Brett's Ramblings

When you think you know enough

If you ever have a day in the DF/IR field when you think you know enough, take the rest of the day off and reflect a bit before doing any more work.  The reasoning is that we can never know enough, in the DF/IR field or any field.  Usually, there is something that kicks me right where it hurts and screams at me, "DUDE, YOU DON'T KNOW ANYTHING!  YOU BETTER KEEP LEARNING!"

When that happens, I quietly back into a dark corner and reflect upon how I either (1) screwed something up or (2) didn't have a clue as to what I was doing but thought I knew.  My goal is to reduce the number of times this happens to me.  One of the ways that I do this, and I've blogged about it before, is reading cases.  I just uploaded Case Study #4 today.  It was an easy, clear-cut case with college students changing their grades.  The thing is, when you get an easy case, and if you don't put forth the same amount of focus as you do with a complex case, you will be kicked in the behind for doing something stupid or missing something that was really obvious.

Occasionally, I may print out an entire affidavit and write all over it with notes if it is a really good case.  Usually that happens when I miss something easy on a case that I should have caught. I go overboard to get my mind back into focusing on analysis and investigations.  So, when I did today's case study, I picked an easy case and still I reflected on my mind being in the game, especially on the easy cases.  You don't want to mess up an easy case.  There aren't any excuses to miss the easy stuff.

I've been getting great feedback on the Case Study series for the same reasons I'm talking about.  Sure, DF/IR students learn a lot from case studies, but for those working cases, you have to keep your head in the game constantly.  Read cases.  Compare how you would have done the same case.  Would you do anything differently?  Anything better? Could you have worked it at all?  When you ask yourself these questions, your focus is sharpened.  When you read what others do, your brain is processing the case as if you are working it.  Other than working a case and learning the hard way, case studies are the best way to learn casework, do casework, and master casework.

But don't forget. The second that you master DF/IR work, take the rest of the day off... 


The Black Friday extreme promotion I had expired yesterday, but since Phill Moore mentioned it on his blog today, I'm extending through Sunday.

Use this link to turn $1,129 in online courses to only $95. 

The promo includes X-Ways Forensics, Case Studies Series, Placing the Suspect Behind the Keyboard, and Internet Investigations.
