
Making Ham Sandwiches in DFIR

Following up on some points made about DFIR writing on Twitter, here are my opinions on the subject of writing up your work in DFIR:

1: Write it up (or else your work didn’t happen)

2: Write it for your audience (or it won’t matter what you did anyway)

If you follow those two tips, your writing will be fine.

In police work, report writing is frequently given the analogy of “Painting a picture”, in that you should write a story that doesn’t need explaining outside of what you wrote.  The canvas should tell the entire story.  Search warrant affidavits work the same way, in that the probable cause for the warrant must be contained (and comprehended) within the four corners of the affidavit.  An independent party should be able to read what was written without requiring outside information to either support the words or interpret them.  The report (aka, the picture) stands on its own to describe the story.   I usually use the analogy of making a ham sandwich instead of painting a picture.

When I read a report that doesn’t make sense to me, I typically say to myself, this person can’t make a ham sandwich.  I can see the tomatoes, the bread, and the ham, but it just doesn’t look like a ham sandwich.  If I need the writer to verbally explain to me what was written, then the report is meaningless.  It may be 100% technically accurate, but 100% worthless at the same time.  I do not mean to say 'worthless' in an insulting manner, as a technical report can be very well done for a technical audience. I mean worthless in the manner that if the intended audience can't understand it, then why write it in the first place?

If any of these are true, then the report wasn’t written correctly.

1: The writer needs to explain the report.

2: There is no story.


You can do the best DFIR work in the world and yet write a report that ruins it all.  Or, you can write up what you did in a manner that the report can be read on national television, in full, without needing a word of exposition to translate it to the audience. 

Few of us are great DFIR’rs and great writers.  We tend to favor one side over the other.  Some of us, however, tend to ignore the writing part completely.  We don’t like to write.  We don’t like to edit.  We don’t like to write for an audience who doesn’t know what an MFT is. After all, doesn’t everyone know what the MFT is?

The reality is, you have to write up what you did so that others can understand it.  Embrace writing.  Showcase your DFIR labor in your writing, so that the reader completely understands what you did, what you found, and what needs to be done next.   

Make that ham sandwich.


DFIR Case Studies #7

As I was going through Case Studies #7, I found several reminders on tips for working a case.  The simple obstacles that make some investigators quit only make others drive forward with creativity.  One example is the suspect in Case Study #7 using open WiFi to be anonymous.  Sometimes, investigators quit once they find that the suspect used a public WiFi or Tor.  This case shows why you should not do that, and in fact, you can make a really good case by following basic investigative principles regardless of what the suspect has used to try to stay anonymous.

And with every new case study I release (until I stop making case studies), I'm giving a promo for training bundles.  Until midnight Friday (16th), you can get the entire DFIR Case Studies series PLUS X-Ways Forensics Practitioner's Guide online course for only $25!  This is one of the better bundles I've done.  If you have already taken the X-Ways Course, you can choose the Case Studies Series with the Placing the Suspect Behind the Keyboard Course at the same promo price of $25.

Don't forget.  Registration with this promo ends midnight, Friday, February 16.  Promo extended through Feb 20 for the first 25 registrations as @PhillMoore linked the course to his ThisWeekin4n6 blog.

When you see the price go back to $150, the 25 promotional registration spots will have been used up.  

Case Studies Series + X-Ways Forensics Practitioner's Guide online course: 

Case Studies Series + Placing the Suspect Behind the Keyboard online course: 



*books not included!


How many exposure dollars do you need to buy a cup of coffee?

I am always flattered to be asked to speak in front of an audience on something that I know something about.  I have fun sharing information with great people about the ‘secrets’ on how to do neat things in forensics and investigations.

However, I find it odd to be asked to speak at conferences out of the state or out of the country, with the sole benefit of “exposure”.  I do not consider “waived tuition” to be a benefit to a conference that I wasn’t planning on attending anyway.

