Today’s presentation on a case study was an example of what I have been doing for many years – figuring out how other people do the job…
I first started doing case studies when I made narc detective years ago. I can’t lay claim to having had the worst training officer in the narc world, but I would pit him up against anyone as being bottom of the barrel insofar as teaching a young narc how to do his job without getting killed in the process. That’s when I started doing case studies. It was a selfish attempt to save me from being killed.
I pulled as many adjudicated narc cases as I could get my hands on from the records room. I printed off old cases from microfiche, photocopied affidavits and reports, and interviewed the detectives that ran the cases. My sole purpose in life at the time was trying to find out how to run a case without getting killed while doing my job, at the same time as having little in the way of supervised guidance. By the time I had figured out how to do the job, I had probably put my life at unnecessary risk a dozen or so times, all the while with the ‘senior’ narc standing there watching me with a cigarette dangling from his mouth. Those were not fun days. Some may call this ‘trial by fire’. I called it “this sucks”.
But I learned to learn by reading the cases of what others had done. I analyzed everything in the reports and affidavits, from the decisions made to the tactics used. By the time I actually went through formal training for narc work, I pretty much had it figured out. The formal training just solidified what I spent months learning by case studies.
Fast forward to my digital forensic days.
When I started in digital forensics (“computer” forensics at the time…), my agency had a big donut as the number of forensic examiners in the agency. A big donut = 0. My agency not only never had a forensic capability, but rarely even sent out a computer for analysis. I think we had one forensic exam completed by a private examiner…once. At the time, I thought I could do magic because whenever I said "computer forensics", administrators would automatically roll their eyes and talk about anything besides computers.
So, I started the first forensic unit. Guess how I learned to do the job… Case studies. By the way, it worked out fine. I did cases. Administration was happy. Bad guys went to prison. The unit grew after I left, so there's that.
The technical part of forensics is not difficult. I believe most anyone can figure out how to pull an artifact from a storage device. A disk is a disk is a disk. A file is a file is a file. But running a case, when every case is different from the last? We have plenty of software and plenty of sources of information that tell us how to do the technical part; however, we lack the documentation on how to run a case. A solution: Case studies.
I have found a few case studies on YouTube over time, but all that I have found are those doing a case study who never actually ran a case. Looking at a case from the outside misses a lot of important details and many assumptions have to be made. I wouldn’t evaluate a pilot if I’ve never flown a plane. Running a case (much like piloting a plane I would imagine) involves a lot of physical labor, organization, fortune-telling, guessing, planning, interpreting, and managing data, people, and events. That’s how I look at case studies. I try to look at the case from the perspective of the investigator (or special agent) in order to understand the decisions made and methods used. Then I see if I could have done anything different or better. Then I put what I learned to work and make sure that it does work. It also doesn't hurt to know the legal restrictions in running a case. If you don't know the subtle differences between civil and legal cases, or the legal authority as a law enforcement officer or citizen, you'll be skating on thin ice every day in every case.
This is my intention with making my personal case study notes public. Take a look at a case through the eyes of the investigator/examiner. Watch how a case unfolds and how an investigator can take the case from start to finish. Learn how someone else does the job and draw the best parts of it for your job. There are few better ways to see how a case is worked other than reading the actual case and how it worked.
Interestingly enough, with today’s presentation, a thriller author emailed me with a dozen questions about how computer investigations work and how to incorporate complex details into a work of fiction. The short answer I gave was that it isn’t easy to get right if you don’t know how it works. If I were to write a book about a pilot, it would be the worst book ever because I’d get all the details about being a pilot wrong because I have only flown and jumped out of planes, but never piloted one. For the writers out there, I’d take a look at some case studies to see how it is done in the real world, and then bend it a little for the fictional world.
As to more case studies, I’m hoping to have feedback with a survey I added to today’s case study. If enough people think it is worthwhile, I’ll make it a series. If not, I’ll still do the case studies, but it’ll be the same way I’ve been doing them for the past 20+ years… quietly by myself…
The limited time frame for this initial online case study was done for a reason, and I totally understand many people can't make it within the short registration period. Some of the reasoning is to limit the number of people, get a gauge on if this will be worthwhile to produce, and make a plan to support a series of case studies. I also wanted to limit the number of those to whom I am practically giving away the 13-hour Placing the Suspect Behind the Keyboard course.
The difference between when I do a case study by myself and when I create an hour's worth of video and slide deck is on a scale of 1:5 in time spent, so with that, let me know if this is something of value for you.