Brett's Ramblings
Case studies are more helpful than you may think
Today’s presentation on a case study was an example of what I have been doing for many years – figuring out how other people do the job…
I first started doing case studies when I made narc detective years ago. I can’t lay claim to having had the worst training officer in the narc world, but I would pit him up against anyone as being bottom of the barrel insofar as teaching a young narc how to do his job without getting killed in the process. That’s when I started doing case studies. It was a selfish attempt to save me from being killed.
I pulled as many adjudicated narc cases that I could get my hands on from the records room. I printed off old cases from microfiche, photocopied affidavits and reports, and interviewed the detectives that ran the cases. My sole purpose in life at the time was trying to find out how to run a case without getting killed while doing my job at the same time of having little in the way of supervised guidance. By the time I had figured out how to do the job, I had probably put my life at unnecessary risk a dozen or so times, all the while the ‘senior’ narc standing there watching me with a cigarette dangling from his mouth. Those were not fun days. Some may call this ‘trial by fire’. I called it “this sucks”.
But I learned to learn by reading the cases of what others had done. I analyzed everything in the reports and affidavits, from the decisions made to the tactics used. By the time I actually went through formal training for narc work, I pretty much had it figured out. The formal training just solidified what I spent months learning by case studies.
Fast forward to my digital forensic days.
When I started in digital forensics (“computer” forensics at the time…), my agency had a big donut as the number of forensic examiners in the agency. A big donut = 0. My agency not only never had a forensic capability, but rarely even sent out a computer for analysis. I think we had one forensic exam completed by a private examiner…once. At the time, I thought I could do magic because whenever I said "computer forensics", administrators would automatically roll their eyes and talk about anything besides computers.
So, I started the first forensic unit. Guess I how I learned to do the job… Case studies. By the way, it worked out fine. I did cases. Administration was happy. Bad guys went to prison. The unit grew after I left, so there's that.
The technical part of forensics is not difficult. I believe most anyone can figure out how to pull an artifact from a storage device. A disk is a disk is a disk. A file is a file is a file. But running a case, when every case is different from the last? We have plenty of software and plenty of sources of information that tells us how to do the technical part, however we lack the documentation on how to run a case. A solution: Case studies.
I have found a few case studies on YouTube over time, but all that I have found are those doing a case study who never actually ran a case. Looking at a case from the outside misses a lot of important details and many assumptions have to be made. I wouldn’t evaluate a pilot if I’ve never flown a plane. Running a case (much like piloting a plane I would imagine) involves a lot of physical labor, organization, fortune-telling, guessing, planning, interpreting, and managing data, people, and events. That’s how I look at case studies. I try to look at the case from the perspective of the investigator (or special agent) in order to understand the decisions made and methods used. Then I see if I could have done anything different or better. Then I put what I learned to work and make sure that it does work. It also doesn't hurt to also know the legal restrictions in running a case. If you don't know the subtle differences between civil and legal cases, or the legal authority as a law enforcement officer or citizen, you'll be skating on thin ice every day in every case.
This is my intention with making my personal case study notes public. Take a look at a case through the eyes of the investigator/examiner. Watch how a case unfolds and how an investigator can take the case from start to finish. Learn how someone else does the job and draw the best parts of it for your job. There are few better ways to see how a case is worked other than reading the actual case and how it worked.
Interesting enough, with today’s presentation, a thriller author emailed me with a dozen questions about how computer investigations work and how to incorporate complex details into a work of fiction. The short answer I gave was that it isn’t easy to get right if you don’t know how it works. If I were to write a book about a pilot, it would be the worst book ever because I’d get all the details about being a pilot wrong because I have only flown and jumped out of planes, but never piloted one. For the writers out there, I’d take a look at some case studies to see how it is done in the real world, and then bend it a little for the fictional world.
As to more case studies, I’m hoping to have feedback with a survey I added to today’s case study. If enough people think it is worthwhile, I’ll make it a series. If not, I’ll still do the case studies, but it’ll be the same way I’ve been doing them for the past 20+ years….quietly by myself…
Side note:
The limited time frame for this initial online case study was done for a reason, and I totally understand many people can't make it within the short registration period. Some of the reasoning is to limit the number of people, get a gauge on if this will be worthwhile to produce, and make a plan to support a series of case studies. I also wanted to limit the number of those I am practically giving away the 13-hour Placing the Suspect Behind the Keyboard course as well.
The difference between when I do a case study by myself and when I create an hour's worth of video and slidedeck is on a scale of 1:5 in time spent, so with that, let me know if this is something of value for you.
About the author
Comments 2
By accepting you will be accessing a service provided by a third-party external to https://www.brettshavers.com/
Posts List
Tag Cloud
Search Blog
Most popular posts
Magnet Forensics Conversation
DFIR Training
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
Even better, support DFIR Training by subscribing at https://www.dfir.training/subscribe-3 and get access to multiple online courses in digital forensics with included ebooks!