There are plenty of websites that talk about this topic, but here is my take on the topic as it applies to the DFIR field:

  • Speaking for free:  Gets old fast, unless it’s your hobby to personally foot the expenses for a one-line by-line on your CV.  Tax write-off? Spending money on travel and lodging to get a tax write off is probably not the best way to make money.
  • Don’t spend money to speak at a conference: Seriously.  Don’t spend money on expenses to speak at a conference where they charge attendees to attend.  Attendees pay to learn.  You should not be paying to teach.  That’s crazy.
  • Turn down “opportunities”.  You can’t buy a cup of coffee with exposure dollars. 

If the organization wants you bad enough, they will pay (in real money).  If they don’t truly want you, they are not going to pay.  I have turned down conference requests for that reason alone.  I figure that if they are not willing to foot the bill to at least cover the expenses, that they didn’t want me in the first place. They wanted a donation of time and money for their commercial endeavor.

If you speak at conferences, and the only payment is waived tuition with benefit of exposure, you can bet that other speakers were paid. In one instance, while I waited in a prep room, I listened to other speakers complaining about having to shell out to speak at the conference.  The whole time I was thinking, “Why did these speakers agree to come here without getting paid and then complain about not getting paid, and then believe the organizer’s excuse that speakers don’t get paid?  By the way, I was getting paid at this conference….”

I am not saying that money is your only goal or the most important thing in speaking at conferences.  I am saying that your time is valuable and limited.   Time is precious.


  • A local non-profit org asks for your donated time to speak for an hour? Sure. Why not.  It's a good cause at the cost of a short drive.
  • Potential revenue generation: You can sell something, like your company’s service or product at the conference to attendees?  Sure.  That’s business marketing.
  • First time presenting?  Probably a good idea to get the experience and name branding (and charge later..).

Once you start getting paid, your next thoughts are going to be:

  • Am I charging too much?
  • Should I charge more?
  • How much is the other speaker charging?

There are no correct answers to these questions.  I can say that at one event, I learned that a co-speaker had charged $20,000 for a 45 minute talk...  Closed training events are a completely different animal.  When you get a call to talk in front of a closed audience, the only questions on getting paid are, "How much do we write the check and where do we mail it?".

The moral of the story is: If you don’t ask, you will never be paid. And yes, I did ask the guy on the phone if he'd fly out and wash my car for free but he still didn't get the point.


***A little more information*** 2/4/18

Ok.  Don't get me wrong.  Speaking for free is good for many reasons, such as building your resume, sharing information, and being part of a quality event.  If you agree to speak for free at a conference that costs you money for travel, lodging, and meals, that's OK too (but stop complaining about not getting paid to the speakers who got paid at the same event....).

My point in this post is that if a conference organization directly contacts you and asks that you volunteer your time and money to speak at their event, where they are charging thousands of dollars to attendees, then it is a different animal altogether.  In that case, you have a choice to volunteer your time and money or simply ask at a minimum to have your expenses covered.   No one has more than 52 weeks a year.  Use the weeks wisely.


Rub some dirt on it.

Failing hurts helps.

Not that long ago, I would listen in awe at the DFIR experts presenting at conferences and wonder how some people can just glide right through this work like a slip-n-slide without taking a second breath.  I mean, this work is usually pretty difficult to do but easy to make a mistake.  Missing an important artifact or misinterpreting data that gets caught by an opposing expert happens, and when it does, embarrassment sets in quite quickly.  How do these experts get away without making any mistakes?

The short answer

They made the same mistakes you make and are still making mistakes.  They fail every day.

The longer answer

We all fail and no one gets out of here alive (without failing).  The difference is what you do after you fail.  Having grown up in the South, whenever I would skin my knee or crash my bicycle, I was generally told to ‘rub some dirt on it' and get up.  I’ve pretty much lived with that advice and even raised my kids on it.  For my kids, I changed the ‘rub some dirt on it’ with ‘if you don’t see bone sticking out, get back up’.  

That’s as simple as it gets.  Fall down. Get back up.  There’s plenty of complex advice you can find on breaking this down into reflecting on how the fail happened, what steps you could have taken to prevent it, and how you can prevent the fail from happening again.  I take those steps as a given and simply know that I’ll rub dirt on it and keep going, making sure to not do that particular error again.

