I paid $250,000 to learn forensics…and still don’t know forensics...

I have a confession: I’ve spent over $250,000 in my career on learning digital forensics and incident response (DF/IR) and for the licenses, subscriptions, and renewals. From college courses to certification programs, training courses, conferences, books, software, hardware, and travel expenses, I’ve invested more money than most people would even consider spending in a single profession.

Add to this amount how much my past employers paid to send me to training! Also, I can't forget the thousands of hours in classrooms because time is a cost.

Yet, I can’t count the times I’ve finished a course or completed a training session and thought, I still don’t know forensics.

But don't think that I spent $250,000 last year! This is over years! Let me explain.

The Mirage of "Completion"

When I first started learning DF/IR (it was called "computer forensics" back in those days), I believed in the illusion of completion. The idea was simple: Take a class, get a certification, and voila! I'm a forensic examiner. Except that’s not how it works. I’d attend a class and think I understood how to use a particular tool or approach a specific type of analysis, but the reality always hit hard when I returned to real-world cases. The cases were messy, the data didn’t fit neatly into predefined categories, and my tools weren’t giving me the "answers" I expected. The perfect training scenarios never fit actual casework.

And because I didn't know what I didn't know, I sometimes blindly accepted what a tool showed me...even when I doubted what I saw.

The truth is that no course or certification can prepare you for every situation you face in this field. Forensics isn’t a box to check or a skill to master in a few weeks. It’s a mindset, a process, and, most importantly, a lifelong journey.

What the $250,000 Bought

Let’s break it down a little:

College Education:

  • Value: Foundation of learning.
  • Limitation: So many of the classes I took were outdated.

Certifications:

  • Value: Boost credibility and structured learning.
  • Limitation: Tied to specific tools/methods; didn't teach adaptability.

Tools and Software:

  • Value: Efficiency and case-solving.
  • Limitation: Wasteful without the knowledge to use them effectively.

Conferences and Workshops:

  • Value: Networking and exposure to trends.
  • Limitation: Buzzwords over actionable takeaways.

Books and Training Courses:

  • Value: Diverse perspectives and ongoing education.
  • Limitation: Often surface-level or overly broad.


What $250,000 Didn’t Buy

The $250,000 I spent didn’t buy me:

  • Critical thinking under pressure.
  • Experience gained through mistakes.
  • Confidence in defending findings in court.
  • Intuition for seeing patterns in chaos.
  • Human behavior and psychology in understanding the offender mindset.
  • Making mistakes and errors because they are costly, risky, and painful.
  • Handling ethical dilemmas because the answers are rarely clear-cut and your reputation is at stake.
  • Attribution and intent because it is mostly circumstantial requiring technical expertise and investigative skills.
  • Learning when to stop, dealing with failure, and balancing technical and legal knowledge.

Those skills aren’t for sale. They’re earned through doing the work. Every tough case, every late night, every dead end you pursue teaches you something money can’t buy.

But, you can get insight on these things from those who have gone through the pain themselves if you can find someone willing to teach you and, more importantly, articulate and convey these lessons to you. Otherwise, you'll have to endure the pain personally.

Money wasted

I took a few training courses that were 99% wasted time and money. One out-of-state course cost me several thousand for the class, a plane ticket, rental car, meals, hotel, and vacation time. The course was a disaster in terms of content and instruction for many reasons.

Another course I regretted was a week-long training, again out of state, where the software company later closed down…that happened to me twice with two different software companies. I learned how to use tools that disappeared.

I’ve bought books that I thought applied to what I wanted to learn, but they failed to deliver. I’ve taken college courses that were regretful in the time and money spent. It happens, and I try to learn something from even the worst providers to get something out of it.

Of all the money spent, I'd say 10% fit in the wasted bucket. Some of the reasons were the quality of what I paid for, and others were because I paid for something I didn't need. After all, I didn't know what I needed.

The Real Value of Learning Forensics

Here’s the paradox: While I can say that $250,000 didn’t teach me forensics, it did enable me to learn forensics. Every course, tool, and book was a stepping stone. Each added something to my understanding, even if it wasn’t immediately apparent. The certifications helped me get a seat at the table. The tools helped me solve cases. The books and workshops gave me new perspectives. Listening to those who had experience and shared their perspectives gave me insight I didn’t have.

But the real learning happened when I applied all that knowledge to actual investigations. It’s in the doing—not the spending—that you truly grow.

