The DFIR Investigative Mindset: Brett Shavers On Thinking Like A Detective

The following transcript was generated by AI and may contain inaccuracies.

Desi: Welcome everyone to this episode of the Forensic Focus podcast. As always, you’ve got Si and Desi as your cohosts, and this week we’re joined by Brett Shavers who, as we were just saying offline … We’re both fanboys of Brett’s, and there’s a lot of people that were very excited we’re interviewing him.

He is the author of DFIR Investigative Mindset, which is an excellent book if you haven’t got your hands on it, and it’s not too much of a read. So I think, what is it? It’s only 200 or so pages. Yeah, about 222 pages. And I’m still getting my way through it, but it’s a great read. Welcome Brett. Thanks for joining us.

Brett: Thanks for having me.

Si: And we say that you are the author of that which you are obviously, but also the fairly definitive “Putting the Suspect Behind the Keyboard.” And also, and this is one of my favorite and often referenced books, is the X-Ways Forensics guide. It’s pretty much the official manual for a tool which is used in a significant number of organizations across the world.

It’s really a pleasure to have you on and to be able to talk to you about the work that you’ve done. Saying you were old earlier, and I didn’t mean it in any way. I’m so sorry for that. Yes, we are, but I’ve been in the industry for a while then I’ve been familiar with your books for a while, but how did you get into this? How did we start off? Why are you a forensics guru to the rest of us?

Brett: I’ll just be able to keep my head above water like everybody else with the technology. I did undercover work for about a decade, I guess, in US law enforcement, where I was buying drugs and guns, and I bought some humans. I was a hit man a couple times and a bunch of different things for that. And toward the-

Si: I’m gonna ask, just on the basis of this, you were buying these people in real life. This wasn’t a digital “I’m logging into the Black market and buying some drugs.” This is meeting some shady guy in the back of a bar somewhere and asking him-

Brett: Yeah, a bar, a nice boat. Anywhere, parking lot. I’ve bought pretty much anything that’s been illegal, I guess you can think of, and sold probably just the same as well, but where there’s an arrest, not just letting drugs on the street or selling people. But yeah, a lot of those operations and a lot of the criminal organizations that I did were international or transnational, I guess you look at it that way.

So I had a lot of different crime groups, outlawed motorcycle gangs, some Asian crime groups and that sort of thing. And that, the last part of that decade, one of my co-case agents was a federal agent, and he was gone for a few months, and I’m working the case by myself.

He comes back and I said, where you been? And he said, all I can tell you is I’m marketable. And I go, what does that mean? And he had gone to FLETC, which is the computer forensics federal training. And he told me all about it. And I said, yeah, that’s probably a lot better than the job that I’m currently doing because there’s a lot of close calls and I had guns pointed in my gut and that sort of thing.

And so then I started to work my way into that field. My agency didn’t have any forensic unit, didn’t care about it. Budget’s always a problem. So I begged, borrowed, and stole. Took a lot of free training, practiced a lot. I imaged all the computers in my department as much as I could find for practice, and eventually did some cases and learned that it’s a lot harder than I expected it to be.

And a lot more important than I thought it would be. And it got me in the direction that I’m now. So that’s the short story. I didn’t wanna be killed on the street selling things or buying things. But computers, never know. They’ll probably kill us one day too. But that’s where I’m at.

Si: It seems like just not yet a sensible way of preserving one’s existence. I have to admit. But did you have a technical background at all before you came to it, or was it purely through that training?

Brett: I took a BASIC class in high school, so that’s how old I am, when we had BASIC in high school. And that was the extent of it. I joined the Marines at 17. And my wife says I just walked around the woods a lot. So no technical background in the military. It’s just us. So I came into law enforcement, and after seeing what forensics could do, that’s where I got into it.

Desi: And talking about how it’s hard and like you spend a lot of time imaging and getting good at it. We saw your recent blog post that “You Don’t Belong in DFIR.” And I was reading through that last night as well. What kind of- ’cause I agree with it, I like the image that you have on it – DFIR being the tip of the spear in cybersecurity.

And when you do think about it in the context of it being used for law enforcement – ’cause I think contextually it’s bastardized a little bit and used just in general in cybersecurity – but what was the motivation for writing this blog? Was it something that had come up? But it sounds like it’s a long time belief as well.

Brett: Okay. Culmination of people online complaining that it is difficult to get into the field. And I think DFIR, and I always put a slash between both ’cause it is a separation, but it has some Venn diagram in there as well. And I think IR is just as tough, probably tougher for me. I’ve done IR work. I don’t like it. That’s why I stick to the other side.

Desi: Yeah.

Brett: But I know it’s just as important because you have businesses and you have people and families who rely on income from having jobs and businesses. So that’s very important. And it is the tip of the spear in that realm. But you have different types of pressures. You got people breathing down your neck, like literally on your neck, telling you to hurry up.

Desi: Yeah.

Brett: And you’re, and I think it’s even harder because you’re trying to predict human behavior. Like, what is this person trying to do? Or what’s happening? What’s happening right now? And how do I prevent it? Am I gonna miss something? Whereas the forensic side, you’re looking retrospective, historical, the world’s not ending. It’s, and I have this dead image on my desk, so you have more time to be more methodical. So there’s different pressures on both.