By the way, a failure by anyone feels the same as you do when you fail.  The difference is choosing to move past it as a learning experience.

A warning sign

If you don’t make mistakes, errors, or fails, then you are not moving forward.  You are not gaining experience or learning.  Obviously, the fewer fails you have, the better.  But having none is probably an indication that you are not trying to go beyond what you already know.  You may not be testing your limits and pushing yourself to be better. You gotta know your limitations..

One of the worst pieces of advice that I have ever been given was from a 30-year police veteran when I was a new guy in patrol.  His advice was “never do anything and you’ll never get in trouble”.   Technically he was correct.  Don’t do any aggressive patrol and the risk of making a mistake drastically decreases.  Practically, that means you’d never get any better at the job you are getting paid to do.  Happily, I did the opposite and made enough mistakes to become so good at my job that a small-town cop traveled the world working international organized crime cases with just about every alphabet soup federal agency in North America.  I brought that attitude to digital forensics and believe me….I’ve made plenty of mistakes and fails, from forgetting to bring my presentation materials for a conference to totally missing a blatantly obvious piece of electronic evidence on a drive on a case.  Fails still smart, but rub dirt on it and learn from it.

What I am not saying

I am certainly not saying to intentionally make mistakes in order to learn or get better.  You will fail at something no matter how hard you try to succeed, so don’t worry about that.  The fails are coming, maybe in the next hour or next week.  As long as you work to learn and improve your skills, employ what you learned and master them, the mistakes will be there as you work through the process.  Try to keep the mistakes small and the learning big.  Worst are the big mistakes and small learning.  Fail small.  Learn big. 

Remember: Rub some dirt on it.  Learn from it.   Don’t do it again. 




Don’t look back.  Try to keep up.  This is #DFIR.

I do a lot of peer-reviews.  Much like a case study (another one is coming up by the way…), a peer-review of the sort I am talking about is a line-by-line read of a forensic analyst’s report.  Then reading it again, then again, and a few more times, all the while red-lining items of interest.  Basically, I am hired to read your reports and tear them apart.  Before you take that the wrong way, sometimes I am hired to read a report written by an expert that was hired by the same attorney that hired me to tear apart the report.  My aim is to make sure the report is good, insofar as my opinion goes.  I’m not a spell-checker or grammar cop, but I work on finding inconsistencies and where the analyst may be weak in their work, experience, or training.  I help with what to expect on the stand, and conversely, I help attorneys where they can focus on opposing witnesses during cross examination.

Now that this is out of the way…

Here is something I come across often: lack of continued education.

In the world of computing, if you don’t keep up your skills with today’s information, you will be outdated in a year or two.  That which you believed to be true yesterday may have been proven to be false last year or is no longer relevant.  If you plant your feet on what you know today and refuse to move forward, you will grow roots and the DFIR world will pass you by faster than a long-tailed cat running out of a room full of rocking chairs.  I would go so far as to say that if you spend 5 years in college learning DFIR, by the time you graduate, much of what you learned in the first year or two will be severely outdated.

Some of the rationales to not continually attend training or education that I have heard include:

“I’ve been doing this for 10 years and know how to do it better than anyone.”

“I’ve been doing this before you got out of diapers.”

“I don’t need training because I can teach it better than anyone can teach me.”

“The technology is basically the same.”

The problem is that during a peer review, when I see a boilerplate bio or CV that shows the last training or conference attended being over two or more years ago, it screams to me “OUTDATED!”.  This is not always the case of course, but for the clear majority of us, if you aren’t updating your knowledge with some sort of formalized training or education, you might get called out on it at some point.  How valuable is a Computer Science degree from 2002 if nothing has been done since 2002 to keep up on technology?

Of course, if you are a researcher, or you publish the information you discover, or you research-teach-research, you are probably exempt from “taking a class” as you are on the cutting edge.  You are part of those who create the information to be taught in the classroom.  You are the source of DFIR information.  That looks great in court by the way.  For everyone else, be sure to sit in some classroom or conference on a regular basis or it will not look like you are working to keep abreast of the field.  If for no other reason to show that you are current, keep current.  Pick a class.  Any class, but pick one.

