During a recent workshop, one person in the class kept asking me for the magic bullet to work his case. By that, I mean that he kept asking me over and over again for the answer to one of his cases. A ton of ‘hypotheticals’ and another ton of ‘what ifs’ and a half ton of ‘that does not apply to my case’.  One thing about these types of questions is that nothing is going to solve the problem when you don’t know what the problem is in the first place. Another thing is that there is no one answer to solve someone else's problem in their case that you can give, not usually anyway. You can guide and suggest, but having the answer isn't typically going to happen.

So then this happened

The second part of the workshop was a discussion of past case studies and then current cases from the class (whoever wanted to volunteer their cases). The guy with all the questions had none during the volunteer-your-case time. Others did, but not him. Oh well, I had been hoping to dig into his case directly, and when the class was over, the detective was gone out the back door. Probably not the happiest student since he left right after the class was over. We did get some really good ideas going on some cool cases that I wish I was working...

Fast forward a month.

The dissatisfied detective emailed me. He figured out what to do in his case, which worked, and it was nothing that I had given in the workshop. I thought that I was getting a complaint until he described that when I was discussing case studies, one thing led to another, to another, and he thought of something on his own, which was the key to overcoming an obstacle in his case. He was halfway complaining that I didn’t give him the answer, but conceded that I had helped him find it on his own. That was the entire point of the case studies session, by the way: figure it out yourself, with a tad bit of inspiration.

To the point

Had it not been for him listening to case studies (past cases and current cases) from a variety of different perspectives, he most likely would not have been inspired to come up with his own solution. At best, the solution might have come to him weeks or months later had he not listened to the class discuss case studies, and at worst, never at all. For that, I’ll take a little credit for providing the spark for a fire.

Here is the thing with case studies, particularly with DFIR-type case studies; unless you did the case yourself, you’ll not have all the information on how the case was worked. But you can get a feeling of the flow of the case, a few pointers on how someone else ran it, and maybe grab a spark of inspiration on one of your cases.  All you need is a spark, not an explosion.

I’ve been making some case studies available through videos, in which I talk about the main points of cases that I find online. Talking about my cases doesn’t make as much sense because I already know what I was thinking. It is the other cases where I want to find out how other people think, how they plan, and how they implement investigative strategies in their cases. With the videos, my intention is to show how I look at cases, criminal or civil, and things that I learn. If I could go back in time, I would do all my cases 10x better than I did, simply because I continue to study how cases are worked by others, gain ideas, and get inspired by innovative methods.

The forensic part of casework is ‘easy’, in that as long as you know how to do X, Y, and Z in an analysis, you can examine any piece of electronic evidence. Yes, analysis can be tedious, monotonous, eye-straining, and frustrating, but it is essentially easy when you can work tools to do what you want done with the data.

Do you know the difference between an average analyst and a great analyst?

One just examines electronic media and the other works the hell out of a case.

As a side note, I am working toward becoming a great analyst one day. I will never get there, but I won't stop trying until I do, which I may not get there, but I will keep working on it. I hope you get the point of that :)

Tips

- There is no limit on the number of great examiners. Whoever wants to be one, can.
- There is no restriction on who can be a great examiner. Identity = irrelevant.
- This all applies to you.

Examples

Here are two videos on case studies to get a feel of what I mean. I have more videos, and I am making the time to keep them coming, but this should hopefully drive home the point of what I mean when I say that you, yes you, can break a case regardless of seriousness or size. From theft of petty cash to cyber-terrorism, a case is a case is a case. You just need to work the hell out of it.

Video: https://www.youtube.com/embed/5GBOaZ9XB80

Video: https://www.youtube.com/embed/ArWmQjh9YgI

More case studies here, and more coming: https://www.patreon.com/DFIRtraining