The Pyramid of DF/IR Expertise







"First say to yourself what you would be; and then do what you have to do."


-Epictetus



I woke up one day and realized I’m an Executive at a Nationwide Digital Forensic & E-Discovery professional services firm.  How did that happen?  I also woke up one day and realized I have 25 years in the justice system.  If I’d stayed in law enforcement, I could retire this year.  All of these things are simultaneously shocking and sobering.  They cause one to really reflect on the steps that it took to get them to where they have arrived.  It also causes one to take inventory of all of the opportunities, successes, mistakes, failures, training, experience, case work and daily practice – both mental and practical – that go into building a body of work.  It also makes one feel old all of a sudden, but “old(er)” doesn’t have to equal bad, as I’ve come to learn.


But how does one get to this point?  As many of my colleagues have expressed in books and other writings, those of us who’ve been around this industry for a while often get questions from current college students, new college grads and those who just want to transition into a more interesting field about how to break into DF/IR.  It’s a common question that I, along with others, field quite frequently.


To be clear, I don’t have a really good answer for them.  I was lucky.  The government paid for all of my basic and most of my intermediate training and afforded me the opportunity to work cases.  A lot of cases.  I was also a one-man shop in law enforcement and the first part of my consulting career, so having to do everything alone really gives one a holistic perspective on the work that needs to be done and should be done.  In current case work, I see repeatedly how having all of the various parts of an investigation segmented and separated amongst multiple people – many of whom may not even like each other – is a detriment to the case, not an asset. 


But everyone has to start somewhere.  It’s important to identify at what stage you are currently before moving upward into the next logical phase of your training, education and work product.  To that end, I’ve developed a simple graphic that will help identify the different stages of a DF/IR career path and provide a rough framework for those both outside and already in our industry.  This “Pyramid of DF/IR Expertise” is designed primarily as a self-assessment, but for those reading this who may be more experienced, it can also serve as a barometer for rough comparison to others about where you currently stand within the framework:







Ignorance:  Everyone’s Baseline


The word “ignorant” is used colloquially as a pejorative, but in reality, it just means you don’t know something.  One of our roles as DF/IR practitioners is to help educate and inform people who may be ignorant about the technology, the practices, procedures, methods, and how we came to our findings (discussed later).  Everyone has a baseline in ignorance in every topic.  You don’t know what you don’t know.  Sometimes, I’m amazed at the things that seemingly everyone else knows, but about which I’m completely ignorant.  It bears noting that in the information age, and particularly with the advent of AI, ignorance is becoming less of a universal truth, but that doesn’t mean people necessarily know more.


In DF/IR the ignorance level would be those who are completely unaware of what we do, including the reasons and aforementioned procedures, methods, etc.  When we give testimony, we are often informing the ignorant.  This can often be the case when we consult with attorneys about the work we’ve done and how it led to a particular conclusion.  I want to emphasize, however, that ignorance does not equal stupidity.  Ignorance is the blank slate, which is often an asset because at the level of ignorance, most people have (hopefully) not developed any bias about the information to which they’re being initially exposed.


Exposure


Exposure is the next logical step after ignorance.  My oldest son, who works in IT, had an instance where a computer operating system reinstall caused the loss of one of his customers’ important data.  He called his dad – no stranger to data recovery – and asked what he could do.  I walked him through the process of creating a physical image of the drive and using FTK Imager and Autopsy to help recover what he could.  This was his first level of exposure to anything related to DF/IR.


Exposure is also the level where the seed of interest starts to grow…. Or not.  My Intro to DF college students are all mostly forensic science majors, focusing on the hard sciences like chemistry, physics, biology and so forth.  They are not ignorant, but their first level of real exposure to DF/IR in most instances is in my class.  Some really enjoy it.  Some don’t.  A precious few realize that this may be an area of forensic science they want to pursue, which is both rewarding and validating to me as their instructor.  Their exposure is what generates interest and leads to more in-depth exploration.


Exposure can also be a dangerous place.  One only need spend some time on social media when a tragic incident like a plane crash occurs to see how previously ignorant people’s exposure to *some* information has made them a de facto “expert” in their minds about flying planes, airport operations, the FAA, etc.  Exposure forms a layperson’s knowledge base and can be productive, but it needs to be harnessed and cultivated in order to be a positive move upward.


