Tuesday, January 10, 2012


Not too long ago, I blogged with a view of how you can contribute to the DFIR community, and that post seems to have sparked some discussion, leading to posts from other bloggers.  I saw via Twitter this morning that Christa Miller had posted her review of the Jonathan Fields book, Uncertainty.  Unfortunately, Twitter is a poor medium for commenting (although many seem to prefer it), as 140 characters simply is not enough space to offer comments, input or feedback on something.  Far too often, I think, for many forensicators it comes down to tweeting or nothing.  When that happens, I honestly believe that something is lost, and the community is less for it.  As such, I opted to post the thoughts that Christa's review percolated here on my own blog.

I won't rehash Christa's review here...there's really no point in doing that.  Christa is an excellent writer, and the only way to do her review and writing justice is to recommend that you go read what she's written, and draw your own opinions.

Two sentences in particular within Christa's review really caught my attention:

A forensicator’s fear of looking stupid or failing is not, on its face, all that irrational. Who wouldn’t worry about how one’s employer or a courtroom will react to the disclosure that you don’t have all the answers?

What I thought was interesting about this was not so much whether this fear is irrational or not; rather, what caught my attention was the "one's employer or a courtroom".  I'm sure that a lot of analysts are faced with this very situation or feeling, and as such, I wouldn't discount it as being irrational at all.  Now, I'm not saying that Christa's review did this...rather, I'm simply saying that as a community, this is a place where a number of analysts find themselves.

When I was in graduate school, I was surrounded by other students, a few of whom were PhD candidates.  There were a great number of PhD academic professors, of course, and perhaps one of the most powerful things I learned in my 2 1/2 years at NPS was something one of my instructors shared with me.  He had been an enlisted Marine, switched over to "the dark side" to become an officer, and was a Major by the time he left the Marine Corps to pursue his PhD.  In short, he told me that if I was struggling with a 6th order differential equation, after no more than 15 minutes of not making any headway, ask for help.

That's right.  Admit that you need help, assistance, a gentle nudge...hey, we all find at times that we've worked ourselves into a tight corner by going down a rabbit hole, particularly the wrong one.  Why keep doing it, if all you really need is a little help?

So, I found myself thinking about that statement years later when I would be going over another analyst's case notes and report, and I'd see "Registry Analysis - 16 hrs" and nothing else.  No "this is what I was looking for" and no "this is what I found."  Why was that?  Why would a consultant consume 8 or 16 hrs on something they had no clear approach to, produce no discernible results, and then charge a customer for that time?  Particularly when someone who could provide assistance was a phone call or a cubicle away?

Whenever I've encountered a situation where I'm not familiar with something, I tend to reach out for some assistance.  While I was on the ISS ERS team, I was tasked with a Saturday morning response to address a FreeBSD firewall in a server room in another state.  Now, I have some familiarity with Linux, but hey, this is a firewall...so I asked the engagement manager to see about lining someone up with whom I could speak once I got on-site, got situated and got an idea of what was going on.  After all, I'm not an expert on much of anything, in particular FreeBSD firewalls.

Having worked with teams of analysts over the years, I've seen this "fear of failure" issue several times.  Each time, I see two sides to the issue...on one hand, you have the analyst who's afraid to even ask a question, because (as I've been told) they're afraid of "looking stupid" to their peers and boss.  So what happens is that instead of asking for help, they turn in a report that's incomplete, full of glaring holes in the analysis and conclusions, and essentially blank case notes.  That gig to analyze one image that was spec'd out at 48 hrs now takes 72 or even 96 (or more) hours to complete between multiple analysts, and while the customer ultimately gets a half-way decent deliverable, your team has lost money on the engagement.  On top of that, there's now some ill-will on the team...because one analyst didn't want to ask for help, now another analyst has to drop everything (including their family time after 5pm) to work late, in emergency mode.

On the other hand, there's the analyst who does ask questions, does ask for assistance, and in the process learns something that they can then carry forward on future engagements.  The customer receives a comprehensive report in a timely manner, and the analyst is able to meet their revenue numbers, allowing them the time to take a vacation or "mental health day", and receive a bonus.

My point is this...there's not one of us that knows everything, and regardless of what your individual perception may be, no one expects you to know everything.  If you have a passion for what you do, you learn when you ask questions and engage with others, you incorporate that new information into what you do, and you grow from it.  If you're worried about people thinking you'll "look stupid", an option would be to pursue a trusted adviser relationship with someone with whom you feel comfortable asking questions.

If you're concerned with someone seeing you ask a question publicly (potential employer, defense counsel), then find someone you can ask questions of "off the grid". 

Ultimately, as I see it, the question becomes, do you continue into the future not knowing something, or do you ask someone and at the least get a leg up on fully discovering the answer?  Would you rather look like you don't know something for a moment (as you ask the question) and then have an answer (or at least a pathway to it), or would your preference be to not know something at all, and have it discovered later, after the issue has grown?

