Brett's Ramblings


Aren’t we neglecting something in DFIR?

The technical piece of DFIR is not difficult. If you know what you are looking for, and you know how to find it, the work is actually easy. I do not say this to mean that anyone off the street can do this work without training or education. I mean this as in once you are technically competent, the actual work allows you to excel even more so, technically, because it becomes easier.  But this is where a bottleneck holds up progress in the DFIR cycle. The presentation phase of DFIR work is the only piece that turns the most competently proficient forensicator into a little kitten.

The Too Long: Didn’t Read version of this post

If you can’t effectively tell the story of your DFIR work, your DFIR work doesn’t matter, no matter how good you are.

Now for the important details

Since I am a visual learner, colorful infographics and flowcharts make it easy for me to understand a concept. In DFIR, we have lots of these, for which I am grateful. Cycles of this, that, and the other, all showing easy-to-follow workflows.

One problem with an infographic is that the information is generally very minimal. For DFIR, we have many visuals that broadly display a “Cycle of DFIR” as:

  1. Create a plan of the work
  2. Do the work
  3. Evaluate the work
  4. Repeat

This is good. Practically every infographic related to DFIR, or to the intelligence/investigative cycles, gives varying visuals of Wash > Rinse > Repeat. The one piece that I see little on is the importance of being just as competent in presentation as in the technical work. And eventually, the presentation is the end of an investigation or response. No case is never-ending. Some are longer than others, but eventually, there is an end of some sort.

Who should be chosen as the best person to present a finding or case?

Every person on your team must be proficient to some extent in the presentation of their interpretation of data. Data can be a single artifact or the entirety of an incident/investigation, and everything in between. Not being able to effectively present evidence nearly negates doing any work at all. Let me say that again: If you can’t tell the story of what you did, then nothing you did matters.

You may have done the most awesomeness of DFIR work in the world, but if you can’t relay the story of that work, it was for naught. This applies to any work. If a police officer makes an arrest of the most violent felon in the community but cannot effectively present the facts of the investigation to a court, then the violent offender might not be convicted and go free. If a forensic analyst finds the key artifact on a storage device but is not able to describe the why and how of that artifact, then that artifact is meaningless along with the effort to find it.

The reason that ‘we’ do not take presentation seriously is that ‘we’ understand what we did. We understand what happened. And we expect everyone else to know exactly what we did without us having to explain ourselves. This is partly due to ego (see my post on ego in DFIR).

Presentation Training

Where are the courses in presentation? How about courses in court testimony? Sure, I have seen one or two over the past decade, but nothing as compared to the technical courses available. Not even close. Yet, every technical training course in the world is useless if the presentation is not up to the same level of competence. It is one thing for a policy to state, “Evaluate the actions taken” and quite another to train and give someone the experience in relaying technical information to another.

The newest and most junior person on a team must be able to present their work to their supervisor or trainer. Expect the presentations to be better over time, and this is up to the seniors to critique the juniors. An attorney-friend of mine always prefaces his questions to me with, “Forgive me, but to make sure I understand what you are going to say, pretend that I am a fifth-grader.” My friend-the-attorney is on the genius level of IQ and knowledge, but he has his ego under control enough to make sure he is going to understand what is coming.

Report writing is presentation?

I’ve not met anyone who loved writing reports. I have seen some do more work to get out of writing a report than the time it would have taken to quickly knock out a sheet of paper with words on it. Report writing is a presentation and should be taken just as seriously as speaking in front of 500 people or the CEO of your organization.

Report writing is also a fantastic training opportunity for junior DFIRers. If someone can effectively get the words on paper, they most likely will be able to get the spoken words out as well. Both of these take practice. It will never be perfect. But it will improve over time. And it will keep improving as long as the practice and experience continue.

Are you in charge?

Train your team to present! You will benefit your team more than you can imagine with just a few minutes at a time. Have a team member write up a half-page of an artifact (or anything) and explain it to everyone. Be sure that every person is verbally engaged in debriefs and evaluations. Encourage and require every person to present their work, their opinion, and their suggestions in both a written and spoken format.

Your team will grow by leaps and bounds when every person can articulate their reasoning, their opinions, their findings, and their conclusions. If there is one person that cannot do this, you have a weak link that will minimize the work of the team, regardless of how technically competent that person may be.

Motivating your team

Sometimes you may have a team member that does not see the importance of being able to explain effectively. Expect it. They simply don’t care that someone else doesn’t get it. This is your weak link, and one way to motivate someone who doesn’t want to present their story (i.e., their work) is to require it. I’ve not met good senior leadership who wouldn’t take a few minutes out of their day to help their organization, specifically helping someone in the organization that may need it. With this, I have had juniors who just didn’t get the importance, ultimately get the importance when being told to explain their work to the ‘big boss’ and that the ‘big boss’ better be able to understand the story in less than 2 minutes. Motivation achieved!

Becoming a better storyteller

Speak in front of others. Speak some more. Then when you think you got the hang of it. Keep speaking. If you happen to throw up occasionally, you are on the right track. (see my post on Puking in DFIR). I am speaking at a few events in April, May, and later this year. All are virtual, but the experiences of presenting are just as important to me as the information that I hope to convey to others. There is no point in your career where you don’t have to practice presentation skills because you obtained competence. Competence is like a sinking boat. Once you stop scooping out the water of a sinking boat, it will sink. Same with presenting DFIR information: once you stop doing it, your competence will wane.

When does presentation happen?

Ultimately, at least with a legal or internal investigation, there is a final presentation. This is the last chance to fully tell the story of your analysis. The final presentation should be a culmination of all the other presentations that should have occurred during the investigation to team members.

There are intermediate points in any analysis where periodic updates are given, questions asked, course directions changed, and leads followed. Use each of these opportunities as experience in storytelling as you adjust the story to the varying audiences you have. The same story told to your team will need to be told much differently when told to decision-makers who are outside of your technical world. These are valuable experiences that teach you how to change the pace, flow, and language based on your audience when telling the same story. This is a skill that can’t be bought and more importantly, can’t be faked.

About that motivation

If you are like me, whenever you get a task assigned, or volunteer to do something, tension starts. You want to do a perfect job. You don’t want to make any mistakes. And you overprepare to expect the worst. This is what happens when you agree to present on a topic. Hours to prepare over weeks for a short presentation. Then checking your presentation. Then research again to make sure nothing changed since the last time you checked your information.

In addition to re-learning the topic, however, the experience of presenting will make sure that your next presentation will be even better. So, every presentation that you see someone do, keep in mind that that presentation was probably better than the last one, but won’t be as good as the next one.


To those who helped me

I will openly admit that I have held some serious grudges in the past with team leaders. I distinctly remember one of my squad leaders in the Marines who ordered me to describe a field mission to my section leader because I didn't put the effort to explain it well enough to my squad as asked. To be honest, I put no effort in it to my squad as I thought it was a waste of time. After all, we had been planning that thing all day together... we all knew what we were going to do. That was a painful lesson to learn, but was needed. I used the same lesson many years into my law enforcement career. For those who helped me comprehend the importance of telling a story, I hope to repay that patience of dealing with me with my continuing to help others learn the same lesson.

Tell the story of your work so that it is understood. Decisions are made from it. Your competence is judged by it. And depending upon your job, you could have someone's life, liberty, or livelihood hanging in the balance of your spoken words.

