Mindset of a Sherlock: DFIR Investigative Mindset Part 1
The first part of my review of Brett Shavers' Placing the Suspect Behind the Keyboard: The DFIR Investigative Mindset.
gHey Internet, Matt of Forensics With Matt here and in today’s blog post, I will weigh in on the information and lessons I found in Brett Shavers’ book, titled “Placing the Suspect Behind the Keyboaard: The DFIR Investigative Mindset” (Second edition).
Right from square one, if you’re looking for a totally technical book, you should look somewhere else, as this book is less about technical skills and more about the mind of an investigator. So think more Sherlock and less Mr Robot.
Before we actually get started, I want to plug the community events. I actually got this book for attending Brett Shavers’ talk on the “Investigative Mindset” at Magnet Virtual Summit back in February. I enjoyed the talk and found some very insightful (and useful information)
Scope
This book has twelve chapters in it along with introductions and conclusions. There are also some useful appendices on biases, mental blocks, resources for DFIR investigators to upskill, and common errors that investigators will make. Of these twelve chapters, I will discuss the first four in this post and each next post will cover four more.
Intro + Chapter 1
My most important takeaway from the intro is this line, which he stresses, even in his MVS talk:
Those who actively, aggressively, and purposefully endeavor to be more than just an analyst are the most effective investigators in DFIR
(Shavers, xxi)
This is a core tenet behind the “vibe” of this book. The book suggests the things that one might learn to have the investigative edge. We will consider this throughout the review.
Chapter 1 is about the technical skills that one must learn. He essentially says, “Learn them but this book won’t teach them; this book is on the mindset you need.” We’ll continue on because there isn’t much here to talk about.
Chapter 2
Chapter 2 speaks about the knowledge behind the trade. He mentions procedures behind the trade, rules of evidence, types of evidence and how to prove a hypothesis. He says theory in the book, but I think it’s more like hypothesis since it’s an assumption that you have and want to prove.
Among the most interesting parts of this relatively short chapter are Brett’s breakdowns of all types of evidence. When you read the book, if you do, you will be met with some cool flashcards and some specific terms that may or may not be insightful to you.
Chapter 3
This chapter is all about the important step of self-assessment: the most important step of determining where you are on your journey. He outlines aspects of you, like your curiosity and your mentality. e goes on to tell how they can affect you as an investigator and how to improve them.
This is a solid chapter. I found the part about curiosity to be the most memorable. This comes because it really resonated with my vision of a typical crime investigator. I think of the usual investigator as a person who is inquisitive and really focused (that’s ANOTHER point that’ll be hit on later on) on the evidence in front of the eyes, Here’s what’s at the helm of this thought:
Being curious requires questioning norms and rarely, if ever, being satidfied with what’s received…Curiosity solves cases and drives innovation in DFIR. When an obstacle is met with curiosity, the curious DFIR investigator does not stop, but finds a way [to overcome] the obstacle.
(Shavers, 42)
I love this notion that curiosity is very important in this field (like any other knowledge field) and will take one far. I, too, have experienced this in my own life. I have found that the things that I was most curious about were the things I was able to understand more (and deeper) and the things which stick with me until today (like interest in DFIR)!
Chapter 4
This section details the importance of senses on investigations.
Fig. 1: Sherlock Holmes and magnifying glass (Sherlock Holmes in the 22nd Century, 1999-2001)
Figure 1 brings forth a character that embodies the theme of this chapter: Sherlock Holmes. Although Shavers does not like the comparison to Sherlock Holmes, I think that doing this to a healthy degree is OK. That being said, and the meme format in mind, as well, eyes and brains are among the most important senses. As are your ears.
With that in mind, Brett makes the distinction between just using your senses and using them critically. This is what makes me want to reference Sherlock Holmes. He is an example of one who uses his senses critically. He observes and listens to his surroundings to inform his choices of how to proceed with his case.
Again Brett mentions in the beginning of the book that he does not like to make references to Sherlock, but this is apt for the reasons above. That being said, Brett gives us advice on how to learn to embody this character more within our own investigations.
Takeaways and Conclusion
This has been a juicy book so far and will continue to yield a great deal of Wisdom. Here are three major takeaways from this part of the book:
A DFIR investigator must commit mentally to being fully focused on the task at hand while they work.
DFIR is a field of constant learning and one must always be honing their craft.
Critical thinking is a major part of this field. Critical thinking is done with not just the brain.
Should you decide to read the book, you may see one (or two) of these points be mentioned explicitly later on (and I may cover it in later blogs on this book). If you decide to read the book, you may also see that alot of the sentiments are repeated and reinforced throughout. This is a very good thing to do because important mindset tips and shifts should be highlighted and reinforced.
With that being said, I’d like to call it a day and say that the next blog will cover chapters 5-8 of this book. Until then, this has been Matthew from Forensics With Matt, teaching you about Brett Shavers’ investigative mindset. Until next time, Matt OUT!