So for the tip of the spear, that’s why I really put both in there and I know I wrote the article where it’s more like the law enforcement side, but it really does lead over to both. And I get questions, emails, “How do I get in? How come I’m having such a hard time getting into DFIR?” And I come to the conclusion that it’s really not an entry level job. It’s not something- it’s Indy 500. You can’t expect to take a 40 hour how-to-drive class, and then you’re racing at hundreds of miles an hour. When you get into that car, you have to be able to drive hundreds of miles an hour from that first second, or you’re gonna die.

Desi: Yeah.

Brett: So the point of it is you have to build up your experience and your skills and move into it. But that’s my opinion. It can always be, sometimes there’s luck. People can get in obviously, if networking and-

Desi: Yeah, it’s funny. Like while I was reading this post last night, I was actually talking to a couple of people on LinkedIn that just randomly connect and always are like, “Oh, how do you get into IR? How do you get into cybersecurity?” And I think there’s a cohort coming through now, and this is quite a good blog to get them to read as well, but it’s not an entry level job.

But they think that going and doing a Master’s or a Bachelor’s at university will get them into it, because it’s formal education. But then when I’m like, “Okay, but you wanna get into a technical field, so what have you done technically to hone your skills and get your foot in the door?”

And they’re like, “Oh no. I don’t like doing any of that stuff, but I want to be an IR person.” I’m like, “But it’s all technical at the entry level.” So you’ve done this theoretical Bachelor’s, which is great. I think getting a Bachelor’s is a good thing. But it’s not gonna get you into IR. And I think that’s the gap in some of the messaging, ’cause I think universities are selling that. They’re like, “Hey, you do our Bachelor’s. We have a 90% job success rate for our students.” But they’re probably not saying that the people getting jobs might be getting jobs at fast food joints still when they’re coming out. Like it’s not in IR, the employment ratio is not-

Si: -necessarily directly related to your degree. Yeah. I’m gonna say I was gonna comment similarly and Desi sits on one side of this beautiful field in the IR space, and I sit very firmly, like you, I don’t need the stress of someone breathing down my neck. I don’t need the- I do it, I’ve done it occasionally, but it’s “Oh, this is really critical now where our shareholders are gonna kill us.” And it’s “Yeah, that’s great. I’ll go back to my nice criminal case over here that’s not going to court for another three months. That’s brilliant.”

But I came to this, I was a systems administrator first. I spent literally decades as a security specialist and then got into forensics, and the- I do some defense work now. I do quite a lot of defense work now, but you’re reading the reports and you’re like, “You just genuinely have no idea how a computer actually works, do you?”

You’ve sat the FTK course, you’ve done perhaps a couple of bits of additional learning, and then you’ve made a statement which fundamentally undermines the basis of computing here. It’s like you’ve not read any of Turing’s papers, you’ve not understood the computability of numbers or any of this stuff. And therefore, I’m going to take you apart because you don’t know your stuff. So it definitely is that, and I think the vendors have done us a dirty by- and X-Ways is the one that hasn’t – but a lot of the other ones have done us a dirty by going “Here, click this button. You get evidence.”

Brett: Yeah. I think tools are great, compared from way back when, when we were doing command line, everything, or Norton Disk. It is nicer to have push buttons and I think that’s necessary. But like you said, we have to know the underlying- what is it actually doing and where is this data, how did it get generated, where does it live? Where do I find it? And like you said, I’ve come out of a trial before and the opposing expert came up to me and asked me where did I find these messages on this phone. And in my mind I’m thinking you didn’t find them. It’s-

Desi: That’s a scary thought though, isn’t it? And it made me think-

Brett: At the same time, what else did I miss? Because if they missed it, then I probably missed something too. So there is that level of- we have to know what we don’t know out there as well.

Si: Yeah. And it’s funny ’cause we complain- I complain, I think we complain as an industry, that the disks are getting bigger. And it’s “There’s no way I’m ever gonna look all the way through a five terabyte disk.” And I’ve got cases with 10 terabytes worth of data, and it’s unworkable. But it’s not like I ever sat and looked through a 1.44 meg floppy end to end either. It’s a little bit illusionary that data is ever particularly manageable. So yeah, tools and the search and the question of what is it that we’ve missed is always a thing.

Brett: Yep.

Si: Or misinterpreted. Yeah. I have a great fun exercise with- when I teach, and you teach students, and you give them this piece of material to examine and they go, “Oh, it must have been created this way.” And you’re like “No.” ‘Cause I know how I created it and it wasn’t that way.

Yeah. You’ve written the definitive X-Ways book. How did you get into the relationship with X-Ways?

Brett: Lemme see. I don’t get too much detail on, when I was trying to get into forensics and law enforcement, I was working undercover and I was assigned to a federal task force, and I would sneak off to training and I wouldn’t tell my agency, but my federal task force would send me.

So I’m working cases on the East coast when I’m living on the west coast, I’m doing everything remotely, buying and selling things. I’m having people do arrests for me and I’m looking at software, trying to find software, and one of the ones was X-Ways Forensics. And my partner and I were- this is before there was any training, I think X-Ways version, I can’t remember what version it was.

The first version of X-Ways Forensics had come out and we had emailed Stefan and asked, is there any training? And he said, no. So we said, how would you like to come to Seattle? We’ll pay you to come to Seattle. And so he came to Seattle and he gave a class on X-Ways and it was a 40 hour class, his first class. And there was like no breaks at all. We had a 30 minute lunch. It was something crazy. And so it was really intense. It’s brutal. And watching what X-Ways could do at that time compared to now, it’s just a drastic difference. But at that time it was like, “Oh my gosh, this is incredible.”