More posts
-
When OSINT is turned into the Baseball Bat of Internet Mob Justice
We are of a curious mind, we the forensic examiners, private investigators, OSINT professionals, and journalists. Our work is for the public good, and we…
Thursday January 14
5566 hits / 0 comments
-
I took a look at Instagram's Terms of Service so that you won't have to.
Who really reads the Terms of Service anyway?Are EULAs and TOSs intentionally designed as multi-page, single-spaced, 4 font, legalized writing to confuse users or simply…
Saturday December 26
8534 hits / 0 comments
-
White Paper: The Susceptibility of Interconnected Devices in a Global Concept as Surveillance Affects the Consumer-user
I read an article that China used technology to spy on users via their phones (https://www.theguardian.com/us-news/2020/dec/15/revealed-china-suspected-of-spying-on-americans-via-caribbean-phone-networks). Here is my white paper analysis.#1 - If...
Wednesday December 16
4652 hits / 0 comments
-
How long does it take to get into the DFIR field?
Question I received: How long does it take before I can expect to get into a DFIR career?Answer: It depends!It depends on your available resources +…
Thursday November 12
14893 hits / 0 comments
-
An expert is just one page in a book ahead of you
Let me dispel your notion of what an “expert” is. An expert is someone who has more information than you. That’s it. Imagine being stranded…
Friday October 30
5825 hits / 0 comments
-
Should you improve your DFIR skills on your personal time?
Almost two years ago, I wrote about burning out in DFIR (“Only race cars should burn out"). I still stand by what I wrote at…
Friday September 04
28344 hits / 0 comments
-
TikTok is like a big, greasy cheeseburger. We know it is bad for us, but don't care.
Short version: Any social media platform can be compared to the biggest, greasiest cheeseburger that you can find. You know that the cheeseburger is unhealthy,…
Tuesday July 07
24019 hits / 0 comments
-
Jessica Hyde and I talk about forensic stuff
Jessica Hyde of Magnet Forensics sat down together (virtually...) to talk about forensics. In case you missed it, here it is!
Thursday June 11
10735 hits / 0 comments
-
Facebook Spoofing: Your Reputation, Investigations, and Massive Data Collection
A “new” article on imposter Facebook accounts was published today in the Philippines. I put “new” in quotes because this is not a new issue,…
Sunday June 07
2662 hits / 0 comments
-
You do not want to work in DFIR.
The fantasySo many people ask how they can start a career in the DF/IR field, which is completely understandable. The glamour is there. Hollywood shows…
Thursday June 04
3278 hits / 0 comments
-
COVID-19’s Investigative Impacts on Digital Forensics/Incident Response (DFIR). AKA: All burners are now burned.
The meat and potatoesA bit is still a bit and a byte is still a byte. COVID-19 cannot change that, which means that the technical…
Saturday April 25
16859 hits / 0 comments
-
Mini-WinFE 10 and WinFE 10 Updated
The short story on the newest Mini-WinFE 10 (aka, the download link):Mini-WinFE has been updated and upgraded. I update WinFE developments (including the downloads for…
Sunday April 05
10816 hits / 2 comments
-
Eat your broccoli first
Something good and something not-so-good on learning DFIRThe good thing about learning DFIR is that there are probably fewer barriers and obstacles to learn and…
Saturday January 18
30971 hits / 0 comments
-
The Second Decade of the 2000s is almost over!
We’ve come a long way in DFIR over the past 20 years, and even looking at just the past decade, the field has drastically grown!…
Thursday December 26
10720 hits / 0 comments
-
Public Records
I have an outstanding public records request. It is not "outstanding" in the manner that I wrote a great request, but "outstanding" in that I…
Thursday December 12
5221 hits / 0 comments
-
The Five Stages of the DFIR Career Grief Cycle
I have been a fan of Craig Ball ever since I met him in a forensic course years ago. I was so impressed with Craig,…
Tuesday September 10
36764 hits / 0 comments
-
Our World is Going to Turn Upside Down with DeepFakes
The short storyAny person and their voice, in practically any video (past, present, or future) can have their face and voice digitally replaced with any…
Sunday September 01
4455 hits / 0 comments
-
If you are comfortable in DFIR, you might be doing it wrong
I took a 3-day basic forensic course and embarrassingly enough, the instructor (in front of the class), said that I probably know everything in the…
Thursday August 29
4803 hits / 0 comments
-
Everything I Needed to Know about Working in DFIR, I Learned in Boot Camp
You don’t need to experience military life to learn the valuable lessons that are drilled into military recruits. In fact, you can probably enjoy the…
Saturday August 17
6431 hits / 0 comments
-
Personality of a computer
From a recent discussion that I had with Harlan Carvey about the registry, this topic is something that I touched on lightly in Placing the…
Wednesday July 31
5082 hits / 0 comments
© 2021 Brett Shavers