Not that long ago, I would listen in awe to the DFIR experts presenting at conferences and wonder how some people can just glide right through this work like a slip-n-slide without taking a second breath. I mean, this work is usually pretty difficult to do, and it is easy to make a mistake. Missing an important artifact or misinterpreting data that gets caught by an opposing expert happens, and when it does, embarrassment sets in quite quickly. How do these experts get away without making any mistakes?
The short answer
They made the same mistakes you make and are still making mistakes. They fail every day.
The longer answer
We all fail and no one gets out of here alive (without failing). The difference is what you do after you fail. Having grown up in the South, whenever I would skin my knee or crash my bicycle, I was generally told to ‘rub some dirt on it’ and get up. I’ve pretty much lived with that advice and even raised my kids on it. For my kids, I changed the ‘rub some dirt on it’ to ‘if you don’t see bone sticking out, get back up’.
That’s as simple as it gets. Fall down. Get back up. There’s plenty of complex advice you can find on breaking this down into reflecting on how the fail happened, what steps you could have taken to prevent it, and how you can prevent the fail from happening again. I take those steps as a given and simply know that I’ll rub dirt on it and keep going, making sure to not do that particular error again.
By the way, failure feels the same to anyone else as it does to you when you fail. The difference is choosing to move past it as a learning experience.
A warning sign
If you don’t make mistakes, errors, or fails, then you are not moving forward. You are not gaining experience or learning. Obviously, the fewer fails you have, the better. But having none is probably an indication that you are not trying to go beyond what you already know. You may not be testing your limits and pushing yourself to be better. You gotta know your limitations.
One of the worst pieces of advice that I have ever been given was from a 30-year police veteran when I was a new guy in patrol. His advice was “never do anything and you’ll never get in trouble”. Technically he was correct. Don’t do any aggressive patrol and the risk of making a mistake drastically decreases. Practically, that means you’d never get any better at the job you are getting paid to do. Happily, I did the opposite and made enough mistakes to become so good at my job that a small-town cop traveled the world working international organized crime cases with just about every alphabet soup federal agency in North America. I brought that attitude to digital forensics and believe me… I’ve made plenty of mistakes and fails, from forgetting to bring my presentation materials for a conference to totally missing a blatantly obvious piece of electronic evidence on a drive on a case. Fails still smart, but rub dirt on it and learn from it.
What I am not saying
I am certainly not saying to intentionally make mistakes in order to learn or get better. You will fail at something no matter how hard you try to succeed, so don’t worry about that. The fails are coming, maybe in the next hour or next week. As long as you work to learn and improve your skills, employ what you learned and master it, the mistakes will be there as you work through the process. Try to keep the mistakes small and the learning big. Worst are the big mistakes and small learning. Fail small. Learn big.
Remember: Rub some dirt on it. Learn from it. Don’t do it again.