And then I go to another forensic training on these calls at FLETC where we get EnCase, FTK, a bunch of other tools, and we get a test image. And we’re all working on the same image, but we can use whatever tool that we want to use. I wanna use X-Ways ’cause I just took the training. I think I like it, right? I got the guy next to me using EnCase, another guy using FTK. That was version I think four in EnCase at the time, maybe five.

And we’re doing data carving. And on my image I’m coming in with a lot of pornography. Adult pornography, not child. Had one of the IRS agents teaching the class walking behind me and she accuses me of surfing porn on the internet, right? The computer doesn’t have internet access, number one. And I said, “This is from your image.” And EnCase and FTK couldn’t find it. We all were trying to carve for it, and I’m going, “Wow, this is neat.”

So it turns out that image was created by one of the instructors, his personal computer, and X-Ways actually carved out a lot of pictures. They grabbed our images and canceled that test for that day. Now I’m sure FTK and EnCase do a great job of the same level of data carving, but at that time, X-Ways was the only one. And we did the whole classroom test for that. And I was like, “Oh, I’m impressed. I like X-Ways.”

And talking to Stefan here and there, I mentioned the manual and I said the manual’s not that easy to read. I guess it’s trying to find how do I use it. His opinion, which I don’t disagree with, is that you should already know how to use it. So the manual is not gonna teach you how to use it. So that’s where the book came. It’s “I need to take a lot of notes here.” And I took a lot of notes and I eventually said it probably needs to be a book. So that’s my X-Ways introduction.

Si: And what version are you on now? It’s only 20. I certainly own at least two myself. 20?

Brett: Wow. 21. And it keeps getting these releases every other week it seems like.

Si: Yeah. That’s true. Yeah. The updates keep coming in. That’s very fair. Yeah. And that’s impressive. You are a prolific writer, both in terms of posts that I’ve seen on LinkedIn and in terms of books. How much time do you actually devote to- I’m gonna say putting pen to paper, the metaphorical thing I’m trying to get at here.

Brett: I could do, I should do more, but not that much daily. It’s usually just an intense moment of, “Okay, let me sit down and get this one done. Let me sit down and get this chapter done in a couple days, or let me write a post tonight.” So it’s more intense work than instead of… I guess more consistent is better, but I’m consistently- I guess I’m consistent at intense work, rather than every day.

Si: And saying that, am I not mistaken that you’ve got another book coming out this year?

Brett: Yeah. Yeah. That should be a really good book. It’s different than I think any other forensic book that’s been written. So it-

Si: It’s Investigative Strategies, I’m seeing driven by the title on your post. I came to this from a very technical background. It is interesting the way the field is split between law enforcement- sorry, Desi, we’re gonna go off on a little tangent here, into forensics. But it’s an interesting split between the law enforcement guys who have come from that detective investigative mindset versus those of us who come at it from a very technical perspective.

And I think we’re both trying to learn each other’s fields. How do you- I’m gonna say, how do I phrase this question would be a good start? What’s your opinion about the necessity of an investigative mindset? You’ve written a book on it, so I’m gonna guess this is fairly important to you.

Brett: I think it’s most important. And I think Desi, one of your shorts came up on my feed one time you were talking about what’s called infinite pivoting or something, and you said something about “Oh yeah, thinking like, if I was a lazy hacker, how would I get in?” I think that’s right?

Desi: Yeah.

Brett: And I thought that’s exactly one of the ways of thinking. Law enforcement does that all the time. It’s if you look at a burglary of a house, it’s “Say, how did this person get in? Well, lemme check the windows. Lemme check the door, lemme check this, lemme check.” So you’re wondering how they got in, and if it’s lazy, maybe the back door’s open. So it’s the same kind of thinking – not to be a criminal, but to think like a criminal or the adversary. That’s one way to think about it.

And I think that’s very important. ‘Cause you can have technical expertise in everything. You can read a SQLite database and know everything. But if you can’t understand human behavior of why somebody did something, or you know the motive, you’re not- you’re gonna miss some things of how- you’re gonna miss some things of the case.

And a criminal investigation obviously, is even more important because you really have to prove somebody did it. Technically, you can say this happened on this machine, right? It happened. Well, in the IR world, that’s fine because we shut it down, we contained it. The business is running, we’re good to go. But on the other side, the forensic side and law enforcement, even civil litigation, it’s “We know what happened, but who did it?” ‘Cause that’s what the whole thing is about. Is someone- there’s gotta be justice. Either someone stole some IP or there should be some justice. Someone assaulted somebody, there should be some justice.

So it’s important in both aspects, but it’s really important on a forensic side. But I really believe it helps the IR side because if you can start to understand how breaches are happening, you can see, “This definitely seems to be like an insider attack because it’s got whatever indicators” or “This one seems to be coming from someplace else,” and you can handle it. Your path is gonna be different when you’re looking at the work because you have an idea of where it’s going by the evidence, not by just guessing, but it’s “This is what I think, let me check. Yep, there’s some clues. I think I might be on the right track.”

Desi: Yeah. And we were saying just before this as well ’cause my, now that I’m in insider risk and insider threat, like the difference between someone external, like from an IR perspective and then an insider, is very subtle in a lot of the evidence, but then there are certain behaviors.

