If there were a Mount Rushmore of people in DFIR, this person would be on it.
He has been in the scene for a long time and runs the excellent resource https://www.dfir.training/
“All things Digital Forensics/Incident Response, DFIR. Software, hardware, training, education, white papers, blog lists, social media contacts, service provider directory, books, jobs, Wikis, forums, digital forensics artifacts, and more. All resources FREE.”
You started off in the Marines and then joined the police force, and I am interested to find out how you made the transition to Cybersecurity/DFIR?
The transition wasn’t easy. I had been working undercover for almost 10 years in more cases than I can remember. I was traveling all over the country and out of the country assuming undercover roles as a drug trafficker, arms trafficker, human trafficker, hitman, and money launderer. Most of the operations were fairly safe, but some were quite hairy as I was hanging out with outlaw motorcycle gangs, heads of international criminal organizations, and people who killed people. I even had some “T” cases, which, if you know what the “T” means in the intel community, means things get even more out there with the type of work…
At the same time, I was a SWAT member, which when combined, took up a lot of my time and looking back on it, I was in the line of fire more than most in law enforcement.
All the while with a wife and kids who didn’t see much of me at home…
Then I heard about “computer forensics” from a federal agent who I was working a case with. After listening for about 10 minutes, I decided that this was something I wanted to do. My police agency did not have any forensic duties and didn’t want any part of it. As I was assigned to federal agencies full time, I took advantage of as much forensic training as they had to offer, sitting in classes for almost a year in total, again, all over the country being taught by lots of federal agencies and vendors.
It took more than a year of training and convincing detectives to let me examine devices in their cases before my agency decided to agree to adding a forensics duty to my list of assignments. Even then, there was no budget for anything and luckily, due to federal grants and training, my agency benefited. However, I was still full-time assigned to federal agencies working international cases and the forensic work was taking up a lot more of my time.
So, I guess in short, I finagled my way into government training, paid for more training out of my pocket, and persisted in creating a forensic capability in my agency to the point where my agency had enough of me pushing that they finally gave in. Lots of effort. Lots of rejections. Lots of time spent. Lots of my own money spent. But in the end, my former agency now has full-time examiners that started in a small, utility closet with donated computer gear. And after 15 or so years, I left law enforcement to do this work full-time.
How have you seen digital forensics change since making the transition and how do you see it changing in the future?
I came into digital forensics in the very early 2000s. At that time, the GUI tools were starting to mature, but I was still using a lot of command line tools too. Everything was “pull the plug”, and looking back on it, we really didn’t know that much!
As we have learned more about forensic analysis and our tools improving constantly, change is inevitable. If we are ever stagnant in training or processes, this field will fail. Imagine doing this work like we did in the 90s! I can’t wait to see the changes in the next decade!
You run the site https://www.dfir.training/ which I love, how has that come about and grown over the years?
I started to manage this site some years ago when it was mostly an RSS feed and software list. I was using it mostly as a resource to keep me organized, but changed it from the original site to fit what I needed.
And I kept adding information to it that I would come across, like software that I would use or new software that I wanted to use. I added training events and more resources and eventually the traffic became so heavy that the site would go down from being overloaded on the little hosting plan that it had. The hosting has been upgraded quite a bit since then, as some days see over 10K unique visits! Last year was 40K downloads on the site, so it gets quite a bit of use.
I am happy to see that dfir.training is one of the resources used by many alongside other great sites like forensicfocus.com, aboutdfir.com, and dfirdiva.com and with sponsorships.
Does it take up a lot of your time?
It did take up a lot of time in the beginning. Now I have help, which is nice, but I still check every page and listing to make sure the information is as correct as possible. Not long ago, I began accepting sponsorships from vendors of well-known tools, which helps justify the time needed to run the site, and because of that support, I foresee it staying around even with the site passed forward after I inevitably leave DFIR. That won’t be for a while though...
You are the writer of several books, any plans on the next one, have you started to work on it already?
I just started two books this year and plan on both being published next year. One book is a second edition of my first book that I published in 2013, Placing the Suspect Behind the Keyboard. When I wrote this first book, I generalized a lot of forensic work in order to have a book that helped someone work a case from start to finish. With the second edition, I am going deeper into casework and forensics, using more tools and processes than I did in the first edition. This will be “the” book to start with in working investigations that involve electronic data, which will have so many tips and investigative methods that anyone who is stuck in a case can be inspired with it. The intended goal is that this book is the reference book in working cases, like a guide of what to do first in a case, then next, and then close the case.
Around the same time that I started this book, Mark Spencer of Arsenal Recon spoke to me about a book that he wanted to write. I turned him down several times until we got into details of his book. After this one conversation, there was no way that I could turn it down. This is such a difficult book to write as it is unlike any other forensic book that I’ve read. When the book gets more finished, more information about it will be released, but for now, all that I can say is this book will be a great one in many unexpected ways.
When I first started in my role at Sophos, I was desperate to learn everything NOW, and in doing so I think I hindered my actual learning, which gave me a few months of really bad imposter syndrome. But I heard a podcast with you on it, speaking about being patient and not trying to get ahead of yourself, and that was good advice at the time. Do you think the mental health side of things is spoken about enough in Cybersecurity/DFIR?
Most of us in this field are impatient, and I believe that this is a good trait because you want to get things done and not waste time. But it also tends to make us want to skip the “easy stuff” so that we can get to work on the harder things. Unfortunately, skipping the easy things makes the harder things impossible to do well or do at all. We must remember that we must learn to crawl first, then walk, and then run. If we do it correctly, we will become highly knowledgeable and skilled, and we will have long careers. If we try to run from the start, we’ll have lots of mistakes and end up with a short and frustrating career.
