Attribution or bust.

Nov 29, 2022

To be the best at this thing we call “DFIR”, you need to be singularly focused on the primary objectives of a digital forensic examination.  These (broadly) are:

  • locate EVIDENCE of the crime/incident,
  • identify the SUSPECT(s),
  • convey findings in COURT.

Locating digital EVIDENCE is simple. Data is data is data.  I didn’t say that uncovering digital evidence is easy, but it is simple when basic principles are applied.

Identifying suspects is not simple, nor is it easy.  Data generally does not identify the SUSPECT behind the device. Data may point to a specific person, but more evidence beyond data is needed. This does not mean to avoid looking for circumstantial digital evidence that may lead to identifying the suspect, but that these are only clues to follow.

Your DFIR work is part of the process to give justice to victims.  Justice distinctly means the legal system, typically in a COURT or LEGAL/ADMINISTRATIVE PROCESS. Your work must be zero-error.  Touching any data, and every time that you touch data may result in your open court testimony to convey why you touched it, what you did when your touched it, and your conclusions of what you saw.


Although it is exciting to use DFIR software to uncover pivotal evidence that may close a case, do not fall into the trap that your DFIR work is using tools for the sake of using tools.  The tools are simply a means to an end.  If and when the day comes that the current DFIR tools completely change to something different to accomplish the same goals, then use the better systems.

Tools = means to an end (and are not the end goal).

From my personal experience, which is different from many, my first days as a detective included practically no training, minimal supervision, and few written guidelines on how to do the job of a detective (ie: investigate and file cases).  It took weeks just to figure out what was expected, months to learn the ropes, and years to become effective.  This happened to me four times for four different assignments, in three different agencies.  Every assignment seemed to be a sink-or-swim type of on-the-job training.

Regardless of the assignment, there was always one constant theme: identify, locate, and arrest the bad guys.

But IR?

I understand that sometimes attribution is not the goal. More accurately, it is broadly remedying a breach to stop data loss and prevent future attacks.  However, this is not justice, it is business, and not “forensics” in the legal definition of the word.

Placing the Suspect Behind the Keyboard

I wrote the first edition of Placing the Suspect Behind the Keyboard to give a broad overview of DFIR investigations. 

The second edition due out in 2023 dives deeper into the subject with the intention to guide the forensic investigator to build great cases using a wide range of tools, techniques, methods, procedures, and tools.

Several major DFIR tool developers are collaborating on the new edition that will illustrate varied aspects of digital forensic investigations. You will be able to see how using multiple tools can solve different forensic problems. 

I have been naming the developers one by one, and there are only a few left before the list is done. There is room for two more developers that I am considering to add….

Here is the nuts and bolts of the new Placing the Suspect Behind the Keyboard, Second Edition

  • Starting a lab (if you don’t have one in your organization)
  • Initiating cases
    • Uncover crimes and self-initiate cases
  • Working cases
    • Being assigned or hired to work cases
    • Tactics, techniques, procedures, principles, ideas, inspirations, and methods
    • Software, hardware, case management
  • Closing cases
    • Who did it
    • How did they do it
    • Why did they do it
    • Where did they do it
  • Case presentations
    • Prove it to your organization
    • Prove it in court
  • Your Career
    • Education
    • Experience
    • Excelling into the top 1%

The goal of this book is to be your "Turnover Folder" of working computer-facilitated investigations, whether the investigations are criminal, civil, or administrative.