You don't belong in DF/IR

Trying to get into DF/IR breaks most people. So, you’re not going to make it. If you’re offended by the title of this post, good. That’s step one in figuring out you’re probably not cut out for this work.

I’ve seen too many people get excited about “getting into cyber” because they watched a Netflix show or heard that you can work from home in your pajamas and make six figures clicking a few buttons. They think it’s a vibe, an easy ride, or a sticker on a laptop.

It’s not.

DF/IR is not entry-level.

Stop complaining that you can’t get a DF/IR job with your college degree or 40 hours of forensic training. You are expected to be already competent because your case won’t wait for you to catch up. Your case also doesn’t care about excuses of not being sent to training to know this thing, or not being able to take a class in college because it was full, or not being able to afford to spend the time or money to learn the job.

Like any high-caliber selection process, DF/IR is open to anyone with the right mindset and dedication, regardless of who they are. The determining factors are competence vs. incompetence, problem-solver vs. problem-creator, complainer vs. doer.

There are no participation trophies in DF/IR.

Digital Forensics/Incident Response is not for tourists. This isn’t a side hustle. This isn’t a Reddit thread. This is work. Real work. The kind of work where someone’s business, freedom, or life is on the line based on whether you find the right artifact, follow the right lead, make the right call, and back it up with accurately interpreted data for facts that survive in court.

And that’s on a good day.

If you need motivation, DF/IR isn’t for you. If you need reminders, deadlines, or someone to tell you what to do every step of the way, you’re already a liability. If you have an excuse for everything and an answer to nothing, that’s your answer: nothing. Self-reliance and the ability to independently solve problems are essential in DF/IR. If you are constantly asking ‘how-do-I’ questions, the answer is always going to be to figure it out yourself.

Still interested? Cool. Let me paint you a better picture.

You’re working a case. The evidence is scattered across four mobile devices, a burner laptop, a remote server in another country, and an encrypted messaging app. You’re cross-referencing logs, image metadata, and partial timestamps, and maybe, just maybe, you find a link that ties it all together. That’s Tuesday.

Then one day, maybe a month later or even more than a year later, you go to court. You get cross-examined by an attorney who makes you feel their only job is to make you look incompetent. Your credibility, training, and methodology are all under fire.

I hope your report wasn’t half-assed. I hope you interpreted the data correctly and can convey the story. And I hope you don’t fold under pressure and wreck it all, because then there will be irreparable injustice for the victims.

Do not expect to leave DF/IR the same as you came into it.

Oh, and let’s not forget the content you’ll eventually see. If your stomach turns when someone even mentions crimes against children, human trafficking, abuse, torture, or anything we categorize as “CSAM,” then please, seriously, go find another career. I’m not saying that to be edgy. I’m saying it because it’s real. You will see things you will never, ever forget. Some of us still see them every time we close our eyes. And the sounds…the sounds never go away.

If your biggest fear is dark web malware or ransomware gangs, you haven’t seen the real monsters. The real monsters are walking around with clean records, paying their taxes, and doing unthinkable things behind closed doors, and it’s your job to catch them.

And the tools? They don’t do the work. You do. Tools help. They’re essential. But they don’t think. They don’t analyze. They don’t build timelines, ask questions, interview suspects, or find correlations across devices. You do. And if your first instinct when you hit a dead end is to say, “The tool must be broken,” please pack up and go away.

DF/IR takes obsession. Not curiosity. Not interest. Pure, unadulterated obsession. The kind that keeps you up at night replaying case details in your head. The kind that makes you grab a pen at 2 AM because something didn’t sit right, and you need to get it down before it’s lost. The kind that makes you constantly second-guess your findings because you know what it means if you’re wrong.

A friend of mine recently relayed digital forensic testimony he gave in a sexual assault case where the defendant was found guilty and sentenced to 17 years. The recovered deleted digital recording that was played for the jury probably gave the entire courtroom PTSD, which doesn’t compare to what the victim went through. This is important work.

So no, you’re probably not going to make it.

We don’t need any more keyboard warriors, digital tourists, or resume chasers in DF/IR. We need investigators and practitioners. DF/IR needs people with iron stomachs and brains wired to chase answers that don’t want to be found. We need persistence, determination, and the raw grit it takes to figure out what is needed to become competent against any obstacle.

Working in IR and not expecting these types of cases? There's a good chance your non-DF work will hit a DF case just as hard.

For Those Already in DF/IR: Your Role as the Gatekeepers

If you’ve already made it into DF/IR, then you’ve put in the time, fought through the frustration, and built the skills. Now you have a responsibility. Not to make it easier for the next generation, but to ensure only the right people get through. Gatekeeping in DF/IR does not mean keeping out potential. It is the absolute opposite of that. All are welcome. Not all are able.

There is a fine line between nurturing potential while also maintaining high standards and wasting everyone’s time. You need to know the difference.

For those thinking about or working to get into DF/IR

If you're still here, a little angry, maybe even insulted, but more determined than ever, good. If you are eager to spend an ungodly amount of time learning and spend every cent you have left to be shown how to excel, then that’s step two.

Welcome to the tip of the cybersecurity spear.


Source: https://brettshavers.com/brett-s-blog/entry/you-dont-belong-in-df-ir

John Ricorn Morilla

Associate Manager - Senior Infrastructure Engineer L3 & Cybersecurity

18 hours ago

I am a beginner in this field. Do I also need to invest time learning the laws of the land? Since you mentioned going into courts. I don't want to present a case/findings only to have them twisted by some unruly dirty lawyers who are veterans circling around corners to avoid damages to their clients.

German Ballardo

Senior Forensic Analyst

22 hours ago

Well said

Larry Leibrock

eDiscovery Consultant - eForensics | Complex Cyber-Enabled Investigations - Expert Witness Cybersecurity - Investigations in End-Points and Critical Infrastructures - Mobile Devices (Opinions Expressed are Mine)

1 day ago

Excellent and concise advice

Jovianna Gonzalez

CEO at Digital Forensics Now | Top Women in Cybersecurity - Americas | Award Winning "Woman Owned Company of Excellence” | Thought Leader | Digital Forensics Expert

1 day ago

Love this!

Patrick Siewert

Director of Digital Forensics & eDiscovery | Adjunct Professor & Nationwide Instructor | Expert in Digital Evidence & Cellular Location Records Analysis

1 day ago

… And then there’s the “business” of DF/IR. And I’m not only referencing those of us who have transitioned to the professional services side, although there’s definitely a calculus that goes into time vs budget vs effort. Government is the biggest business around. More revenue, manpower and resources than any company, bar none. And certainly more than any individual. The revenue is justified and allotted by statistics & (sometimes) end results. What’s the point? All of the things you mentioned are 100% correct, but magnified under the weight of more limited resources, time, manpower, etc. Oh, and then there’s the silly games of “hide the evidence” that’s pervasive amongst some in the government space. So I’d only add… Yes to all of what Brett wrote, and even more so if you want to work in the private sector.
