July 1, 2025
DF/IR: This *Stuff* Isn’t For Everybody
“Difficulties strengthen the mind, as labor does the body.”
-Seneca
Letters from a Stoic
Some of those who have been reading my posts and other ramblings on LinkedIn and X know that I’m still fortunate enough to keep in touch with the law enforcement community through teaching active shooter response for a Nationwide training provider. In this notably specialized “side-hustle”, which is no doubt a departure from DF/IR (don’t worry – I’ll get there), I have the opportunity to connect and work with professionals from law enforcement and military circles, many of whom I stand in awe of because of what they’ve been able to accomplish in their careers through mental toughness, physical conditioning and honing their craft to surgical precision.
Several years ago, I was teaching with such a professional – a former Navy SEAL who, when I first met him, never introduced himself as such until we did instructor introductions for the class, during which he casually mentioned that he was part of SEAL Team 4 and served several deployments to Iraq & Afghanistan. He was a quiet professional, not really speaking much further about his service until we had been together for several days. During the lunch break on day 3 of a 4-day class deployment, he relayed this anecdote from SEAL Training (paraphrased):
During SEAL training, the candidates would often train in harsh conditions, undergoing sleep deprivation and starvation to assess their physical and mental toughness. One such iteration had them treading water in the ocean off San Diego in February, where the water temperatures were quite low, causing some to slip into hypothermia. He said the medical staff would monitor this closely and pull candidates out of the water if their body temperature dipped below safe levels and “their Trident would be pulled” on the spot.
I was naive, so I asked what that meant. “You’re done”, he said. “You’re out of the program.” I was astounded. It’s not like you can control your body temperature in cold water very easily. It’s an autonomic response. Your temp either stays at/above acceptable levels or it doesn’t. When I mentioned this, his response was to look at me rather matter-of-factly and state “The shit ain’t for everybody!”
The DF/IR Corollary
Recently there’s been some discussion amongst DF/IR colleagues about several topics. Brett Shavers touched upon this in his articles both on Mastery of DF/IR topics and in one titled “You Don’t Belong in DF/IR”, but my goal in this month’s iteration is to expand on this a bit.
Digital Forensics and Incident Response both require very specialized skillsets that go beyond standard IT Admin work and incorporate expertise that is deemed appropriate for a particular case or incident application. One of these is the ability to articulate and explain what you did, why you did it, the steps you took to find what you found and, ultimately, the ability to explain all of this in testimony to a judge, jury, opposing counsel, etc.
Testimony is where the rubber meets the road. The trend, however, is that fewer and fewer DF/IR practitioners have the desire to meet this bona fide occupational qualification (BFOQ) of the role.
Several have disputed this notion with me over the years, but when we look at the Webster’s Dictionary definition of “forensic”, it’s pretty clear: belonging to, used in, or suitable to courts of law or to public discussion and debate. So the “F” in DF/IR is directly related to presenting evidence in a court of law, and the current trend is to get into the field without fully appreciating that this is not only a qualification, but a very real possibility.
Why Do Some Fear Testimony?
While arguably a BFOQ of a DF/IR practitioner, it’s apparent when hiring for and working in this field that the reality of testimony, sworn declarations and other on-the-record pleadings doesn’t really occur to many working to get into it. To clarify, there are several different tracks to pursue. The most interesting track, and the one most likely to lead to testimony, is the investigative/litigation support track. If you are seeking employment at a digital forensic/e-discovery firm or a role supporting law enforcement, you should expect to have to testify. But how does one “learn” how to testify? There are no undergraduate college courses in expert testimony being widely taught. Even if there were, practicing in a sterile moot environment is less than ideal. One can choose to go watch testimony, which can educate about what to expect, but it’s an entirely different thing to be under oath giving your own testimony that may lead to someone serving a long prison term (or not) or contribute to the fact pattern of a large judgement (or not).
I generally have my own experience on which to draw with regard to this, so the track for me was natural and gradual. As a patrol officer, I testified frequently with regard to traffic citations and minor arrests, and presented the evidence of those street-level offenses. As one who was relatively prolific in DUI enforcement, I further got educated in the “science” of DUI and how to adequately testify about DUI suspects. From there, several serious felony incidents occurring on school grounds while I was an SRO helped elevate the testimony experience. After a few years as an SRO, I moved to narcotics investigations, which admittedly is the low rung on the investigative ladder, but a great place to start and continue to practice testimony skills. But it wasn’t until I started working ICAC full-time, and with a very supportive prosecuting team, that my testimony ability really began to grow exponentially. I was fortunate to not only work with very proactive & supportive prosecutors, but also ones that would take the time to help me along with effective testimony. Couple all of that with making high-profile cases which often went to trial, and embarking on the digital forensic path, and the exposure to testimony was one of the most invaluable experiences I could have gained in law enforcement. And how long did that take? Everything cited in this paragraph took about 15 years.