I have been seeing mental health being a topic recently, and fortunately there are presentations on this topic at conferences now. I am not a mental health expert, although I do have training in it and have experience dealing with 911 calls of mental emergencies when I was in police work. I am fully aware of the devastation mental stress and mental illness can have.
In today’s world, I believe maintaining good mental health is important and difficult in overall life, not just in this field. If we can accept that mental stress is normal and that mental health requires self-care and sometimes professional care, we can deal with it and help others deal with it.
I wrote a blog post on burning out in 2018 that still applies today (https://brettshavers.com/brett-s-blog/entry/only-race-cars-should-burnout). The most important tip in the blog, in my mind, is that if someone tells you that they are at their limit, believe them. Too many supervisors and friends will blow these comments off, only to regret it later because they could have done something to help the person at the time. This also means that if you are admitting that you are stressed, burned out, or on the edge, you have just made the most important realization that you will accept help.
If the person or organization that you asked for help doesn’t, go to the next one.
What do you think is a good path into DFIR? Are there any skills you would recommend learning as fundamentals?
The best path into DFIR is the path that fits the person wanting to get in. My path was that I had several near-death experiences, and a few ‘almost got kidnapped and killed’ experiences in undercover work, so I had to create a path that didn’t exist. I had no college degree, no computer experience, no spare time, no spare money, and no mentor or guidance. I had a dozen other obstacles. It was tough and a long road!
Others may have easier paths. I know of many in law enforcement who simply applied for the positions that were already created in their agencies. Once selected, they had all the training and path cut out for them. Their only hard part was being selected (and of course learning the trade!).
It all depends on what one is willing to risk and the effort to put out. Either you make your own path, somewhat like I did, or you follow the path of another. Following the path of another could be getting a college degree in a DFIR subject, doing internships, and applying for jobs. This path is already available for those willing and able to do the college route. There is a military route, which comes with its own risks and rewards. There is a law enforcement route, again coming with risks and rewards. And there is the ‘make your own path’, whatever that turns out to be.
It has blown me away, and still does daily, how welcoming the DFIR community is and how much they will help each other out. Has it always been like this, or was there a change at some point?
In my experience, it has always been this way. In one sense, this is good, but in another, some get spoiled by it. The goal of true DFIR is placing the suspect behind the keyboard (Book plug! Ha!), and I say this with sincerity because those wanting to do DFIR work are those who want to solve problems that almost always involve a victim. The victim can be a business or a person. Sometimes, the victimization is the worst that can happen to a person and other times it may be a purely financial cost to a business.
We tend to believe in justice and lean toward being the protectors in society. DFIR is just a means to that end. Protectors help others. So, when people want to join in your effort in the DFIR community, the natural response is to be welcoming. You could look at it that there is an army of DFIR folks fighting a battle and when someone wants to join the battle, they are certainly welcomed in.
Going back to my comment of being spoiled, I have a concern that some misinterpret the openness to help others as meaning that others will do the work and learn for them. I have seen some simply wanting a DFIR job without wanting to put any of the effort needed. This is a difficult job. It is difficult to learn, difficult to get a job, and the actual work is difficult. Without putting the effort in, it is an impossibility to get in or stay in.
One thing to remember about DFIR is that there is zero room for error. You must be right in your analysis. Otherwise, the wrong person could be found not guilty and will continue to victimize others. Or just as bad, the wrong person could be found guilty and lose their liberty for years or even their life! Or a business could be wrongfully bankrupted.
This is a serious business. The work can be exciting, but we can’t fool ourselves that we can be lazy, negligent, or reckless in our skills and work because the effect on others is awesome.
If someone came to you and said “I want a job in DFIR, I will start looking in 2 years. What can I do and where can I go in this time to be ready?” how would you respond?
The first thing I always suggest is to find the specific and exact job that you want to work. If you do anything other than that, you will double the time to get a job, learn all the wrong things, and might get a job that you really didn’t want simply because you didn’t know what you wanted.
Once you find the job title, then the path becomes clearer. There is a huge difference between the “DF” and the “IR” in DFIR regarding the actual work and jobs. Within both DF and IR, there are many different jobs that do different things. Once in DFIR, you can see the differences as if it were as clear as the difference between a Police Officer and Fire Fighter. Both jobs are First Responders (i.e. “DFIR”), but totally different in training and daily duties (i.e. “DF” and “IR”).
An analogy would be wanting to be a doctor or mechanic. Wanting to be a doctor is vague. Wanting to be an eye doctor is more specific. Wanting to be an eye doctor in the Navy is even more specific. From there, work the path backwards.
I have spoken to college students about their career desires and after the conversations, they found that they chose the wrong program. I’ve spoken to some already working who realized too late that they thought they were working toward what they wanted but were on the wrong path. Many wanted a DF job but took an IR route without knowing it.
What are the plans for the rest of the year and into 2023?
Lots of things! Two books are a priority to get done, and big changes are coming to the www.dfir.training website too. There is some research that I may release publicly next year, depending on where the research takes me over the next months.
Most importantly, I plan to enjoy life and make life enjoyable for those around me. I think we all should do that.
Be sure to check him out at all the places below 🙂
- DFIR.Training website = http://www.dfir.training/
- DFIR.Training Twitter = https://twitter.com/DFIRTraining
- DFIR.Training YouTube = https://www.youtube.com/c/DFIRTraining/videos
- DFIR.Training Facebook = https://www.facebook.com/dfirtools/
- DFIR.Training Instagram = https://www.instagram.com/dfirtraining/
- Brett website = https://brettshavers.com/
- Brett Twitter = https://twitter.com/Brett_Shavers
- Brett Instagram = https://www.instagram.com/brettshavers/