So if you’ve got a baseline of that user, things like their browsing habits – like if their browsing habits on the internet don’t change, it’s more likely to be an insider than someone else, ’cause the persona on the keyboard versus the person… And is the person really gonna know that this guy is really into the Yankees? And searching them on the internet all the time, day by day while they’re doing their job? Probably not. So yeah, like little subtle things like that because I guess some of the stuff that I do now does eventually go to court ’cause companies will take individuals to court for litigation.

Si: Yeah. I’m gonna say it’s a fascinating one. I came up- ’cause like I said, I worked in security for a long time and I remember specifying, against government set standards, but specifying the logging and monitoring that needed to go onto a system. And I get there now and I’m looking at it, I’m going, “Oh my God, that’s not nearly enough to actually point to an individual.”

And I’m coming up against it. I’ve got a case, I’ve got an ongoing case where yes, the guy’s user ID has been used to access something. But because of all of the other, the failure of pretty much every other single control in the rest of this space, there’s not actually a way to pin it on him. Which is a nightmare in terms of security. It’s a nightmare in terms of forensics. It’s just absolutely appalling. And yeah, actually that aspect of “Putting the Suspect Behind the Keyboard” – he says plugging a book quite conveniently – is absolutely critical.

And this is where your book has been fantastic and continues to be, is because of that investigative mindset, that fantastic set of suggestions and ideas and ways of approaching that that you’ve obviously worked on over a long period of time from real world experience. What would you characterize as the main sort of ways of actually approaching that?

Brett: These are hard questions because, and I got some answers, but just as a kind of a background on this mindset. In 2008-ish or so, I was giving a workshop to, was it DFRWS? It was whatever DFRWS and this is that one. Yeah. So way back then it’s a room full of PhDs and I have just a few years of doing forensics full time. And one of the professors in the front row, she asked me a question.

She said, “It sounds like you’re saying everyone needs to have investigative experience as law enforcement.” And I said “No.” And she, and they all basically said it sounds like it. And I go “I don’t think you have to. I think you just have to have the thinking, the mindset to do it.” And she said “How do we teach that if we’ve never done it?” And I said, “I don’t know.” So I didn’t know, honestly.

And for years, and I wrote it in that first book that I wrote, I think I wrote a few pages of, “You have to have the investigative mindset,” but I didn’t really flesh it out enough. But over the years trying to find and research, how do you teach this? ‘Cause I was teaching at different universities and I’m thinking “How do you teach this?”

Other than in law enforcement, you go out in a police car, you have a case, a crime, a 911 call, whatever it is, you become a detective, you gotta figure it out, right? And you learn through trial and error and eventually you become an investigator if you really focus on it. But in this world, we don’t really have that kind of experience or training of, “This is how you think, this is how you handle this evidence.”

So that’s what this book, I think the whole premise of it is, here are the things, the tips of how to think when you’re doing these technical investigations. ‘Cause it’s one thing to be technical. I say technical is easy because you can learn to do forensics on YouTube. If you’re gonna learn a lot of wrong things, you’re gonna learn a lot of old things. But if you know where to look, you can learn, you could pay and have someone teach you “This is the current right way to do it.” So you can do that.

But the investigation part is difficult because how do you get that experience of “I’m gonna go and investigate stuff.” I can’t. Because how do I do that? And if I have an image, how do I know human behavior? So there’s not much training. And I know we talked about vendors before, push button tools, and there’s been complaints about vendors need to teach forensics. They need to teach these things.

And I disagree, because if I’m gonna take a class in X-Ways, I’m gonna spend three, $4,000 on the tuition and a thousand for travel and all the other things, and if they spend a day or two on “Let’s talk about human behavior. Let’s talk about psychology, let’s talk about…” I’m gonna say, “Look, I just need to know how to- where’s the button at? Where’s that right click gonna take me? Where?” So I think the vendors have to teach their tools because we’re paying them to teach their tools, but we’re missing that other part.

And with the college education, they don’t typically teach that either. You may have a critical thinking class as an elective or maybe some critical thinking within a class. And critical thinking is just one aspect of an investigative mind. That’s just one thing to look at. It’s like an umbrella and there’s that, you got a bunch of other things in there, biases to deal with. And so I think that’s what this book came about and I wrote it, 200 something pages and it took a while to condense this topic into something that’s easy to read.

So my point was you can read it in the weekend, you can go through it and if you’ve been doing this work for a long time, you can say, “You know what? I’m validated in a lot of the things I’ve been doing. I feel better, more confident. And I learned a couple things.” And the other side of the coin could be, “Wow, this is the way that I should be considering to think. I didn’t know I had these biases.” I do have, ’cause we all have biases, and now I know how to mitigate it. “I know how- I’m not a detective, but I can see how that works.” So I try to make it a readable, entertaining kind of thing, but also important, I guess useful. A useful book.

Desi: Yeah. Yeah, because I’m still like reading this book. I’m still early, like less than halfway. And it definitely- you could breeze through this in a weekend for sure. What I find myself doing is actually read a chapter and then I am like sitting in my office lost in thought, thinking about what the chapter was, and then I end up, and then I go, wait, I read something in that chapter, and then I go back and I can’t remember where it is. So I’m rereading chapters, which is, this is the first book that I’ve done that. Normally I’ll, like, when I think about I-

Si: I want this noted on the record, Brett, you’ve made Desi think.

Desi: Oh, and I love- because I really love- I’m very passionate about education. Like I’ve worked at an education company before for gamified cyber learning. I think that’s fantastic. I think that’s how a lot of people should learn. But then there still is, like you said, the gap between how do you teach someone to investigate when it’s outside of the cases that you are teaching. That is, I think, the key point.

