10 Ways to Ruin a DFIR Investigation (Fighting DFIR Monsters)


Published Date
July 31, 2019

Only 10 ways? Probably a lot more. But these are the top 10 that I have seen (some that I have experienced!) that can make a DFIR case go in a direction that you rather it not go; downhill!

  1. Collection

If the data collection is “wrong”, the analysis only goes downhill from there.  The many ways that “wrong” can go include: Failing to reasonably protect the data, not collecting the relevant data, not safeguarding the data, altering the data, or using inappropriate data collection tools or methods. Anything that can taint the collection that is unreasonable adds to the risk of ruining an investigation.

Tip: What is reasonable in one situation may not be reasonable in another, so case specificity is important to articulate when anything strays from a perfect collection. Also, not every collection is perfect, because every situation is different. That means a change in how data is collected does not necessarily make it unreasonable.

  1. Plan

More aptly defined as ‘not having a plan’, or ‘having a bad plan’.  If your DFIR investigations are run by winging it, without having a plan, your risks are extremely high in making errors that can be avoided. At a minimum, have a flexible plan that addresses identification of electronic evidence through analysis of relevant data.  An example of a ‘bad plan’ is to preemptively decide to capture full disk images of everything you come across, even when a full disk image may be the worst solution in a specific situation.  The DFIR Winging It Monster wants you to run-and-gun it because planning is too boring.

Tip: Flexibility in plans is key. Using the example above, planning to capture full disk images may be a good plan when you have an expectation of what you will be encountering on scene, but if the scene is different than expected, be flexible to address the realities of what you are presented to handle. Planning is an integral and exciting part of the entire case.

  1. Time

Time, in the manner of being pressured to hurry, will cause you to overlook evidence, make incorrect assumptions and interpretations, and create poor quality work. Work at the speed that you can do good work. Being subtly or overtly pressured to work faster for the benefit of a supervisor or client will eventually be at your detriment in the future if your work product suffers. No one yelling at you today will take blame for you tomorrow because they rushed you. It is your responsibility to be accurate in your work. The DFIR Rush Monster wants you to hurry at the risk of you making mistakes.

Tip: Communicate with those who expect an analysis or process to move faster. Some aspects of an investigation/analysis cannot be rushed. Much like you would not want a heart surgeon to rush operating on your heart, you don’t want the analyst to work so fast as to miss evidence that is instrumental in a case.

  1. Objectives

Not having objectives results in not solving any problems. Cases where the objective is something like, “Give me everything” will result in getting nothing, because “everything” is not an achievable objective.

Tip: Communication (this is an ongoing theme) with stakeholders in the case must know the objectives. More than just an objective of finding evidence, but specific to prove or disprove a person committed a crime, or identify the person who committed the crime, or identify the person who sent an email. Without a specific objective, forensic analysis is a fishing expedition.

  1. Symptoms over cause

Address the symptoms, but find the cause, otherwise more symptoms will occur again and again. Identifying a breach is extremely important, but so is finding the cause of the breach. Was it a phishing attack? An insider job?  Finding the cause reduces the risk of subsequent problems.

Tip: Ask yourself ‘why’ and ‘how’ something happened and find the answer.  Every incident has a ‘why’  and ‘how’ that you should search for answers. If an employee stole company data, knowing the “how” may lead to solutions to prevent it from happening again with other employees.  

  1. Documentation

If you didn’t document it, it didn’t happen. If you document too little, that may cause problems. If you document too much, that may cause problems. If you do not document at all, that will cause problems. Knowing how much to document is case specific. Some cases require extensive documentation and others do not. The “how to" document a case is also case specific. A felony investigation will require extensive documentation and appropriate methods of documentation compared to a minor internal corporate incident (such as theft of change from the lunchroom's coffee jar).

Tip: Failure to document today ensures that you will not be able to remember tomorrow, so write it down today. Use consistent documentation methods to protect your notes. Digitize paper notes; take photos; keep a running log; use software designed for documentation. And know what your end customer needs for documentation, whether it is a corporate employer or government entity.  Your role in an analysis will also determine the extent of your documentation, such as being a private consultant, expert witness, or case agent in a criminal investigation.

  1. Tools

Use the right tool for each job. No one can build a house using only a hammer, and no analyst can work a case using only one tool. Favorite software/hardware tools are great to have, as we each have tools that we prefer. But don’t force a tool to solve a problem that the tool is not designed to solve. The DFIR Tool Monster has one tool, one tool only, and wants you to use that one tool on everything.

Tip: Have a toolbox of tools. It is fine to always use your favorite tool as much as you can, until you come across a scenario when a different tool will be best. Have options or everything you see will be a nail for the only hammer you have.

  1. Assumptions

Fight the DFIR Assumption Monster every time it raises its head! Assumptions are easy to have, especially when you are given details of an incident (or crime) and have preconceived beliefs before you start your analysis. Your bias will affect your analysis and incorrect assumptions will affect your end-product.

Tip: You need to know as much about the incident as possible, which may include a list of suspects and assumptions of what happened. Use this information as clues but focus on the data and interpret based on what you see. You are not to prove a belief, but rather show the facts. Fighting the DFIR Assumption Monster is a constant battle at every step of any investigation.

  1. Scope

The DFIR Scope Creep Monster tries to attack everyone.  This DFIR monster wants you to have an unwieldly amount of non-relevant data to make your analysis impossible. One analysis goal is to weed out unnecessary and irrelevant data. Scope creep results in more data and goes against a primary analysis goal of looking for relevant data, not all data.

Tip: Using your objectives, determine the scope of your analysis, and keep a watch on it. When you see that your scope has increased with no reason other than it is growing beyond your initial plan, pull it back. Realize that the DFIR Scope Creep Monster is working to ruin your case by overloading you with unnecessary data.

  1. Communication

The running theme of communication deserves its own place on a 10 Ways of Ruining a DFIR Case list, primarily because communication is that important. There are many instances of emergency situations, where you feel like you must dive in, eyes closed, and start forensicating data, without any semblance of goals and objectives, or taking the time to ask questions, i.e. communicate, with stakeholders or witnesses. The DFIR Communication Monster only grunts, doesn’t communicate, and doesn’t want you to communicate either.

Tip: Even when life or limb is imminently at stake, communicate first. Otherwise, work will be done that didn’t need to be done. Work that needed to be done won’t be done. Information will be found that is irrelevant. Information that needed to be found, won’t be.  Communicate in the beginning to know what is needed (the objectives) and communicate during the analysis to relay what you are finding that may be relevant. Case direction can change based on what you find and the only way to know is if you communicate your findings along the way. Lack of communication from any party makes the risk of failure likely.


Slow down. Use your brain.

Running-n-gunning only works in Hollywood movies for dramatic effect that does not imitate real life. Real life investigations and casework have consequences for sloppy work, and the analyst is the person that pays that expensive bill. Tip: Don't create that bill because you will be the one paying for it if you do.

User comments

There are no user comments for this listing.