Brett's Ramblings


Overcommitted in DFIR

I have seen people be overcommitted, realize that they are overcommitted, yet continue forward in the most serious of situations. By overcommitted, I do not mean that they took on more than what they could handle, but that they started down a path, committed themselves to it, and refused to adapt to the changing environment.

Here is one example that I have seen in police work: Officers were dispatched to a drive-by shooting with a description of the shooters and vehicle. Reasonably, and expectedly, two officers pulled over a car that matched the make, model, and color of the suspect vehicle. Since it was a shooting, they conducted a “felony traffic stop,” which means guns out, ordering the occupants out of the car one by one. They were committed at this point to a high-risk stop. As soon as the first occupant was ordered out of the car, both officers knew that they had the wrong car (they told me so afterward).

The thing is, they kept going forward, knowing they had the wrong car, but felt they had to ‘finish the felony stop’. They were overcommitted, with no room to adapt to a dynamic environment. I’ve seen this on a few occasions, not many, but enough to know that it happens.

The point

This happens in DFIR too, and I have seen it happen more often than I have ever seen it in police work (or in the military). The way I have seen it happen is on a smaller scale of seriousness (no one has guns pointed at them), but on a larger scale of wasted time, only to arrive at the wrong objectives. I have seen this when peer reviewing reports: I can tell that an examiner was hell-bent on going one direction in an analysis, forcing a tool to do something it really shouldn’t be doing, following leads that have nothing to do with the case objective, and completely missing blatantly obvious clues along the way. They are overcommitted to plugging in a dongle and driving through the media on a pre-set course with no room for deviation. This happens a lot with students when teaching classes, and it is expected as a learning experience. But don’t let it happen to you.

As for me, I have gotten on the wrong track on occasion, but I have no hesitation in recognizing it, cutting my losses on the time already spent, and getting back on track. Every time this happens, I end up in a better place in the analysis because I realized that I had become overcommitted.

How it happens

Basically, you hop on a train that has one track to one destination, and you refuse to get off once you realize that you are on the wrong train. Some of the ways this happens include:

Your favorite tool

We all have a favorite tool or two. Sometimes that tool is not fit for the task at hand. Either don’t start out with it when it isn’t the right fit, or, as soon as you realize that you need a different tool, stop, drop, roll, and change tools. The sooner you realize you need a different tool and switch to it, the less time you lose.

Your “system”

Yes, it is easy to get into a rut and start an exam by looking in the usual places for the usual things in the usual order that you always do. Stop doing that! Each case is different. Each case needs to be evaluated with a ‘custom systematic’ method of analysis, one that is still methodical but is built around that case’s objective and evidence. Otherwise, you will miss evidence and not even know it.

Your blinders

Don’t start out thinking that you know what happened, because you will keep looking to prove what you think rather than what actually happened on the system (or to the system). By “blinders,” I mean that you intentionally don’t look at what you should be looking at because you only want to see what you want to see. As soon as you realize that you are doing this, guess what? Stop it, back up, and do the real work that you started out to do.

How to realize when it happens

As soon as you see yourself spinning your wheels and getting nowhere fast, stop and reflect on what your initial goals were, the plan that you laid out, and, just as important, the things that you saw along the way. It is what you find along the way that determines which way you go. Much like a tree blocking a road requires you to find a new route, when you find evidence or leads in your exam, adapt your previously well-thought-out plan to what you find. Otherwise you will be stuck, spinning your wheels, going nowhere.

Your benefit to re-group and re-start

You won’t waste as much time as you would have had you not stopped, reflected on what you are doing and seeing, and adapted your plan to the evidence you have at hand. This advice works for practically any aspect of life, by the way, but it is particularly helpful in forensics because it is so easy to get off to a wrong start or drift away from where you should be when looking at data.

Your next case

Plan how you want to attack it. Gather your tools. Prepare yourself for the likelihood that your plan will change, which means your approach may change, your tool choices may change, and the route you take to the objective may change. Know that up front and you can save days and days and days of effort. As a side note, don’t worry about the time you spent on the wrong track, as long as you get back on the right one; it is not wasted time if you adapt to the evidence you find along your route to the objective. You may even end up in a better place.