Lessons Learned

Here’s my advice:

  • Don’t Chase Perfection: Progress over perfection.
  • Invest in Experience: Volunteer, intern, and take on challenging cases.
  • Think Critically: Tools give data; you turn it into evidence.
  • Never Stop Learning: The field evolves, so should you.
  • Build a Network: Learn from experienced practitioners.
  • Evaluate Every Investment: Ask what value you’ll gain before spending.
  • Don't put your family at risk: Be responsible in spending time and money!

Buying time

I regularly see complaints online about the cost of software and training, and I truly understand the pain of running a credit card that racks up thousands of dollars to get a dongle….or just 8 hours in a classroom… I believe that pain is the price to buy time, and we get the better end of those transactions.


Consider that an 8-hour class could save you weeks of learning independently (while making mistakes!). One software application that may cost thousands can probably allow you to solve a case a week faster. Even a book you can finish reading on a weekend can give you a perspective and thinking methods to save dozens of hours or even your career.

I have worked on cases that took weeks to get what I needed. Learning to apply the best tools for the tasks and truly investigate the cases now takes me minutes or hours to do what I was doing for weeks because of one class or one book or choosing a more appropriate tool.

The alternative is to not invest in yourself and choose to self-learn everything. The problem is that you might learn the wrong or old way or not learn something you should have learned. You won’t know if you are doing it right or if you could do it more efficiently. You can spend hours and hours and hours over weeks and months learning something that a class can teach you in a day.

Without trying to embarrass myself, I was doing a forensic task that took me practically an entire day on many cases. In a course I took, I learned how to do that one task in minutes, where I spent more hours than I care to admit. I'll never get those hours back, but it was a very important and worthwhile lesson.

Some of the best investments made were inexpensive

I spent $15 on coffee with someone who I consider my most important role model in DF/IR. That one hour jumpstarted me more than any class I ever took by putting me on a path I would have missed otherwise. Cost: $15 and one hour.

Another role model introduced me to a tool that made me money using it and allowed me to do things that I would not have been able to do in the cases I used it. Cost: 5 minutes during a break in a conference.

Meeting the second-best* DFIR professional in Seattle at the beginning of my career confirmed that I was on the right path, mostly because his freely given advice meant the world to me. Cost: 30 minutes in traffic and 15 minutes in his office.

I held onto the shirttails of incredible investigators as they worked cases and learned more than anything I have ever read, studied, researched, or heard in any training course. Cost: Years of being at their beck and call to glean every drop of experience and hang onto their every word.

In cases where I could interview the suspects (outside of being undercover), the insight into how offenders think, act, react, and feel was worth every minute of the conversations. Cost: Hours of critically listening, asking good questions, and being a temporary visitor in their world (aka: their mindset).

I was comped an 8-hour course for review and heard some perfect analogies of a complex subject that I have since used in court testimony. One analogy worked so well, I got the point across in 3 minutes when the subject is so complex, you could spend 30 minutes trying to describe it. This will save me paragraphs of writing in reports and a half hour in every court or deposition. Cost: 8 hours.

The Journey Continues

I’m still learning forensics. Every case brings new challenges, every year brings new tools and techniques, and every failure teaches me something valuable. The $250,000 wasn’t a waste—it was the price of admission to a journey without end.

So, every $1 that I spend on training, reading, or certification gets evaluated based on what I expect to get out of it. Sometimes, it’s a one-for-one trade, but most of the time, I get 10x the value in time saved, improved accuracy, and better comprehension of the data in front of me.

About that $250,000 number...it's most certainly more than that because DF/IR is expensive...I just don't want to scare away those wanting to get into DFIR or scale up in their career.

Unfortunately, you can't do this work with just one dongle and one class. Getting into the field, gaining competence, earning a reputation, and figuring out what you need is complete chaos until we who refuse to participate in regulation will be regulated by inferiors**.

*aka: inside joke

**Plato figured this out well before us, and we still don't get it.

source: https://brettshavers.com/brett-s-blog/entry/i-paid-100-000-to-learn-forensics-and-still-dont-know-forensics

Julie Calboutin

Quality Engineering Leader | Driving AI-Enhanced Software Excellence

2 months

Great breakdown. And the cost of all of that (specifically the immeasurable learnings from experience) is what companies are getting by hiring experienced people over inexperienced people. Especially in IT where things are changing so often that the mindset and ways of learning are what are critical.

Amin N.

Cyber Security Lead @ MYER | Information Security Generalist | CISM

2 months

Interesting post and since I'm reading and trying to involve myself more in dfir now, what would you suggest is a good starting point, I'm currently reading investigating windows systems by Harlan Carvey and also file system forensics side by side. I'm also going to buy dfir investigation mindset (your book). Any suggestions would be good.
