Button pushing in DFIR

Published March 26, 2021

One of those common questions asked by attorneys to the DFIR professional is “Why do you charge so much? All you are doing is pushing buttons.”

The easy answer is always, “True, but you have to know which buttons to press.”

The more detailed (and accurate) answer involves not only which buttons to press, but which tools to choose that have those buttons, when to press those buttons, what to do when there isn’t a button for what you need, correlating data to events and events to data, testing theories, interpreting data, and putting all of this together into a coherent, concise, and understandable presentation that may dramatically affect a person’s life or business or even a country!

Most of the time, we in DFIR get it right. I have seen only a few in DFIR intentionally “do bad”. By “do bad”, I mean that they intentionally try to sway the results of an analysis to fit a narrative. Those that do this don’t last long in this community. The vast majority of us tell it like it is. That means informing your boss or client that the analysis shows them (or their clients) to be at fault, if that is the case.

Steering a ship takes only a few centimeters of movement

A good friend of mine explained to me that in forensics, it is the little things that make the big difference. Knowing which buttons to press is important (I’m using “buttons” generically, of course), but the slight deviations in course that you take will have extreme effects on your path.

For example, steering a ship through the Suez Canal probably requires the most benign physical effort of moving the wheel a few centimeters to the left, then to the right, then to the left, and to the right until you are through the canal. But go one centimeter too far or not far enough and you end up blocking the entire canal for weeks, interrupting international commerce for the majority of the planet!

For anyone who has been (or is currently in) the military, you know full well that being just one degree off your azimuth will put you somewhere other than where you needed to be. One degree off means that in 5 clicks, you will miss your point by more than 300 feet. If you were an astronaut shooting for the moon, that one degree off course means you’ll miss the moon by over 4,000 miles!

That one degree in forensics matters!

Today’s forensic tools do a fantastic job of minimizing the risk of being off course. One of the tools that I have been putting through the wringer is Paraben’s E3: Universal Software. I’ll have a separate post about this soon, but putting this tool through its paces reminds me that tools keep you on track, and that you have to trust your tool to get you to where you are going. By “trust your tool”, I do not mean blindly trust your tool, as we need to test tools and corroborate our analysis and findings.

I will say that Paraben’s development over the years has paid off in keeping an analysis on track, which makes me happy when the tools to do our work improve to make the work easier and less prone to error.

Where does that ‘one-degree’ difference come from?

In land navigation, a one-degree error is sometimes a 180-degree error, meaning you went in the complete opposite direction and didn’t know it. That one is easy to figure out. In forensics, this would be like looking for evidence of an alleged crime on the wrong hard drive, where you intended to do forensics on Drive #2 but grabbed Drive #22. You did great work, except it was wasted on the wrong drive.

The one-degree difference is much more subtle than that example. This is where you may have a pre-conceived belief, bias, desire, or instruction to find the “right kind” of evidence. This happens. We are human. We want to believe what we want to believe and don’t want to believe what we don’t want to believe. But in DFIR, we need to base our beliefs on what the data and information show.

Just as important, we need to be strong in these beliefs. If for one second you lapse in trusting the data, or at a minimum in following the evidence to where the evidence leads you, you will be one degree off course and your conclusions and findings will be wrong.

As one personal example, a civil case in which I had been retained involved the theft of CAD files. Over a dozen computers were involved, and I was hired by the defense. My findings were that the defendants most likely copied the CAD files to USB drives, and that is what I told my client.

My client didn’t believe me and tried to convince me that since his clients swore that they didn’t steal or copy anything, I should check again. Because I couldn’t find evidence that this did not happen (I only found evidence that it most probably did), I was fired from that case, as the attorney didn’t believe me. Months later, the same attorney called to hire me on another case, even though he had previously said that he would not be needing my services again, like ever. The reason that he wanted to hire me was that his clients in the IP theft case eventually admitted guilt. They also admitted that they had lied to him the entire time. I had been the only person giving the attorney accurate, factual, data-supported evidence.

Had I accepted the defendants’ story as the truth, I would have been one degree off the path, trying to prove that they were not guilty. I would most likely have overlooked evidence unintentionally because I wanted to believe information and not data. Eventually, the truth would have come out (it did!), and guess who would have paid the price?

Stay on target

Here’s my take on the information surrounding any analysis. I listen, take notes, and ask questions for the analysis. I need to at least know what the case is about. Then, I work to prove or disprove the information that I was given by theorizing and testing the theories. None of what was alleged to have happened is taken as gospel, because people are people. People get facts wrong intentionally and unknowingly. And believe it or not, some people will flat out lie.

As a DFIR analyst, you are an investigator. Investigators don’t start with an assumption of ‘who did it’ and try to prove it. They start with the evidence and follow that evidence to find ‘who did it’. And along the way, the usual suspects are eliminated, forged evidence is discarded, and legitimate evidence is verified and corroborated. Personal opinions and beliefs are not part of the equation. I have done cases where I was surprised to find that a person who was believed to be innocent was actually guilty, and some where guilt was presumed but the person was actually innocent.

In Hollywood and many crime novels, the criminal is known and the detective works to prove the case against the criminal. In fiction, this has to be this way for entertainment value. But in real life, you may never even have an idea of who the "criminal" is and have to follow the evidence, just like real-life investigators do. Stay on the target of finding the truth.

Staying on target means staying on facts and on the evidence that backs up those facts. Eliminate assumptions. Eliminate the impossibilities. Trust your tools. Trust the data. Test and verify everything.

When you have eliminated the impossible, whatever remains, however improbable, must be the truth. – Sir Arthur Conan Doyle via Sherlock Holmes
