ...
— Just Another Nerd @ ? (@NicoleBeckwith) May 2, 2020
You are probably already there, and if not, very close
Reading posts like this shows that you are curious by nature and seeking out the answers of how to be a good investigator and do your DFIR job better. You are probably a good investigator already, and just keeping your skills sharp by seeking more information. That is very cool. By the way, anyone, and I mean anyone, can become a great DFIR investigator. You do not need to have jumped from planes or dived in oceans or climbed mountains or worn a badge. All you need to do is put your mind to it, and I know that you can because you just read how to do it.