I can teach someone to do an image and a case and go, “This is this case,” but then it’s still a very large leap to then let them do their own case on something completely different and then go, “Okay, I need to not only apply all the technical skills that I learned and learn new technical skills if there’s new data I come across, but then also think about how to investigate that whole case by themselves.”

And I was very fortunate coming up that I had really good mentors. And I feel like that seems to be the key way for a lot of people to get into this field, which is probably why it’s not entry level, because you need the aptitude to learn off people when there’s so much uncertainty in getting this skill.

Si: Yeah. I’m gonna say I’ve been very fortunate, in the same as you, as I’ve had excellent mentors. And one of the universities that I work with – and Desi, you’ve spoken to her as well – Ms. Sarah Morris has worked very hard on putting together training scenarios, which are reflective of the real world in terms of investigation. If not, obviously none of us wants to do CSA cases as part of our training, but we’ve created this sort of training scenario that is set in a fictional world that has its fictional criminals and its fictional things in order to do that.

And recently she ran a crime scene simulation where they had to go in and actually look for stuff. And astonishingly, some of the students didn’t get it. They didn’t understand that this is about investigation. They just wanted the hard technical stuff. They didn’t see the point of all of this. And it’s such an all-encompassing field that we need to be looking at what the requirements are in order not only to prove a case, but to make a point, but to investigate, to find out, look for additional links, look under the- lift the keyboard up and see if the post-it note is there with a goddamn password on it.

Because we’ve all spent- I remember this years ago, it was like I got a device sent to me and I was like, do we know what the password is? And they were like “No, we haven’t got a clue.” Open the device – 1, 2, 3, 4. And it’s “Yeah, okay, fine.” Let me in straight away. But the point is that if you have no concepts about things like, what are the most popular passwords? What are the likely human things, you can’t start to do any of the technical stuff if you can’t get into the damn device or haven’t found it in the first place.

So yeah, it really is a hugely important aspect to build this mindset. And it’s funny because I came from originally a computer science background and I studied artificial intelligence as well, which perhaps is my redeeming feature. ‘Cause I had to wonder a lot about how things think.

You don’t ask these questions in computer science. You look at algorithms, you look at data, you look at normalization of databases, you look at programming languages and whether you can put them down into BNF form and all sorts of stuff like this. But you don’t actually look at people, and we forget – and I’m gonna say we – we forget that this is what this is about. We are not looking at computers, we’re looking at what people do with computers, whether it’s IR or DF.

Brett: It does come down to that. I think one of the concepts – I think that if I tell one person one thing to do this job better, is to look at the computer and the data as if a person did it, right? Every action, a person did it, even if it’s malware, someone wrote it to do something. So everything goes back to a person.

Technically, we look at things like the end point is the machine. That is our end stop. We’re going all the way to the wall of the drive. This is the end of the drive. This is the end of our case, but it’s not. Somebody touched it for a reason and they touched it somehow. And I think we’re looking at, we’re investigating a person. We’re not investigating a computer, we’re not investigating a smartphone. A person touched this, a person handled it and the person used it to commit a crime, whatever it may be.

And I think if you have that perspective and that mindset of “I’m looking to track a person down,” even on the IR side, I think especially because you’ll never find those people usually. ‘Cause it’s somewhere else. But to have that perspective, I think makes a big difference. And I brought that back from doing undercover work, buying drugs and let’s say, cocaine, for example. When I looked at cocaine, my thought process is I know the whole process, manufacturing process, the smuggling process. I know how people use it. I know how much money they’re making from it. All these things about it.

So whenever I would see some cocaine or buy some cocaine, in my mind is, I know the people who were stepping on the leaves, the kerosene, all these things. I know how it got there, and that’s how I would approach all my cases of knowing more than just “I have some powder in my hand.” It’s more than that.

A computer’s the same, it’s more than a smartphone. This thing was used to victimize a dozen people. This computer was used to victimize a thousand people. So who did that? Or what group did that? And thinking like that, then I think you can start to crack that wall of technical expertise by saying “I’m just gonna use these tools to get to that person,” right? Instead of, “I’m having fun using these tools. Oh, look what I found. I found this deleted file. This is great.” I say that’s great, but what sense does it make?

And I know on the law enforcement side, one of the differences compared to, let’s say a computer science graduate who doesn’t have any experience. On the law enforcement side, it’s more like, “What evidence do I need to prove this case, right?” I got 10 terabytes of data. Do I need 10 terabytes of data? No. I need the evidence within that 10 terabytes of data to prove that somebody did it, that somebody legitimately did it. Whereas on the computer science side is “I wanna learn everything I want to. I’m gonna break apart everything I can and I’m gonna have a 500 page report and look how good I am.”

And yes, it is a hundred percent technically accurate, better than what the law enforcement guy could do, right? Because the report’s a stick compared to this tree. But what is more important for the case? IR is the same. You can go through the whole network and you can map it all out and say, “This is what we got and I got all this stuff.” But the answer that the C level employee, the executive level is, “Wait a minute, is it fixed or not? I just, is it fixed?”

You know what I’m saying?

Desi: Yeah. It’s a lot of the time, ’cause like most organizations will just wipe their network when the investigation’s done and restart. But it’s that risk versus reward of if we spend more time investigating, what are we gonna get out of it? And if your answer is “Not much,” then it’s “Okay, investigation’s ending, we’re resetting the network,” right? And then we’re going from there. So it’s that- it’s always that balance and yeah, it sounds the same in DF.