You don’t need to spend $20K a year on training to stay current.  You don’t need to attend conferences that are out-of-state every year either.  If you can do either or both, more power to you.  But most of us are (1) busy, and if we are not busy, we are (2) really busy.  But you can do some things.  You do these things for “credit”, aka credibility.  You need to look at what you do to stay current a little differently.  Everything you are doing outside a classroom is assumed to be informal or unstructured (aka: not credible).  I suggest that you structure your efforts to give some formality that you can use for credibility.  Turn yourself into a living classroom.  If you do something outside the classroom that would have been good to have learned in a classroom, write it down.

  • Read.
  • Test-practice.
  • Research.
  • Talk.

Your reading should be DFIR heavy (whichever part of DFIR that you do – DF or IR, or both).  Books are good for a few good reasons.  You put them on a shelf and you can pull them down anytime as reference.  You can list them in your CV.  You can state references to them in reports.  The book will last your lifetime because books can’t be deleted or be hacked and defaced like a website can.

On one court case, the court wanted to physically see every DFIR book I owned and had read because I said I read a lot of DFIR books.  The next day in court, I brought the books I still had (previously donated older books). This made an impact in the case, especially when I made sure to point out the extensive notes I have made in most of my books.  I needed a dolly to bring the boxes of books, more than half my books are on my iPad :)

Blogs are great because the information is hot.  Sometimes, the information is so hot that the research and testing was completed only hours before you may have read it online.  You cannot get fresher information than you can with blogs!  Pro-tip:  when you find something really good in a blog, download it (PDF it, download, etc…).  Blogs disappear without notice and you don’t want to reference something that doesn’t exist anymore.

Your regular work doesn’t really count for practice, but you can develop practice scenarios based on your regular work.  For example, when you put in documentation about Shellbags in a report, be sure that you have practiced it too.  If/whenever asked about “how do you know” something, you want to be able to answer with (1) I was taught in this specific class, (2) I read it in these specific books, (3) corresponded with these specific experts x, y, and z, and (4) I tested-practiced the same scenario in controlled environments.  My common answer in cross examination to ‘how do you know’ is ‘because I personally tested it’.   I saw it with my own eyes.  I have seen this exact issue in a dozen prior examinations.

Research is fun.  Seriously.  When you research for an answer and find it, the retention of what you learn is so much better than posting a question on a forum and waiting for someone to spoon feed you the answer.  When you uncover the answer yourself, you will remember it and understand it much more than you can otherwise.   Document your research because you get credit for research only when you document it!

Some of us don’t like talking with others.  The computer is an easier companion.  Sure, a computer can cause some grief by not doing exactly what we want, but generally we can make the computer do what we want.  Talking with people is a skill that we also need.  When you talk to others in the field, you are learning.  You are forwarding your knowledge.  That goes both ways because by talking with someone else about DFIR, you are both sharing and both learning at the same time.  When you can say that you conferred with another practitioner, discussed the issue, shared experiences, and walked away with more information than before, you earned credit.

I give this advice mostly because this is the one area I see totally lacking in reporting (for legal documents such as a forensic analysis report, not internal documentation on a security breach), yet it is the easiest hole to shore up.  Take a class.  Read a book.  Research and practice. Talk with a peer.  Do these things and you’ll be 75% ahead of the game.  


X-Ways Forensics & eDiscovery

Following up on a discussion with an eDiscovery consultant, I wanted to show how X-Ways Forensics is a good (if not better at times) tool to have for the eDiscovery folks in ESI collection jobs.  Not that XWF can replace eDiscovery tools, but certainly can complement collection efforts.

I would even go as far as to say that an entire eDiscovery matter can be done by solely using X-Ways Forensics depending on the case matter.  For example, if the collection just involves workstations and laptops (even many aspects of server collections), you may not only ‘get by’ using XWF, but can do a more thorough job of collection.  However, when you get into the cloud, XWF is not going to be your best choice for a collection tool.

Here is a short video on how you can use XWF to collect data in a given eDiscovery matter.  

