Brett's Ramblings


Some things about training, education, and learning in DFIR

In theory, if you know what you are doing and are competent, that is all you need.  In practice, being competent is rarely enough. You probably need documentation.

The importance of documentation was hammered into me for years by my employers as a government employee (military and LE).  Courts made sure that anything I had not realized was important to document before testifying had better be documented the next time.  

TL;DR (aka Cliff Notes): Don't just download some DFIR tool and use it. Create documentation to justify your self-training/education/experience in using that tool, especially if you will be facing a jury or a hiring manager.

One example I had early in police work was that of drug field tests (not the kind you see on TV, where the cop puts some unknown substance on their tongue and says, "That's good stuff").  Getting trained on how to do a field drug test wasn't something that we'd get in the academy, or as a normal part of the job.  Most would just follow the instructions on the test kit and call it good.  I think I may have been the first person in my department to be eaten up on the stand for a drug test in my report because I said, "I followed the instructions on the kit," yet had no formal or informal training in it.  My field test result was confirmed by the state lab, but I was badgered for a bit on the stand by the defense attorney about the drug test because I had no formal training in how to do it.  I did nothing wrong, I followed the instructions perfectly, the case was fine, but I didn't like getting attacked for something minor like not having a piece of paper showing 'training'.  

Here is what I did that day after court.

I found the most senior narc in the department, who had testified to field testing drugs, who had taught narcotics work at the academy, who did major cases, and most important, someone who would spend a few minutes with me.  The senior narc (who was a Commander at the time) spent 30 minutes teaching me what I already knew, but also gave me some things that I did not.  Before I left his office, I had a department head memo detailing the 'training' I had just received with a brief bio of the Commander who taught me.  That memo went into my training record, which I would use any time I was to testify to a field test of drugs in a case.  

Having gone into narcs years afterward, I created a formal in-service class and trained every patrol officer in field-testing to make sure they didn't get eaten up on the stand for not having any training in field-testing drugs.  It's a little thing, a memo or a training record, until it's a big thing.

I apply the same concept in the DFIR world.  Every breakout session at every conference I attend incurs labor on my part.  I write up the specific session, with the name of the presenter, with the notes I take, plus the time spent in that session.  If there is hands-on work, I document that as well.  All the better if there is a booklet of the sessions in the swag bag to keep me organized.  I have a spot on my shelf with these for reference. For anything that I learn on my own, guess what... I document that too.  I never ever get on the stand to testify about something I did for which I do not have documentation at the ready.  If/when asked, I know:

  • The names of the presenters that I have learned from at the specific courses and conferences I've attended, and/or
  • The number of hours that I have researched and practiced with a tool or process (learning hours, not case hours), and/or
  • The tools that I have written (itty bitty things that I have written) and the tests done with them.

I have documented formal education/training and documented informal training.  Anything that is not documented, I don't even refer to.  I don't comment on it.  I don't list it.  If you have ever been on the stand to testify about your training, education, and experience, then you know that if you don't have documentation to support it, you will be under a microscope about it.  If you are new to DFIR, you are lucky because you can start saving your documentation now.  If you have been doing this for some time and have not been saving your documentation, then you have lots of work to do.  

For anyone who doesn't feel the need to keep training records or documentation: either you don't have court appearances in your planned future, you haven't met the devil of an opposing counsel yet, or you are in a job you don't ever plan to leave.

I tend to create online courses for the benefit of getting something on paper for those who want something on paper.  I believe we can do this job without taking a class or getting a degree.  I believe that if you are in DFIR, you are smart enough to learn on your own.  Actually, if you can't learn on your own, you may have a difficult time in this field.  But that's not how it works if court appearances or job interviews are in your future.  You need paper, and lots of it: degrees, certifications, conferences, courses, and personally documented research and practice.  The learning is implied if you do these things.  Competence is assumed if you have them.  All becomes clear when you employ them (clear as in, your employer will see whether you actually know what you are doing or not). 

If you are in a position of authority, leadership, or mentorship, teach others something.  In the classes I teach, whether an LE course, a college course, an online course, or in person over coffee, I implore the learner to take seriously what I am saying about documenting what I am teaching them, because it may become useful later.  One way that I have used this in my testimony is that I have specifically stated, "I have been trained in the use of this tool by the developer of the tool."  Or, "I have been taught this forensic process by [name of person], who developed the process."  Or even, "I have been trained by the person who wrote a book on it."  This is all the better if you are the author, tool, or process developer, but second best is being taught by the tool or process developer, or by the organization that developed the tool or process you used.  

In a perfect world, everyone accepts that we are competent because we say that we are and we can prove it.  In reality, even proving it is sometimes not enough if you don't have a document that says it. 
