How do you know if your DFIR case will be an amazing case or a case from hell?


How do you know if your DFIR case will be an amazing case or a case from hell? The worst way to find out is when you check the news and see your name and case blasted everywhere online.

The answer: You won’t know until it is too late.

When you are working a case (or incident), some of the first things that go through your mind are:

- **Is this case important?**
- **Will this case substantially impact my job, career, or organization (negative or positive impact)?**
- **Will this case become publicly scrutinized?**
- **Will this case be picked apart at a trial?**

Well! Here is the flow chart with the answer before you start the case.

Of course, there are many factors to consider for every case, but one of the most frustrating is not knowing whether the case will be a great case (positively important to the organization or the public) or a never-ending disaster (i.e., a case from hell, or a case that will not die).

A Few Personal Examples

I’ll use personal examples from different types of cases. They will probably give zero insight into how to tell in advance which cases will end up great and which not-so-great, but they do show that, since you can never know for sure, you should treat every case as if it will not work out the way you expect.

#1 Forensic case

Runaway teenager. No foul play expected. Analysis of the teen’s device (forensic image created). Nothing discovered of obvious importance. The lead detective decided to have the forensic image wiped, case closed. "Just" a missing kid...

Result: Teen had been murdered. Became a media event. Charges were brought a few years later. I got to say "I told you so."

Lesson learned: Don’t assume that a “nothing” case is nothing. Keep evidence until you know for certain.


#2 Forensic case

Simple IP theft. Small dollar amount litigation. Few devices. Open and shut case. Light forensic work, per the client.

Result: Substantial crimes alleged. Major criminal investigation initiated. Forensic analysis objectives changed to reflect the alleged crimes. Case took years to conclude.

Lesson learned: What seems simple can turn a corner faster than a Lotus on rails.


#3 Forensic case

Simple imaging of a USB flashdrive for another examiner. No further involvement in the case. Was told “Just image the USB.”

Result: Flashdrive was the most key evidence in the investigation. Case became publicly important. Defense constantly tried to attack the acquisition. Case took years to conclude. I've never testified so much for creating an image in my career.

Lesson learned: It’s never just an acquisition.


#4 Search warrant assist (terrorism/drug case)

Multi-state DEA search warrant assist. Role was to babysit kids in one of the search warrant locations with another detective during the search. More accurately, I ended up babysitting kids with another detective while the federal guys did all the searching.

Result: Everyone sued for so many things that I can’t remember them all. Some of the allegations were waterboarding and torture and other crazy stuff. After several years, the case was eventually dismissed as being crazy. (No, that wasn’t the actual judgment.)

Lesson reaffirmed: It is good practice to always write a report, even for things that don’t appear to need a report. And your report will certainly help someone else who didn't write a report!


#5 Drug possession case

Patrol drug arrest (basically, someone in a traffic stop arrested for drugs). Case filed. Short affidavit. Just like the hundreds before it.

Result: Defendant went to trial, with a dozen officers testifying to every aspect of everything involved and not involved in the arrest. Cross examinations were long and demanding. Most everyone testified from memory, since no reports or notes had been taken. Defendant eventually lost the case.

Lesson learned: No matter your role, keep notes and keep good notes to make your potential testimony easier, or maybe even prevent a case from getting that far in the justice system.


#6 Embezzlement case

Bookkeeper fired for embezzling a few thousand dollars. Asked to only copy “the books” from a desktop for the forensic accountant to examine. I offered to image the entire drive as the computer was to be kept in service with the new bookkeeper. I even carved out files that looked like financial records, just in case...

Result: The “books” didn’t show anything. But the files that I carved from the image showed that the embezzlement was closer to a million dollars than a thousand dollars and turned a simple termination of an employee into a serious criminal investigation with substantial jail time.

Lesson learned: If resources allow, go a little deeper in the work to make sure you cover all bases. All I did was imaging and data carving, but it made all the difference for the forensic accountant.
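The two habits this example turns on, carving files out of a full-drive image rather than trusting only "the books", and documenting what was found so the acquisition survives scrutiny later, can be shown in a few dozen lines. The following Python is an added illustration, not the author's tool or any real carver: it walks a constructed raw image for three well-known file signatures (PDF, ZIP/OOXML, legacy OLE), carves each hit, and produces a log entry with the image hash and the offset, length and SHA-256 of every artifact. The signature table, the 4 KiB cap for footerless types, and the sample image are all assumptions made for the demo.

```python
"""Signature-based carving over a raw image, with an examiner's carve log.
Added example (not the blog author's code); signatures and sample data are
constructed for the demonstration."""
import hashlib
from dataclasses import dataclass, asdict

# Hypothetical signature table: kind -> (header magic, optional footer).
# Real carvers ship far larger tables; these three cover PDF, ZIP containers
# (which is what .xlsx/.docx are) and legacy OLE (.xls/.doc) files.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "zip": (b"PK\x03\x04", None),
    "ole": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None),
}
MAX_CARVE = 4096  # assumed cap for types with no footer


@dataclass
class Carved:
    kind: str
    offset: int
    length: int
    sha256: str


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_headers(image: bytes):
    """Return (offset, kind) for every header hit, sorted by offset."""
    hits = []
    for kind, (magic, _) in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def carve(image: bytes):
    """Carve each hit to its footer, or to the next header / MAX_CARVE if it
    has none.  Footerless carves over-collect trailing bytes; that is normal
    carver behaviour and why carved output still needs examiner review."""
    hits = find_headers(image)
    results = []
    for i, (start, kind) in enumerate(hits):
        _, footer = SIGNATURES[kind]
        next_start = hits[i + 1][0] if i + 1 < len(hits) else len(image)
        if footer:
            end_idx = image.find(footer, start, next_start)
            end = end_idx + len(footer) if end_idx != -1 else next_start
        else:
            end = min(next_start, start + MAX_CARVE)
        chunk = image[start:end]
        results.append(Carved(kind, start, len(chunk), sha256(chunk)))
    return results


def carve_log(image: bytes, image_name: str) -> dict:
    """Examiner's note: the image hash first, then every carved artifact, so
    anyone can re-verify the source and each finding later."""
    return {
        "image": image_name,
        "image_sha256": sha256(image),
        "artifacts": [asdict(c) for c in carve(image)],
    }


def build_sample_image() -> bytes:
    """Constructed test image: filler, a tiny PDF, a ZIP local-file header
    naming a spreadsheet, and an OLE header, separated by 0xff filler."""
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    zip_ = b"PK\x03\x04" + b"\x14\x00" + b"\x00" * 40 + b"ledger.xlsx"
    ole = SIGNATURES["ole"][0] + b"\x00" * 64
    filler = b"\xff" * 512
    return filler + pdf + filler + zip_ + filler + ole + filler


if __name__ == "__main__":
    for entry in carve_log(build_sample_image(), "sample.dd")["artifacts"]:
        print(entry)
```

Running it prints three artifacts in offset order. The PDF carve stops exactly at `%%EOF`; the ZIP and OLE carves run to the next header or the end of the image, which is the over-collection a real examiner then trims by parsing the container. The point of `carve_log` is the same as the blog's lesson: the hashes and offsets are what let you defend, years later, exactly what was carved from which image.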


If you spend enough time doing any forensics or investigations work, you are bound to have a case that will not die (just keeps going on and on and on and on…). This is not a bad thing unless you did not take the case seriously in the beginning.

This only means that by taking good notes, treating the simple tasks as if they will be scrutinized to the most minute detail, and always assuming that any case can instantly turn into the biggest case you have ever worked, your work will not be problematic. Sometimes it may be years later when the case pops up again. Either way, you just never know which case will keep you up at night.

Written by: Brett Shavers