And, Case Studies #5 is published. 

The promo for this week is $75 for the Case Studies series which includes:

  • X-Ways Forensics Practitioner’s Guide Online Course for FREE, and
  • Placing the Suspect Behind the Keyboard Course for FREE, and
  • Advanced Internet Investigations Course for FREE.

Register here (discount will be applied automatically) for the 2-day promo:

This promo is only good for 2 days!  The first time I did this promo, it was for 2 weeks and I underestimated the number of registrations.  From now on, the promos will be a lot shorter.  Get in while you can, you have 2 days this time and the clock has started….


When you think you know enough

If you ever have a day in the DF/IR field when you think you know enough, take the rest of the day off and reflect a bit before doing any more work.  The reasoning is that we can never know enough, in the DF/IR field or any field.  Usually, there is something that kicks me right where it hurts and screams at me, "DUDE, YOU DON'T KNOW ANYTHING!  YOU BETTER KEEP LEARNING!"

When that happens, I quietly back into a dark corner and reflect upon how I either (1) screwed something up or (2) didn't have a clue as to what I was doing but thought I knew.  My goal is to reduce the number of times this happens to me.  One of the ways that I do this, and I've blogged about it before, is reading cases.  I just uploaded Case Study #4 today.  It was an easy, clear cut case with college students changing their grades.  The thing is, when you get an easy case, and if you don't put forth the same amount of focus as you do with a complex case, you will be kicked in the behind for doing something stupid or missing something that was really obvious.  

Occasionally, I may print out an entire affidavit and write all over it with notes if it is a really good case.  Usually that happens when I miss something easy on a case that I should have caught. I go overboard to get my mind back into focusing on analysis and investigations.  So, when I did today's case study, I picked an easy case and still I reflected on my mind being in the game, especially on the easy cases.  You don't want to mess up an easy case.  There aren't any excuses to miss the easy stuff.

I've been getting great feedback on the Case Study series for the same reasons I'm talking about.  Sure, DF/IR students learn a lot from case studies, but for those working cases, you have to keep your head in the game constantly.  Read cases.  Compare how you would have done the same case.  Would you do anything differently?  Anything better? Could you have worked it at all?  When you ask yourself these questions, your focus is sharpened.  When you read what others do, your brain is processing the case as if you are working it.  Other than working a case and learning the hard way, case studies are the best way to learn casework, do casework, and master casework.

But don't forget. The second that you master DF/IR work, take the rest of the day off... 


The Black Friday extreme promotion I had expired yesterday, but since Phill Moore mentioned it on his blog today, I'm extending through Sunday.

Use this link to turn $1,129 in online courses to only $95. 

The promo includes X-Ways Forensics, Case Studies Series, Placing the Suspect Behind the Keyboard, and Internet Investigations.


DFIR Mentors.  You just might be one and not know it.

If you share information, openly discuss that which you can, and sincerely try to help others in the DF/IR field, you are probably someone’s mentor and do not even know it.   I have always understood the term of “mentor” seriously as it implies a responsibility to teach others, and also suggests that you know a lot more than you think you know.

When you are in that position of being a mentor, know that your words are heavy.  You may not have asked to be someone’s mentor.  You may not want to be anyone’s mentor.  You may refuse to even be called a mentor.  But guess what…you are, whether you like it or not.   My advice is to run with it.  Your words can make an incredible difference in someone’s career (aka: substantial part of their life).

Harlan Carvey may not remember the day I first spoke to him by phone, but I remember it like it was yesterday.  I may not exactly remember how I came about to call him, except through a series of emails and questions that I wanted to ask him.  At the time, I was extremely proficient at working my way as an undercover officer in any criminal organization I targeted, in any number of states (and internationally).  But at the time, I was moving into the computer forensics world and was as green as a gooseberry in the middle of June when it came to forensics.   That one phone call with Harlan set me on a new career path for which I am truly grateful, especially since the undercover work was getting a bit hairy at times…I would say that my wife and kids really appreciated the career move.

Harlan was my mentor, at least with that phone call, and practically still is. 