No one expects a new DF/IR examiner to be great at testimony overnight. The frequent comment I hear from new examiners when it comes to testimony or declarations is, “I’ve never done this before”. To that, I would offer that everything in life, you’ve never done before. For everything, there is a first time (yes, I just quoted Spock). From the first declaration to the first testimony, the experience only builds from there. But you have to be able to articulate, communicate and explain things in terms people can understand. I wrote about that more in the article linked here.
Testimony In Relation To IR Work
“But Patrick”, you say, “I don’t need to know all of this testimony stuff! I work in IR, we don’t do testimony!” While perhaps a valid retort, I would offer that even though you don’t *normally* testify, you should have the ability to testify effectively. What you do almost daily should require you to communicate your methods and findings to stakeholders, who often make system-wide decisions that have ramifications beyond a single incident. It should require you to be able to adequately put your methods, findings and conclusions in writing. In effect, you are “testifying” for the CIO and any other interested parties in the matter. The ability to effectively communicate does not wane just because you don’t testify formally in court.
Beyond that, there are an increasing number of instances where 1) security incidents in the private sector overlap with law enforcement investigations or lead to litigation, so the likelihood that you will have to testify or write a formal declaration at some point is very real and only going to increase over time; and 2) civil litigation arising out of theft of personal information may require you to testify about what happened, what you did to help find out what happened, and what you did to prevent it from happening again.
Back to “This S*&t Isn’t For Everyone”
Why isn’t this DF/IR shit for everyone, as my SEAL training cadre member so eloquently put it? Because it requires the analyst to:
- Think long and hard about whether or not they want to do this job. Yes, “digital forensic examiner” sounds cool, exciting and challenging. But with those labels comes hard work, and you won’t get to a level of expertise worthy of testimony overnight.
- Study what works and what doesn’t. Check out the DFIR Testimony page on YouTube. There’s some fantastic video being posted from real trials where experts on both “sides” of a case testify, some much more effectively than others. If you look at this and you decide this is something you’d eventually like to do, great! If you look at this and get scared to death and feel the pressure may be too much, it might be time to reconsider.
- Put your ego aside. Testimony in DF/IR isn’t a battle of who is more right. It’s a test of who can most adequately relay the facts of the analysis so the finders of fact can come to an appropriate decision. If you feel that you have such a stake in the outcome that it might affect your testimony, again, it might be time to reconsider. As much as I respect the ICAC investigators and examiners and the work they do (via personal experience), many of them come around to advocating for a particular position. That’s not what any of us are supposed to do.
- Practice, assess, get more experience, get better, keep improving. Fifteen years of testimony started with RADAR calibrations and breath alcohol tests and ended with multiple defendants being sentenced to record-breaking terms in prison for their crimes against children. If I had the ability to investigate those record-breaking cases in my first 3 years in law enforcement, they likely would have not turned out so well. Point being: Improvement and growth are a continual process. Even since matriculating out of law enforcement, every case and every testimony teaches me something. Never stop learning from what you did well and what could be improved, and use the experience of others to self-assess what you could do better.
So if you read those points above and put your idea of the digital forensic career through the crucible of what to expect, and burn it down to its baser elements, and you still want to do this work, God Bless You! We need good, capable, smart people in this field – both in and out of law enforcement. We need people whose desire to get at the truth is only matched by their ability to explain it to the fact-finders in the case. This should be our ultimate goal as a practice area of forensic science, yet we should never be satisfied with the status quo.
Like Sisyphus pushing the rock uphill for eternity, the DF/IR path is both a curse and a blessing, but always an amazing opportunity to contribute to the collective good.
About the Author:
Patrick Siewert served 15 years in full-time law enforcement and investigated hundreds of high-tech crimes to precedent-setting results. Patrick is a graduate of SCERS & BCERT and is a court-certified expert witness in digital forensics, mobile forensics and historical cell site location analysis. He has published dozens of articles and is cited in numerous academic papers. He was the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA) and currently serves as Director of Digital Forensics and E-Discovery for a Nationwide (US) provider of DF/IR and e-disco litigation support services, while keeping in touch with the public safety community as a Law Enforcement Instructor in multiple disciplines.
Email: Patrick@ProDigital4n6.com
Patrick Siewert on LinkedIn: https://www.linkedin.com/in/patrick-siewert-92513445/
Patrick Siewert on X/Twitter: @RVA4n6
Patrick Siewert on Substack: rva4n6.substack.com
Pro Digital (old) blog site: https://prodigital4n6.blogspot.com/