This is an evidence storage device.

Mistakes in any career field are inevitable. And much like car accidents, the severity of a mistake can range from a simple ‘oops’ to something more disastrous and permanent.  In the DFIR field, errors and mistakes will usually fall in the more serious of the bad results because a DFIR investigation typically involves life, liberty, or the pursuit of happiness being at stake.

The dilemna is that DFIR work must be accurate and true, but we know there will be errors and mistakes.  

What about this ‘evidence storage device?’

There is not a time where I touch physical or electronic evidence that I do not pause for a split second and remind myself of what I am touching. This instantly puts me in the frame of mind to focus, to evaluate, and to plan what I need to do with that evidence.

This is no different than anytime I touch a firearm. Or drive a car. Or pick up a baby (although, has been a long time since I held a baby…).  Touching anything that can or will have an incredible impact on others or myself is not a simple thing.  Seeing a reckless driver on the freeway shows me a person who doesn’t get it and a wreck is in the future.  Seeing a forensic examiner haphazardly handle drives shows me that mistakes will be happening at some point in that examiner's case.  

There is rarely a training or talk that I do where I do not give the same ol’ advice in the form of a self reminding statement, like, “This is an evidence storage device.”

An evidence storage device, whether it be a flash drive or a server room, stores evidence.  It is a key component to a DFIR investigation.  Recognizing that you can ruin the investigation by altering or destroying evidence should be the most motivating factor in taking care of it.

Stupid basics?

I dare you to say to yourself, every time you touch evidence, “This is an evidence storage device” and not have that one sentence give you some motivation of care that you didn’t have prior.  This is so basic but essential to preventing mistakes.

Vince Lombardi, when training the Green Bay Packers, began training with his statement of “This is a football” to reinforce that mastering the basics is the magic of the advanced skills.  Lombardi went on to win 5 NFL championships and never had a losing season....due to focusing on the basics.

The intention of saying to myself “This is an evidence storage device” is to remind me that no matter how times that I handled evidence correctly before, today could be the day that I mess it up by being complacent, lazy, or overconfident. 

Any DFIR investigation (you might call these “exams” or “analysis”) involves at least one alleged victim. Your duty is to uncover the activity on the devices, which will either prove or disprove the allegations.  When you do this wrong, when you err, and when this happens because of your lack of care, you will be the one victimizing the victim a second time. 

On my desk, no matter where I have worked, I have had a small disk drive sitting on it. On this disk drive is a sentence that I wrote that says, “This is an evidence storage device - Brett Shavers.”   It is a constant reminder to me that any storage device may have evidence on it and I am its care-keeper, its examiner, its interpreter, and its voice.  I am accountable to what happens to it and for accurately telling the story that exists on it.

The next time you touch evidence

Try it.  Say to yourself or say out loud, “This is an evidence storage device.”  See if you feel different.  Question if you look at the device with a more careful and attentive eye than if you simply and robotically picked it up.  If you do, you will have greatly reduced your chances of making an error in that case, because your focus is on the evidence.  Isn’t that where your focus should be?

So, if you are ever asked why you say, “This is an evidence storage device” when you touch evidence, the answer is simply because you want to reduce the risk of making mistakes.