My recommendation with respect to the two sentences from Christa's review is this...if you find yourself in a situation where you are telling yourself, "I don't want people to think I'm dumb", consider what happens if you don't ask that question.  Are you going to run over hours on your analysis, and ultimately provide a poor product to your customer?  Are you missing data that would lead to the conviction or exoneration of someone who's been accused of a crime?  Or, can you take a moment to frame your question, provide some meaningful background data ("I'm looking at a Windows XP system"), maybe do some online searches, and ask it...even if that means you're reaching out to someone you know rather than posting to a public forum? 


Cindy Murphy said...

There's another great side effect to asking others for their help, or just talking to them about their area of expertise when we're not as comfortable with a subject.

Lloyd Alexander summed it up best when he said "Sometimes, we learn more by looking for the answer to a question and not finding it than we do from learning the answer itself."

You're right - none of us know everything... Once you start asking questions, you start to learn how very true that is, and you start to learn how very fun it is to find out more!

Nice post Harlan!

Christa M Miller said...

Harlan, thanks for the very kind words, and for the great riff off my post. Ironically I had written that review with regard to software coding or article writing or other "I can'ts" previously discussed, but I see how "contributing" is related to "just ask."

That said, I think many forensicators -- especially the newer ones -- might have a tough time figuring out where the line is between asking for help when it is genuinely needed, and asking for help prematurely (i.e. before having done the research).

In other words, if I'm working on a problem, and I've Googled and still can't find the answer, my next logical step might be to turn to a listserv or forum or buddy, explaining how far I've gotten. But... what if I used the wrong Google keywords? What if the answer really is glaringly obvious, and now I look lazy?

I guess, how much time should someone spend looking for an answer before finally asking for help? Especially on a tight timeline or under other pressure?

H. Carvey said...


Thanks. I think too many people believe "'tis better to remain silent and be thought a fool, than to open your mouth and remove all doubt" (attr. to Abe Lincoln), but to be honest, that simply does not work.

What happens if, because you didn't ask that question, a guilty man walks or an innocent man goes to jail?

H. Carvey said...


Part of my post on contributions addressed asking questions as a contribution.

...figuring out where the line is...

There're a couple of ways to look at this...one being, you never know until you try. Seriously. Sure, the first time you ask, someone's likely going to respond, "which version of Windows are you looking at..." or "which version of EnCase are you using...", but that's part of the learning process...and very likely part of the overall paralysis issue, as well.

If someone does ask the question, and get "did you try searching for X?" as a response, well, try it. I know I ran into that very problem back when I was first researching NTFS alternate data streams...Microsoft called them "alternative data streams" and "multiple data streams", so searching for just "alternate" wasn't as revealing as I'd've liked.

Again, however...don't use the "what if I didn't use the right key words??" as a reason for paralysis...

Cindy Murphy said...

Or something that happens more often - an exam just languishes indeterminately as the questions go unanswered and unresearched, and whatever evidence was there isn't utilized efficiently. Thankfully, investigations rely on multiple sources of information and evidence, and it's rarely one piece of esoteric digital evidence that the whole case hinges on... which isn't to say that couldn't happen.

H. Carvey said...


Good point, although in my experience, this doesn't/can't really happen in the private sector...because the customer usually has paid a lot of money for emergency response, and has someone pounding on them for answers.

However, I do get your point. I know that some LE have been shocked when private sector turn around is quick...like in 4 days, rather than 8+ months.

Cindy Murphy said...

Exam turn around time and case loads are a whole new line of conversation here... There are different sets of barriers in LE / VS the private sector that can affect that as well.

Hunter Images and Words said...

This discussion reminds me of my old Master Chief in the Navy: "The only stupid question is the one you should have asked and didn't." Still sage advice. Thanks for the post. Thanks to Christa for the review.

Christa M Miller said...

Sorry Harlan, I'd read that but forgot you brought it up. Thanks for the reminder.

I think where paralysis happens is when forensicators think beyond "information exchange" and start reading tonality into "did you try looking for X?" -- depending on their personal influences, that tonality can sound positive or critical.

Again, rational vs. irrational. But I have found I need to remind myself frequently to focus on the info exchange rather than "what does that mean," and I can be pretty paranoid/OCD, so that's a real task. :P

I think ultimately it's important to figure out a balance between 1) understanding where paralysis comes from, so we can encourage more participation; and 2) pushing participants to ask and discuss past their comfort zones. I tend to think that those who learn to ask and discuss will last longer and make the profession stronger than those who have learned to "get by"...

H. Carvey said...


I was primarily referring to the paralysis that prevents folks from asking the questions in the first place...but I do get what you're saying.

Anonymous said...

"He who asks a question is a fool for 5 minutes. He who never asks, is a fool forever"

Boy, how I have grown, and my salary, by simply asking questions and documenting the answers.

Gareth said...

In our postgrad forensics course, one of our assignments is to complete an analysis and hand in a report on a given scenario. The scenario is, by design, incomplete meaning there will be holes in your report. You are then placed in a moot court situation where professional attorneys grill you over it in front of the rest of the class. This serves as a very good lesson if you are ever in this situation in the future!
