Christa: Hello and welcome to the Forensic Focus podcast. Monthly we interview experts from the digital forensics and incident response community, on a host of topics ranging from technical aspects to soft skills. I’m your host, Christa Miller.
Our inaugural guest this month is Brett Shavers, a digital forensics examiner whose experience includes a law enforcement career investigating cybercrime, and serving as an expert consultant in civil litigation cases. Brett has more than 1,000 hours of formal digital forensics training from a variety of US federal agencies and forensic software companies. He provides private consultations to government agencies and law firms in sensitive legal matters. He’s also an award-winning author of several digital forensics books, such as Placing the Suspect Behind the Keyboard; Hiding Behind the Keyboard; and The X-Ways Forensics Practitioner’s Guide. Brett also manages the digital forensics online resource www.dfir.training.
Brett, welcome! Happy to have you on the show.
Brett: Hey, glad to be here. Thanks.
Christa: Awesome. So in the interest of time, I’m going to jump straight into my Q&A here. So starting off, your career spans this wide range of experience, and the tone of your blog and social media activity reflects that range. What jobs and experiences do you feel have been most influential on what you do now, and the advice you impart to others?
Brett: I think… I joined the Marines when I was really young, like seventeen years old, and then went into law enforcement after that, and what I’ve learned, and what I try to tell people from that experience, is that unless bombs are dropping on your head, or someone’s sticking a gun in your stomach, just relax. Nothing is that bad to worry about and stress over. So that’s probably the biggest thing I like to tell people is: just calm down a bit, everything is difficult at first, it takes time to learn it, and then you get good at it. So that’s probably the biggest thing.
Christa: OK. That’s challenging, though, because it feels like the stakes are high in a lot of investigations. A lot is riding on what you do or don’t find, the skills that you’re bringing to the job. So, any specifics on how you help the people that you manage to kind of calm down and look at the bigger picture, and get that perspective that they need?
Brett: Probably the easiest way is just to ask yourself: “What’s the worst that can happen?” I mean, there are bad things that can happen, obviously, if you do a bad job; but if you really boil that down to what’s the worst that can happen – is someone going to get killed? I mean, if it’s not that bad, if someone’s not going to die… you could lose your job, obviously, but still, if you make a mistake that bad, it’s still not a life or death mistake.
So if you just start it from there, then the rest is easier to manage, I believe. If the worst that can happen is you mess up a case, you can learn from it, and you can do another case better, the next case better, and learn from that one as well.
So like I said, unless your life’s on the line, everything is a lot easier to worry about than something going wrong because of an analysis, or because you missed something.
Christa: So that leads into my next question. Looking at all you blog and tweet about mental health issues like burnout, overcommitment, finding the balance, even callout culture and related topics: what’s the most important thing that you want practitioners to take away from all these collective insights? We talked about that a little bit, but in terms of managing your own stress level from day to day, and sort of the day to day, I guess, of managing these issues?
Brett: Yeah, I think we’re all probably Type A, in this field, because we want to get things done, and we’re impatient. And that works against us by being impatient. So when there’s… like, mobile device forensics, if you’ve never done it before, then you want to do it, and learn it, the patience level to get to that point when you’re competent at it is probably longer than any of us want. If we can realise that with patience, we can learn whatever we need to learn – want to learn. We just can’t jump over eight flights of stairs; you have to go step by step, to make sure you have a good foundation.
So I think a lot of the mental health, and stress, and burnout – a lot of it comes from [how] we want to do so much, and we don’t have the patience to take it the right way, to go through the reasonable training; we skip basic foundation training, for example, we try to go straight to advanced training, because “I’ll learn the fundamentals later.” And the end result is, you don’t learn anything. And now you’re double stressed out because you’ve wasted a lot of time, and money, and effort.
So I think the best way I could put it is, just being patient. It takes time to get where you want to be. And every one of us knows something more than somebody else, and they know something more than we know, because the field is so broad. So being patient, and realising that everything takes time: I think that can really influence how your stress level can be controlled.
Christa: Do you feel that there’s a challenge – going back to what you were saying earlier about building on the foundation of what you’ve learned and your experience on different cases – do you feel that there’s a bit of a challenge where an examiner might think that, “Hey, I’ve got all this experience in one area, digital is fundamentally the same technology,” and so do you feel there’s a temptation for examiners to jump ahead because they feel like they have a good foundation, but then they find that it may not be what they thought it was?
Brett: Yes. And I’ve done it myself, as well. I think we all kind of do that, because technology… a computer’s a computer, a hard drive is a hard drive, and so you would think that, since I know what this hardware is, in this field, that means I can use my knowledge in another field.
There’s some crossover, but there’s always going to be some things that are unique to… whether it be DF or IR or infosec, whatever, or security… that yes, you can bring some things over, but you still have to have the foundations. So I think by skipping the foundations, you’re doing yourself a disservice. And if you’re an employer, or you’re self-employed, you do everyone a disservice as well, if you’re assuming that you know enough, and therefore you skip the basics.
And basics are hard! When you’ve done this for more than a couple of days, anything that’s basic feels like it’s wasting time, it’s like, my gosh, I’ve already learned this, or why do I have to go through this again? Why do I have to do this basic stuff that I know already? But there’s always going to be something in that basic foundation that you did not know, or did not know as clearly as you should have known. So I think as long as we always stick to the basics as we move across this field to different areas, we bring our information or knowledge over. By skipping the basics, we’re going to be behind, really.