Through the following years, I have had several mentors from the DF/IR field.  Most of whom I never spoke or corresponded with.   I read their writings, took their courses, or used their software.  I followed them as my mentors as if they were actually mentoring me (hint: they were, they just didn’t know it).

Getting to the point.

Your words are heavy.  Did I say that already? This must be important then.  I most likely follow your words to this day and your words have influenced me to be better, do better, and keep learning.  Especially if you have spoken to me personally, or emailed me, or DM’d me….  You just might be one of my mentors and not know it.

Since you just might be someone's mentor, here is some friendly advice.

Lend a helping hand. Encourage those over whom you have influence to do better than you did.  Show them the way to do things more efficiently and more effectively.  Our goal is to improve our lot, not to personally be better than everyone else or constantly be the only 'winner' because we are the only ones who know how to do this job.  We are better because we help our peers and our juniors be better than we ever were or will be. You are the Yoda to today's Luke and Rey.

One of the things I do today is that which was done for me.  On that first call I had with Harlan Carvey, he gave me some advice.  Start a blog.  Find something no one else is doing and research it.  Write a book.  And so I did, for myself at first.  But since then, I have helped ghostwrite DF/IR books for first timers, tech edit other books, and encouraged more than a few others to start Microsoft Word and get typing on their ideas for a great DF/IR book.  Some have not only taken me up on the challenge and published their book after me pushing them a little forward, but a few are also helping others in the same way.  Technically, I call this super cool.  On one of my shelves of DF/IR books, I have a special section of books that I had a hand in being published.  I am most proud of those, even more so than the ones I have written because they are better than mine. That was my intention.

As an example of lending a hand, for book topics with those wanting to be published, I often get asked questions like, “What would you recommend to write about?” or “What do you think of this idea?”.  I always give my honest opinion based on (1) would I buy this book today or (2) would I have bought this book when I first started.  If neither fits me, my opinion is that maybe the idea works for others, but not for me. As for book ideas, I believe you can take any minute topic in the entire field of Digital Forensics / Incident Response and expand an entire encyclopedia on that one specific topic.  I’m not exaggerating. There is no need in the world to take an idea that has already been done and do it over unless you can completely change everything that has already been done.  Why do that when you can be innovative, creative, and original?  Don’t reinvent the wheel.

There are too many ways in which you can be a mentor to positively affect someone in the field.  You can not only mentor the new folks, but believe it or not, you are probably mentoring your peers as well.  There is not a thing I cannot learn from every person, regardless of who it is.  If someone speaks, writes, or teaches, I can learn something regardless if it is from a student or professor, user or developer, writer or reader.  This thinking should apply to you as well.

Your words are heavy.  You influence more than the people around you.  You influence everyone in the field.  You are a mentor, whether you accept the challenge or not, it is what it is.  I’m happy with that.




Bitcoin Forensics | Investigating Cryptocurrency Crimes Online's coming...

You knew this was coming.  A course in cryptocurrency investigations.  There is no faster and more comprehensive method to learn cryptocurrency investigations than to take a class in it and study a book about it.   As the book is being written, the course is being developed alongside the book as a companion to the book.  If you have not come across cryptocurrency in your investigations yet, I promise you that you will soon enough.  When it does show up, and you are not prepared, your case is not going to get the full attention needed if you are not already prepared.

"Bitcoin" has been in the news more and more lately.  You probably have already heard of Bitcoin, but may not actually own any, nor understand how it works.  The intention of both the book and course is to give you the 'need to know' information of what it is and also the 'must know' information of how to investigate cryptocurrency.  Cryptocurrency is much more than just Bitcoin.  Way way much more.  The entire blockchain universe has begun to change the way data and records (and currency!) are being created and maintained.   In your lifetime, there will not be an investigation where some aspect of the blockchain and cryptocurrency is not a part, whether it be a tangent to your case or instrumental to it.  Criminal and civil investigations both.  Crimes from petty theft to murder.  You will see aspects of the blockchain in most everything.

Bitcoin Forensics | Investigating Cryptocurrency Crimes

But don't worry.  This book, the first book to be conceived and to be published on this subject, is covering all of it.  And if you want to see demonstrations, follow along with exercises, and actually trace transactions online in real-time, this course that will complement the book is for you.