Professional Certification and/or Practice-Specific Degree


We see a lot of certifications in DF/IR, and there seem to be more every year.  We also field a lot of questions about the value of certifications in DF/IR on professional forums like LinkedIn.  Certifications have their place, but are a very tertiary introduction to the practice, not something that automatically turns someone into an “Expert” because they can now add letters to the end of their name.  Certifications also come in different varieties, and finding the appropriate one(s) can be tricky.  There are vendor-neutral and vendor-specific certifications.  Vendor-neutral ones usually focus more on methods and procedures, while vendor-specific certifications focus more on how a specific DF/IR tool works and how to best utilize it… With some methods and procedures peppered in most of the time.  Certs are great, but sometimes they teach the student just enough to get themselves in trouble.  And as virtually anyone in this industry would tell you, the cert is useless without the ability or opportunity to put the information into practice with case work.  Case work is king.  I’d much prefer someone who has 15 years working cases and no certs over someone with alphabet soup after their name who has barely touched a DF/IR analysis in all of the time they’ve held said certifications.  There are just too many nuances to what we do that cannot be adequately addressed by a certification.


Practice-specific degrees can often be in the same realm as a certification.  While it generally takes much longer to obtain a Digital Forensics degree, having one does not necessarily mean you know anything about digital forensics.  Scrutiny should be given to the course work in the degree program.  Does the program offer hands-on lab exercises, opportunities for independent study, internships with a DF/IR shop, exposure to working cases or any other educational benefits that would make one more prepared to enter the workforce and start contributing almost immediately?  Or is it just a piece of paper and lectures ad nauseam?  Another key component to this is who teaches the courses.  All of these are large considerations when researching a DF/IR undergrad or graduate program.


Practitioner


Many of you reading this are probably at this level in some capacity.  This is where the proverbial sausage of DF/IR work gets made.  It’s how we get exposure to different devices, operating systems, artifacts, file types & systems, tools, manual analysis, and so much more.  If you’re here, you’ve made it and it’s a great place to be.  There’s job security in an ever-changing field and no shortage of challenges to overcome and problems to solve on a daily basis.


Many practitioners never testify in court.  Many of our colleagues on the IR side of DF/IR would tell you they never want to have to testify because it’s nerve-wracking and stressful.  While in law enforcement, I testified a lot, but almost never qualified as an Expert.  I did A LOT more case work than testimony, however. I still do.


Even if at a senior or executive level in an organization, if you worked your way into a practitioner role, you should always remain a practitioner.  The knowledge, skills and abilities in DF/IR are so fluid and specific that setting them aside to try and lead a team without knowing these changes have taken place will ultimately lead to a lapse in quality and thoroughness.  


Being a practitioner in DF/IR comes with a lot of responsibility.  The practitioner has to constantly be assessing new technology, options for solving problems, the law and legal decisions, and a litany of other areas related to the practice.  This position is for the life-long learner.  Getting here is a privilege that generally comes through a lot of hard work (sometimes a little luck) and should always be treated with the respect due a position of this nature.  We’ve all read the stories of forensic scientists who have falsified or embellished evidence because they didn’t want to be embarrassed or “let the bad guy go”.  This is where we have to constantly be vigilant of these traps and re-assess where we are with every case.  This takes time, dedication and a large degree of introspection.  Accountability and responsibility are key in the practitioner role(s).


Expert


Being called an “Expert” is somewhat odd to me.  And there are many, many definitions of what an expert is, both legal and as a standard of practice.  There are many working at the practitioner level who are experts and all experts should also be at the practitioner level.  In my experience testifying in courts all over the US, the general legal rule for an “Expert” witness is that you can demonstrate that you know more about the particular topic than the layperson AND can offer an opinion based upon the evidence reviewed within a reasonable degree of scientific certainty.


If you’re reading this and getting ready for your first testimony as an Expert, do yourself a favor and take these few tips:


  1. Brush up on FRCP Rule 702 and Daubert/Frye and how that applies to your testimony
  2. Watch other experts testify and take away whatever tips you can to refine your presentation. Believe it or not, there’s a YouTube channel for this called “DFIR Testimony”.  The recent Karen Read trial is a great case to check out.
  3. Know the case inside and out. Know the law as it relates to your case inside and out.  Know the arguments that will likely be levied against your findings and prepare for them.
  4. Positive self-talk is powerful.  Before every testimony, I remind myself of a few simple things:
    1. Tell the truth, completely and regardless of the consequence to the case
    2. This is just a conversation between two people.
    3. You know the evidence; you know the work.  Don’t overcomplicate the presentation.