Christa: So it’s like due diligence, basically.
Brett: Yup. It’s every check box. You have to go through it.
Christa: Sure. Yup. So, many of these issues come up for managers – mental health issues in particular are difficult for them in terms of managing stress around budgets, around team dynamics. Workloads and other issues can make it difficult to balance everyone’s individual needs and still maintain either the profitability or the efficiency of their lab. What do you think is the most important thing for managers to take away from your observations and their own learnings, as they go along as managers?
Brett: I think for managers and leaders – sometimes they’re not the same thing, although they should be – I think they have to consider the people that are doing the job that they need to have done, the task they need to have completed. And I’ve worked with bad managers and great leaders throughout the years, and it’s easy to know which one is which; it doesn’t take long to figure out “This is the worst person I’ve ever worked for, and this is the best person I’ve ever worked for.”
So if they have their people in mind, they’ll have a more effective team, a more efficient team; tasks will get done with better care and quality; and you’ll have happier people. So if you have the slave driver, who just wants to get things done, and yelling and screaming, and always criticising, and not considering the person on their team: that team eventually is going to break apart, sooner or later. But the manager, or the leader, who takes their people’s… you know, their personal lives and their work lives… in effect, because everything is connected. You know, if someone’s having a bad personal life, for some reason, it comes to the workplace.
And not being aware of that, or not caring about those things, really kind of disrupts the team. So I think the biggest thing is taking care of the people, because it’s the people that move a company. It’s not a company… you can take a company the size of Microsoft – and Microsoft is a huge company – but really, there are only people in there that are making that company move forward. And you can bring it down to the smallest company, as well.
Christa: I’d like to close, I guess, by talking about DFIR.training. It’s grown by leaps and bounds since you started it three years ago. What’s the plan for the site, and what’s your grand vision for it?
Brett: You know, it’s grown, it’s kind of morphed. I took it over from someone else over two years ago, and I think in the beginning it was like, a news site, RSS feeds. So what I started to do, for my own benefit, was putting things on there that I keep on my own servers, as far as references, resources, and that sort of thing. And I figured, I’ll just put it on a website, where other people can share. [That’s] how I organise it.
Because the internet is… it’s chaos when you’re trying to find something. Google makes it easier, obviously, you can find what you’re looking for by searching. But it’s still chaotic when you’re trying to find a specific thing related to digital forensics, or incident response, with an artifact, or a resource, or a reference.
So the whole gist of it is to bring some order to the chaos by curating these references and trainings. The thing I think is useful and valuable [is] to bring it into the website. So it may not cover 100% of what everyone needs, but I think the plan is that over 90% of what you need will be found in DFIR.training, whether you’re starting from scratch and you don’t know anything, or where to go. Other things would be if you’re writing a report or a paper and you’re looking for some references and citations, you can go to the site and there’s your references and citations. And of course, software as well. There’s over 1,000 software tools, and not all of them are commercial or freeware, but they’re listed just in case there’s a tool that you can’t find, that maybe you can find easily with that website.
So the gist of it is to make it someplace we can go to get what you need for DFIR. And if it doesn’t have it there, it probably has the link to go someplace else.
It doesn’t have a forum, because other sites, like Forensic Focus does that well – so that’s probably one thing it’ll never have. But everything else is there, as it is, and it’s all free to use.
There’s a digital forensic artifact database that I’m working on, it’s kind of in early access mode right now, but in a few months I’m going to release that one publicly, so you can actually search for an artifact. Or if you don’t even know what kind of artifact you’re looking for, you can search for, like, “user activity”, and then there’s a list of artifacts that are related to user activity, you can narrow it down to deletion and so forth. Within that artifact description you have a link to the software tools that are specific to it: references, white papers, that sort of thing, to the artifact.
So for someone who’s learning forensics, this would be one of those things that you could just go, type in your artifact, and everything is just laid out for you, training videos, references, resources, citations, software, to make it a little bit easier.
And if you’ve been doing this for a while, it doesn’t hurt to always… before you’re writing something down in a complaint or an affidavit, to reference a peer-reviewed citation from a forensic artifact database.
Christa: Absolutely, yeah. How can members of the community contribute? I imagine, as a one-man show, you wouldn’t turn down help. Is there a particular way that people can contribute, or anything that you’re looking for in that regard?
Brett: I get emails on what to add, that sort of thing. And people can add their own software through the web page itself, there’s a button to add your listing.
So if there’s software that someone wants to add, they can add it themselves. I get emails on other things to add to it. And some things are on the back burner – I mean, they’re great ideas to add, I just haven’t got to it. So I’m taking every idea to add. So a simple email, if there’s something to add, or if there’s a correction, or something that’s old, outdated, that’s easy enough to take off.
But as far as anything that… if you go to the website, and there’s something that you wish was on it that’s not on it, I can easily put it on it. Just send a quick email through the contact page on the website. If I can do it right away, I’ll do it right away, and if not, I’ll just let you know that that one is actually going to take a little bit more time and take longer to get to. But everything else I kind of put on pretty quick.
Christa: OK, good to know, thank you.
Alright, that about wraps it for our time this month. Thanks again, Brett, for sharing your insights, and thanks to our listeners for joining us. Be sure to share this episode on your favourite social media accounts; follow us if you haven’t already @ForensicFocus; join the conversation on our forums; and let us know what you would like us to cover next.