Today’s presentation on a case study was an example of what I have been doing for many years – figuring out how other people do the job…
I first started doing case studies when I made narc detective years ago. I can’t lay claim to having had the worst training officer in the narc world, but I would pit him up against anyone as being bottom of the barrel insofar as teaching a young narc how to do his job without getting killed in the process. That’s when I started doing case studies. It was a selfish attempt to save me from being killed.
I pulled as many adjudicated narc cases as I could get my hands on from the records room. I printed off old cases from microfiche, photocopied affidavits and reports, and interviewed the detectives who ran the cases. My sole purpose in life at the time was trying to find out how to run a case without getting killed while doing my job, while at the same time having little in the way of supervised guidance. By the time I had figured out how to do the job, I had probably put my life at unnecessary risk a dozen or so times, all the while the ‘senior’ narc stood there watching me with a cigarette dangling from his mouth. Those were not fun days. Some may call this ‘trial by fire’. I called it “this sucks”.
But I learned to learn by reading the cases of what others had done. I analyzed everything in the reports and affidavits, from the decisions made to the tactics used. By the time I actually went through formal training for narc work, I pretty much had it figured out. The formal training just solidified what I spent months learning by case studies.
Fast forward to my digital forensic days.
When I started in digital forensics (“computer” forensics at the time…), my agency had a big donut as the number of forensic examiners in the agency. A big donut = 0. My agency not only never had a forensic capability, but rarely even sent out a computer for analysis. I think we had one forensic exam completed by a private examiner…once. At the time, I thought I could do magic because whenever I said "computer forensics", administrators would automatically roll their eyes and talk about anything besides computers.
So, I started the first forensic unit. Guess how I learned to do the job… Case studies. By the way, it worked out fine. I did cases. Administration was happy. Bad guys went to prison. The unit grew after I left, so there's that.
The technical part of forensics is not difficult. I believe most anyone can figure out how to pull an artifact from a storage device. A disk is a disk is a disk. A file is a file is a file. But running a case, when every case is different from the last? We have plenty of software and plenty of sources of information that tell us how to do the technical part; however, we lack the documentation on how to run a case. A solution: Case studies.
I have found a few case studies on YouTube over time, but all that I have found are presented by people who never actually ran a case. Looking at a case from the outside misses a lot of important details, and many assumptions have to be made. I wouldn’t evaluate a pilot if I’ve never flown a plane. Running a case (much like piloting a plane, I would imagine) involves a lot of physical labor, organization, fortune-telling, guessing, planning, interpreting, and managing data, people, and events. That’s how I look at case studies. I try to look at the case from the perspective of the investigator (or special agent) in order to understand the decisions made and methods used. Then I see if I could have done anything different or better. Then I put what I learned to work and make sure that it does work. It also doesn't hurt to know the legal restrictions in running a case. If you don't know the subtle differences between civil and legal cases, or the legal authority as a law enforcement officer or citizen, you'll be skating on thin ice every day in every case.
This is my intention with making my personal case study notes public. Take a look at a case through the eyes of the investigator/examiner. Watch how a case unfolds and how an investigator can take the case from start to finish. Learn how someone else does the job and draw the best parts of it for your job. There are few better ways to see how a case is worked than reading the actual case and how it worked.
Interestingly enough, with today’s presentation, a thriller author emailed me with a dozen questions about how computer investigations work and how to incorporate complex details into a work of fiction. The short answer I gave was that it isn’t easy to get right if you don’t know how it works. If I were to write a book about a pilot, it would be the worst book ever, because I’d get all the details about being a pilot wrong: I have only flown in and jumped out of planes, but never piloted one. For the writers out there, I’d take a look at some case studies to see how it is done in the real world, and then bend it a little for the fictional world.
As to more case studies, I’m hoping to have feedback with a survey I added to today’s case study. If enough people think it is worthwhile, I’ll make it a series. If not, I’ll still do the case studies, but it’ll be the same way I’ve been doing them for the past 20+ years… quietly by myself…
Side note:
The limited time frame for this initial online case study was set for a reason, and I totally understand that many people can't make it within the short registration period. Some of the reasoning is to limit the number of people, get a gauge on whether this will be worthwhile to produce, and make a plan to support a series of case studies. I also wanted to limit the number of people to whom I am practically giving away the 13-hour Placing the Suspect Behind the Keyboard course as well.
The difference between when I do a case study by myself and when I create an hour's worth of video and slide deck is on a scale of 1:5 in time spent, so with that, let me know if this is something of value for you.
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
Even better, support DFIR Training by subscribing at https://www.dfir.training/subscribe-3 and get access to multiple online courses in digital forensics with included ebooks!
© 2021 Brett Shavers