Si: The interesting thing in DF is actually we gotta remember who our end client is. And yeah, it’s not actually somebody who has the foggiest idea of what you’re talking about. The end client is a jury. And a judge. And I’m not gonna be rude about judges ’cause I’m gonna have to stand up in front of some of them, but juries definitely don’t know what you’re talking about. And you’re going to be presenting incredibly complex technical ideals and ideas. And if you’ve got a 500 page report that details everything, you’ve lost them from the outset. You need to be succinct and to the point and about the things that are critical in there.

Brett: Yeah. That’s the other major point is I don’t think we teach enough to convey information that people can understand it because it’s ego, I think, is the thing where “I’m smarter than everybody else in this room and I’m gonna prove it.” Where if you’re really smarter than everybody else in the room, then you want to make everybody else just as smart, right? So they can understand.

And I’ll give you an example. I was in a federal court. And the crux was on backup tapes, right? And I’m not an expert on backup tapes, I know what a backup tape is, and that’s how they work and sort of thing. And so I go on the stand and I give my spiel on my perspective on the backup tapes in this case. And then the opposing expert goes up and she gives her spiel. And it’s really technical and I’m taking notes because I’m, “Oh man, she’s killing me. She really knows backup tapes very well.” And I’m going, “Okay I’m gonna be called on this one, I’m sure.”

And the judge had stopped her midway and said and asked her a question, and she gave this long convoluted answer, and he asked her again, and he asked her a third time, and she kept giving these long answers. And he turns to me in the back of the courtroom and he said, “Can you explain to me what she’s saying?” And I said, “I think she’s saying this.”

And I asked her, “Is that right?” She goes, “Yes.” And he says, “Okay, now I got it.” And I thought, “Okay, this is a good day.” And so, the technical part is important, but like I said, if you can’t help the end client… And I think the end client goes all the way back to the victim. Whether it be a business-

Desi: The business. Oh, yes.

Brett: Yeah. Or it could be a falsely accused or who knows. Even the defendant could be a victim, if it’s a false accusation, that sort of thing. So we don’t have to explain to the victim. We gotta explain to the court, or to our C level and different things. So some IR should be a criminal investigation because if it’s gonna bankrupt the company, regardless of what you do, well, you might as well go all the way and get some justice out of it. So conveyance is, I think, a big deal that we miss.

Si: Yeah. Yeah. And again, in the technical scenario, one of the things that isn’t taught particularly well, generally speaking, is report writing. They’re told the technical details, but not how to construct that into a sentence that actually makes sense. So definitely want to watch-

Desi: I am not sure whether it’s structured the same way in DF for you guys, but I find, like when I came in and kind of the entry level job, it was very much like the focus on the technical and getting all the information and then putting that technical information into a report. But then it’s not until you hit like the principal level, which is like three, four levels above the entry level, that they then start to teach the skills to go, “Okay, now you as a principal, you need to convey that to C-Suite who have no idea what you are talking about.”

And why is it that you wait like those five, six years until you hit that level that you’re starting to do that? Like they don’t, and there was no education pathway when I was doing it. But even, I think technical training now like we’re saying it’s starkly missing on how to write a concise report in DFIR.

Brett: I think part of that is a lack of peer review in a private world, private sector, especially. In a police world, the patrol officer writes a report. It goes to a sergeant who approves it or sends it back, and then it goes up the chain into the computer and eventually goes to a- if it goes to trial, a prosecutor’s gonna read it. The defense attorney’s gonna read it, the jury’s gonna hear it.

All those things happen, and after a police officer goes through one of those, if it goes to trial, and then the report’s being read and torn apart, that’s probably the biggest lesson of how to write a report after you’re getting smashed on the stand of “I’ll never write that way again.” And you learn that way.

Desi: Yeah.

Brett: On the private world, it’s you write a report and people- I’ve seen it. People will read it, and I know, and they’re looking at it saying, “It’s not really that good, but I don’t care. It’s not my report.” And they’ll send it off and there’s no feedback. And I think if we have more feedback or some- and I think I wrote in this book as well, is some peer review is always a good thing. Show it to your buddy.

Si: Yeah.

Brett: And like on the book that I’m writing now, it’s a completely different book as far as how it’s written, but I asked my tech editors and beta readers to kill it. If it doesn’t sound right, it doesn’t read right, if it’s too difficult, it is worthless material, so beat it up. You won’t hurt my feelings. I’ll cry in the corner later, but-

Desi: I think I’ve shared this story before, but, and like talking about peer review, and I think I’ve shared this to you Si as well, but I had a very good mentor in my first job. She was an amazing boss and now heads up one of the biggest cyber teams in Australia. But she- I wrote this report and instead of giving me any initial feedback, she sent me a meme back, and it was the 1970s film of Godzilla where it was like the prop set was Godzilla in a cart on its side, and then the caption on the meme was like, “Your report was so bad that you gave Godzilla a stroke.”

And that was my initial feedback from my first ever professional report and I was just like, “What is this?” And she was just like, “We’re having a meeting to discuss your report writing.” And it was good. Like I honestly, my reports got much, much better after that. But it was very astute feedback.