As mentioned previously, there are many more experts in our field who probably never testify, and their writings, opinions, findings and research should be taken in to make you a better practitioner and increase your level of knowledge.  This is also how we grow as a community, both in practice acceptance and in overall legitimacy.


Teacher


Some will no doubt argue that “Teacher” shouldn’t be at the top of the pyramid, but I’ll make some arguments why it should be.  Let’s start with the elephant in the room, the adage “Those who can’t do, teach.”  I’d push back on that with my own:  “Those who practice make the best teachers.”  Furthermore, those who teach become better practitioners.


One of the most grueling mental exercises I’ve ever volunteered for is constructing my own 15-week college course.  It didn’t help that I was wholly ignorant about the process and the system at the outset, including the fact that Adjunct Professors generally don’t share much class material with other Adjunct Professors.  But not only does the curriculum development exercise obviously serve my students well, it served me well, and continues to do so as I hone, refine and update every semester I teach.  It forced me to deconstruct what we do at every basic step, and in teaching the class, it forces me to relay those steps to others.


Teaching doesn’t have to be in a formal educational environment.  If you testify, you’re teaching the jury, both counsels and the Judge through your presentation.  If you write blogs or research and publish, you’re teaching inside the community.  If you talk to folks at a holiday party about what you do in any kind of detail, you’re teaching them about our practice.  If your child needs help imaging a newly-formatted hard drive, you’re teaching them what you do.  If you give CLE or conference presentations, you’re teaching a wider audience in the legal community.


Teaching others makes us better as individual practitioners.  Teachers also have to be constant learners.   I was recently taught some techniques in MS Excel by a colleague, which proved invaluable in a particular case.  I don’t know everything, nor do I claim to.  And the ultimate “pay it forward” would be if I can pass on that knowledge to someone else.  Knowledge-sharing is something we need to do better.  It’s a challenge in DF/IR because we have law enforcement/government and everyone else.  Trust is at the heart of knowledge sharing and trust can be in short supply in some arenas of DF/IR.  I’d challenge anyone reading this to be a little more open with information sharing.  Transparency = knowledge, the proper application of which leads to justice.


As a final note on teaching, I’m glad to see that we’re growing more as a discipline at the University level.  My Alma Mater, Virginia Commonwealth University, has just announced a Master’s program concentration in DF/IR for the Department of Forensic Science starting in Fall 2025.  This program, and others like it, serve to increase our footprint and practitioner knowledge base as time goes on.


Wrapping It Up 


The “Pyramid of DF/IR Expertise” is designed to offer a series of steps to career and knowledge progression, incorporating potential goals and self-assessment.  By examining this framework, we work toward not only assessing other practitioners, but ourselves as well.  If you feel yourself slipping downward in the pyramid, it’s time to make proactive steps to reverse the trend or get out of the industry altogether.  If you’re stuck in one place (likely at the practitioner level), don’t sweat it.  We need the expertise now more than ever, and the need isn’t going away.  If you’re competent, knowledgeable and honest, you will advance upward.  


A DF/IR career wasn’t built in a day!  😀


About the Author:

Patrick Siewert served 15 years in full-time law enforcement and investigated hundreds of high-tech crimes to precedent-setting results.  Patrick is a graduate of SCERS & BCERT and is a court-certified expert witness in digital forensics, mobile forensics and historical cell site location analysis. He has published dozens of articles and is cited in numerous academic papers. He was the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA) and currently serves as Director of Digital Forensics and E-Discovery for a Nationwide (US) provider of DF/IR and e-disco litigation support services, while keeping in touch with the public safety community as a Law Enforcement Instructor in multiple disciplines.

Email:  Patrick@ProDigital4n6.com

Patrick Siewert on LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/  

Patrick Siewert on X/Twitter : @RVA4n6

Patrick Siewert on Substack :  rva4n6.substack.com 

Pro Digital (old) blog site :  https://prodigital4n6.blogspot.com/ 
