Brett's Ramblings


If you are comfortable in DFIR, you might be doing it wrong

I took a 3-day basic forensic course and embarrassingly enough, the instructor (in front of the class), said that I probably know everything in the course already and this class is probably too basic for me…on the first day…in the first hour…and I was in the first row…I was a little uncomfortable.

I spoke to the instructor afterward about the course being well-done, with an effective delivery, and I learned more than enough to make the time and cost worthwhile. It was a good course and I have already benefited from the cool tips that I saw, including from what came out of the course from other students.

Side note: Did you catch that I said “students”? If you go into any training thinking that you know more than anyone else, you aren’t a student. A student is one who studies and learns with interest. That includes the instructor.

This is the crux of this post: Several people in this class, including the instructor, asked why I spent money and time in this course when I could be in some super-secret-and-advanced-digital-forensics-training given by the best-instructors-on-the-planet kind of class that costs tens of thousands of dollars. For me, it only makes sense to keep up on the foundations of any field on a regular basis. I mean, there isn’t any reason that I can think of to work on anything beyond foundations if the foundations are not solid. Foundations are like vegetables. They spoil in time.  As you wouldn't want to eat a rotten apple, you wouldn't want to do any DFIR work with spoiled skills. You have to be fresh in your foundations.

An extreme example of this is the commonly used (and accurate) phrase that complacency kills. All military service members know this. All police officers know this. All doctors and nurses know this. Anyone who works in a field of life-and-death knows that complacency will cause someone to die. Like I said, this is an extreme view, but accurate in the fields where people have died from mistakes caused by complacency. I've personally seen it as you may have as well.

In the DFIR world, complacency may not kill a person, but it can certainly kill a case or your job. If you ever want to know if you have become complacent, ask yourself, “Am I comfortable?” If you are comfortable in your job, in that you have the answer for everything, and for that which you don’t know you assume that it is not important, you may be getting too comfortable in your skills. Maybe you are that good, but as for me, whenever I think that I am “that good”, I take a step back because I know that I have crossed the line between confidence and complacency.

You can see the chain of how this happens as soon as you become confident in your skills.

* Confidence leads to cockiness.
* Cockiness leads to comfort.
* Comfort leads to complacency.
* Complacency leads to carelessness.

At that point, anything you touch is at risk of failure. The good news is that most of us avoid heading down that path because it is easy to discover how much you don’t know with any given scenario, just as long as you have an open mind of accepting that you don’t know what you don’t know. The bad news is that carelessness can sneak up on you without warning until something bad happens if you don't keep alert.

If you think that those in the DFIR field are exempt from having to keep up on the foundations of the field, you are wrong. Would you want your doctor to have never refreshed the foundations of general practice medicine, or are you fine with your doctor last seeing foundational medical instruction twenty years ago?

When you see me in any training, do not expect that I know anything or everything that will be presented in the course (probably…I know nothing or at best, not enough). I read and re-read “basic” forensic books all the time. I refresh myself on my notes that I have taken in classes, because I tend to more clearly understand what I wrote after I have experienced those skills in work afterward. I repeat tests that I’ve previously done, most always before testifying or writing a report on my findings where I cite those personal tests. I take and re-take "basic" forensic courses.

Sure, you may be an expert at an advanced topic, but be sure to have the foundation solid.

So if you are comfortable, make yourself uncomfortable and hit the foundational books and courses, that is, unless you are on vacation. Then by all means, be sure to make yourself comfortable.