Si: Yeah. Yeah, my wife is a project manager and she deals with comms a lot, dealing with from the people at the bottom to the people at the top. And if I ever give her anything of mine to read, it comes back with comments like, “Why isn’t there a full stop for three paragraphs? Why do you not understand punctuation?” And I’m like, “It’s been proven that the longer a sentence is the more intelligent the person writing.” She’s like “No. It doesn’t work. Just, it’s too long. Put some fucking punctuation in.”

Brett: My first private sector report was- I got an IP theft case. And the attorney is in New York. I’m on the West Coast. He’s on the East Coast. And I did a police report basically on this forensic exam and I emailed it off and the attorney called me maybe 10 minutes after I emailed it, and he’s dropping a lot of F bombs and it all came down to “Did my guy do it or not?” And I said, “Yes.” He goes, “Just write that.” And I learned, I guess that’s what they want is “Did they do it?” Yeah, the technical goes in the back. Just give the answer upfront.

Desi: Yeah. So I think like we’re coming up to the hour now, but what is your feedback for people? Like you said, you get the question all the time about how do I get into DFIR, and my recommendation is I think some technical training, like your book. I recommend a lot to people even in the space that have been in a while. But what is the answer that you give to the people that reach out to you quite a lot?

Brett: You must be technical. You have to be technically proficient. You have to be able to do the actual technical work. And I’m not to rely on- not to bash a vendor training for a tool training, you have to have tool training, but you have to have exact training on “This is what the registry is, this is how you pull the-” you have to have that information first. The basics. You gotta have the basics, you have the fundamentals. And a lot of people wanna skip that.

There’s a lot of cert hunters where “I’m just gonna get the cert. I’m not going to even take notes in the class. I’m just gonna pass.” There’s so many classes you can take. You’ll get the cert ’cause you showed up and that doesn’t prove you learned anything. And you put it on a resume and it makes hiring bad because now you’re hiring someone who doesn’t really know what they got the cert for. Technically proficient is probably the number one thing. And then second is this part, the how do I work a case? And I know IR doesn’t really look at it like casework. “Hey, we have an incident.” It’s actually a case.

Desi: Yeah. You, the process…

Brett: Is the same. Here is our problem, right? What is our objective to solve this problem? What tools do we use to solve this problem? And how do we wrap it up? So we have to have that mindset of how do I work a case, right? And with the people, there’s someone who did it, a group did it, a person did it, whoever, accidentally or on purpose. You have to have that secondarily, but you have to have it.

And I think they’re both important because you can hire a technically proficient person, but it’s not gonna do the job. It’s “Oh, we keep getting these reports of data. Now we gotta look at what you did and figure out what it means.” You wanna have people who can do both. And I think you have to do both. And I don’t believe one is- you can be stronger in one than the other, obviously. But if you can solve the problem, if you can have a law enforcement person who doesn’t have a computer science degree, but they can solve all these cases at a less technical level, but they solve ’em quicker, faster, cheaper, more accurate, then that’s great.

You can have a technical person who doesn’t have the law enforcement experience, but if they can jump in, ’cause they know where the data lives, they understand, they live and breathe it, like it’s almost born into a computer almost. And they can quickly get it that way. If you have those two, that’s all you need. It’s just that don’t skip these things.

If you think- I’ve talked to a lot of people who say “Oh I know enough how to investigate a case.” For me, there’s not any really investigative training for thinking. I’ve taken a lot of investigative training by title, like homicide training, homicide investigator, narcotics investigator. And almost all of ’em are checklists. I took a blood spatter class, right? And it’s “Here’s the ruler, here’s this and laser, and here’s what it means.” And I equate that to a tool vendor training where it says if you see a pop up, you click B, and then you’ll get your answer C.

That’s good technically, but what if it’s Z? Where’s my answer to that? We have to teach: if you don’t see that, well, you’re gonna have to use a strategy of thinking rather than tactical skill. So to get into it, I think you really have to have both. Start with the technical, because if you can’t- if you can’t pull a registry, it doesn’t matter how good you can investigate. But if you can pull a registry, you still have to know how to investigate. So don’t skip it. You gotta have it.

And don’t expect to be given- I can’t imagine an organization hiring somebody new and handing them an IR incident that could bankrupt the company or lose millions of dollars. That’s not gonna happen. Same with the criminal defense case. You got a guy facing murder, maybe he’s innocent, and you give it to somebody who doesn’t know technically- the guy might be convicted. You have to have both.

Si: Yeah. Yeah. I still worry, even when I get cases now, I’ve got 10 years’ experience. I’m like, “Do I know enough to do this?” It’s like that?

Brett: Yeah.

Si: I totally get that. And it’s the appropriate leveling of resource. But I think you said something very interesting, which is actually collaboration is a huge tool that we don’t leverage enough. Which is that, if you are in a position to be able to leverage an investigator and a technical expert and stick ’em together in a way that makes them work, I think that’s it. And I think that’s one of the great things about DF actually, is it’s the fantastically friendly and compliant community that we have, that people will step up and go, “Actually, you know what? I’ve seen this.” If you ask a question, people will say, “I’ve seen this before. This is where you need to go.” So yeah, I think there’s some really good things that can be taken away from that.

Desi: And you touched on there as being the fundamentals of the technical side, like of knowing a registry and stuff, and then on the investigative side. And that’s a really interesting point. ‘Cause when I think about IR, it does case management, I think in general, very poorly. And that would be a fundamental skill of that.