You may be able to tell that I am really excited about this book and course.  I am actually excited about the changes to investigations as we know it today due to the blockchain.  You cannot ignore the future in your cases and how this technology is changing everything.  Money laundering is a whole new world with cryptocurrency.  From small time street dealers to international drug trafficking organizations, the time is not only coming near, but is already here.  If you have read any of my previous investigative books, you know that I cover not only the things you can only do with search warrants, but also the things that you can do without any court order.  This applies to both civil and criminal cases, as many times you can get exactly what you need in a timely fashion when you know exactly where to look and what to look for, when it is publicly available.  That is the intention of both this book and course.  Deep dive into the operating system to find the crypto artifacts and hop online to trace the transactions from their origin to destinations. 



Thinking of Writing a #DF/IR Book? Here’s a tip that may or may not work out for you.

I am very open on my opinions about writing books, specifically DF/IR books.  I encourage anyone who is thinking about writing a DF/IR book to write away and start right away!  The longer you wait, the more likely someone else will write the book you wanted to write.

Over the years, I have been asked questions about writing and I posted a fairly detailed blog post with my opinions.  Take into account that I am no JK Rowling, nor do I have dozens of books in print, and like anyone, my opinions are my own.

So, what is the writing tip that may or may not work out for you?

The tip is to decide whether you want to tell the world about the book you started or keep the project to yourself.  Here is my experience on this, with an example for both.

2010, Experience #1: 

Some years ago, I wrote two ‘papers’ on virtual machines and forensics.  I decided to write a book on virtualization forensics and mapped out a table of contents, and started the first chapter.  Before I sent out a proposal to publishers, I came across a post by Diane Barrett in which she posted that she was writing a book on the same topic that I was (Virtualization and Forensics).   Totally coincidental and an obvious case of independent-invention (we both had the same idea, independently).  So…what did I do?

I chose to not write “my” book.  Why write what someone else already publicly announced? That'd be like making a Wonder Woman movie after hearing that someone else is already making a Wonder Woman movie.

2017, Experience #2:

My fourth and current book is titled Bitcoin Forensics: Investigating Cryptocurrency Crimes.  I did my due diligence in researching to see if any other book existed (it did not) and if anyone else was working on the same topic (no one that I could find online).  To make sure I wasn’t writing something that someone else was writing, I blogged it, tweeted it, and posted to online forums.  I even reached out to anyone who would be interested in contributing to the book and am fortunate to have some fantastic volunteer contributors, along with a super co-author.  So, what happened?

Well…one of the volunteer contributors who agreed to help with the book quit, then without a peep, proposed the same book to a publisher, got a book contract, and the book immediately went to pre-sale on Amazon.  Interestingly enough, he wasn’t planning to write the book in the first place until after volunteering to help with this book.


That’s right.  It happened...at least he changed the title from "Bitcoin Forensics: Investigating Cryptocurrency Crimes" to "Cryptocurrency Forensics"...

So, this is a tip for future writers that could be more like a warning if it doesn’t work.   If you plan on writing a DF/IR book, you’ll have to decide to either keep it a secret or tell the world.  Keep it a secret and maybe no one else is writing the same thing.  That’s a big chance to take because I can tell you, everyone is thinking about the same book to write that you are.  Not the best thing to have two closely identical books come out at the same time to the same (fairly small) audience.  

Or, you can publicly announce your book and probably someone else won’t intentionally take your idea and write it.  However, worst case, someone could offer to help with your book, then run off and sneak in a book contract with another publisher...good grief.

I prefer telling everyone.  Why hide what you are working on?  Why hide the research you discovered?  I believe in sharing to help push us all forward, even if just an inch forward.  This is the way I have seen others do it and actually what I prefer.  I would regret having written an entire book, or even half a book, only to find that someone else was writing the same thing, which could have been avoided by simply announcing my intentions.  Then again, this happens....

And yes, I am still writing this book.  The team of contributors, tech editor, and co-author is simply awesome.