Could you think of – other than like setting up an appropriate case management system of like how you store the data and how you- when I think back to my IR days, like the amount of times that we weren’t probably storing the evidence just in case…

‘Cause I think some of those could have turned criminal and they would’ve come back and been like, “Hey can we get a more detailed report on this?” And we didn’t have images or that kind of thing. Like what other kind of fundamentals can you see on that side of the house that IR- and DF, I think DF probably has it down pat, but what are those that IR could think about?

Si: Yeah, I dunno. So I just think you guys are like, got it sorted. But maybe not.

Brett: One of my frustrations with IR work is- here’s a big difference with IR/DF. In digital forensics, you get what you get. It’s here’s the evidence. It is what it is. Maybe it’s corrupted. Maybe it’s all these different things, right? You get what you get.

With the IR world, before something happens, you can set up everything to collect whatever evidence you want, right? It’s like “We’re gonna set this up and if something happens, we know where the evidence is gonna be. We got these logs set up, we have all these things set up.” So then it becomes a forensic exam. Now we have perfect evidence because we designed the capture of the evidence of what we want.

The DF guys, it’s like a criminal case. It’s “This is the computer that was in the back of the trunk of a car, and that’s what we got.” And the IR side is “This is our system and we set up everything and we can capture what we want. We can ignore what we want.”

So if you’re looking at it like “Just in case something is gonna be criminal we might want to prepare a little bit,” right? So that makes DF guys really happy. If they’re coming in after the fact of an IR that becomes a case, a criminal case or a civil litigation where the DF comes in, they go, “Wow, this is nice. You guys have everything preserved, set up as if from the start you were prepared for this.”

And it’s “We weren’t really prepared. We were prepared for it, we’re hoping it didn’t happen, we got it.” But I’ve walked in where drives are being wiped on a legal case. And the IT guys were saying, they’re doing me a favor by cleaning everything. I’m going “No. That’s not a favor.” So I think having the ability to set up the evidence trap, I guess that’s what I would call that – a trap to catch evidence, I think is the neat thing in IR.

Si: I think there’s one stage more than that, that IR has over us, which is the opportunity for continual improvement. Because I was gonna say, I’ve worked in security, stuff happens all the time. Okay. You got hacked today. That’s great. You’ll deal with it. You’re gonna get hacked tomorrow. It may be one week, it may be three weeks, maybe three months, but it’s gonna happen again.

You know that you’ve got lessons learned from that, that you can take back and you can reply. We are not gonna get the same murder twice. Yeah. It just doesn’t happen. So you can’t go back and apply continual improvement and say, “Next time what I really want you to do is capture this.”

Desi: Yeah. I love how you guys have this perfect image of IR, and I had this perfect image of DF because, and I think maybe this is a lesson that people can take away because I’ve walked into cases where you’ve got this thousand plus endpoint network and you’re trying to track this adversary through the network and they’re like, “Don’t worry. We collect all of our network logs and it’s everything there.” But then you realize they’ve got, I won’t name the vendor, but there’s- and probably all vendors do this anyway, but they’ve got a particular edge device that is collecting all these logs, but all it does is it collects the external IP and then it maps external IP to an internal IP and then puts that to the endpoint. But there’s no translation log because it’s not turned on by default.

So then you are like, “Okay, all of the logs are now useless.” ‘Cause they don’t know which end IP maps to the internal IP. ‘Cause they have no logs for the translation. And I guess that’s the lesson learned. And the lesson learned is if you want to set all that stuff up, probably run through a scenario of someone breaking into your network and going, “Hey, can we get- can I actually track this through the network?” But it is funny that we all have ideas that we’ve solved all our problems on the other side of the fence.

Si: But the moral of the story actually is that war gaming is good.

Desi: Yeah.

Si: Running through a test scenario which you’ve set up will start to highlight some of the areas where your procedures are weak. Not all of them. You will learn the particular areas that are weak the first time it’s used in anger. But genuinely, war gaming, trial runs, practice runs are very important.

Yeah. I think we have come to the top of the hour now and I just wanna say again Brett, it’s been an absolute pleasure talking to you. And again, huge fan. I have your books and I will continue to get your books because they are such good quality and good value and I recommend them as Desi does apparently. Which is fantastic news. Just to say to all of those who are listening today, thank you very much for listening to the Forensic Focus podcast. We really appreciate your custom, loyalty, I don’t know, pick a word, but coming and listening to us anyway because we thoroughly enjoy doing it.

We get to talk to people who we admire and have the opportunity to learn. And we hope that you pick up some things from this too. You can find the podcasts available on all good places that you can find podcasts, of which are a list. If you’ve ever listened to the podcast before, you will know I cannot remember or recall in any way, shape, or form, but probably include Spotify, iTunes, and other sources of stuff. We do have actually a YouTube channel.

Desi: You can actually get the list, I saw, from our website. So if you check out our website, I’m pretty sure the list is there so you can link out to everything from there.

Si: Brett’s books are available from all good booksellers, Amazon, etc. They are available in Kindle, I believe. If you do not wish to buy a paper copy, is that correct or am I talking out? Except for this one?

Brett: Yeah, except for this one, which is fair enough.

Si: But I would thoroughly recommend the paper copies. They are very high quality print and are definitely pocketable and carryable to a location of your choice to read on the beach, in the car, in the pub, whatever your preference is. Brett, thank you so much. Desi, a pleasure as always. And we will call this recording a recording. Thank you very much indeed.

Brett: Thanks.

Desi: Thanks everyone.
