ADF Bret: Hi Brett, thanks for taking time to talk! My first question is, what’s with the extra “t”? I’m just kidding of course. Growing up, one of my best friends spelled his name with two “t”s so we just refer to one another as Brettt so as not to offend one another.
Brett: A rose by any other name…
ADF Bret: You’re a digital forensic examiner providing private consulting and training to government agencies and you’ve also found time to write quite a few books, including Placing the Suspect Behind the Keyboard, Hiding Behind the Keyboard, and X-Ways Forensics Practitioner’s Guide, all of which have received nominations for Best Forensic Book of the Year. How did you get started writing books for the forensic community and what (besides the money and fame) keeps you writing?
Brett: Much like any author writing forensic books, I wanted to write the books that I wish were already written by someone else. I would have bought them if they already were written! My first two books were published within the same year, so they competed against each other for Best Forensic Book of the Year and the X-Ways book won. That was neat, and certainly having Eric Zimmerman as my co-author helped. I will keep writing books whenever I need a book that hasn’t already been written, so hopefully we get more authors writing books.
ADF Bret: Who do you create for? In other words, as a cybersecurity instructor, do you have a specific type of person in mind when you are producing content?
Brett: I tend to create content for myself, or at least what I want to learn, what I think is important to learn, and what I think others would want to learn. There really isn’t a specific type of person, because in this field, you can be having a cup of coffee while watching a progress bar and the next minute the phone rings and you’re running out the door to handle someone’s emergency. That’s a broad audience for creating any content!
ADF Bret: Your readers have come to rely on you for forensic knowledge and best practices. How do you stay current, as busy as you are writing, training and running DFIR Training?
Brett: Constant reading. That’s the secret. Books and blogs and blogs and books. And of course, squeezing in a few good conferences and courses to meet great people. I give presentations a few times a year, and even a one-hour talk forces me to seriously learn what I am going to talk about. Then putting all of it into use, either on real cases or real practice cases, ties it all up in a nice package.
The DFIR Training website does take up a lot of time, but the content that I put on the site is the content that I also need to know, and what I think many of us should know. Whether to find a tool or training or artifact, my intention is to have the information one click away for when you need it. Just wait and see when I finish the forensic artifact database. When the forensic artifact database is done, or at least populated with enough data, you will be able to search for tools linked to an artifact, or an artifact linked to multiple tools to recover that artifact, and have the white papers for that artifact, videos, and training courses all cross-referenced.
ADF Bret: It’s my understanding that you served in the USMC before a career in law enforcement. Can you tell us about that experience and your transition from the service? Do you have any advice for others transitioning out?
Brett: Ah, yes. I was 17 years old in bootcamp, then went straight to 2/3. Any Marine reading this knows exactly what 2/3 means…Marine infantry. 2nd Battalion, 3rd Marines. This was quite a bit before the Cyber commands were created and I would much rather have gone into the Marine Corps Cyberspace Command had it existed at the time. But my time in the Corps was worth it for more reasons than any job training.
I had an easy time transitioning mentally as I knew that I wanted to get into law enforcement. It took a few years after the Marines, and I worked in a jail before eventually being hired as a police officer. Since I always knew what I wanted to do after the Marines, I prepared myself and just drove on until I got it. Not knowing what you want to do or not knowing what you will accept doing until then will make transition difficult. Being patient and persistent never hurts either. Make a plan. Follow the plan. Adjust as necessary.
ADF Bret: Do you have a favorite case that you participated in? Can you share any stories?
Brett: I only spent a few years on the street in patrol, with some years in SWAT and bike patrol. I didn’t have any cases per se, other than handling emergency calls. But since the majority of my time was undercover narcotics, I had quite a few memorable cases. I bounced around different state and federal task forces and was part of many really cool cases. I have some favorites, but the favorite thing was being able to work with so many experienced officers, detectives, and agents, with some of them having worked famous investigations. One of the agents that I worked a case with had his case turned into a movie a few years ago. That’s the kind of people that I had the honor to work with, those with great investigative skills. I hung around them as much as possible hoping that their experience would rub off on me. I hope that a little of it did.
I can say that I’ve had more than a few experiences that could have gone the wrong way and am glad to have not had that happen. I’ve solved murders, infiltrated outlaw motorcycle gangs, operated undercover in international crime organizations, was hired as a hitman to kill informants, worked a few terrorism cases, broke up some human trafficking operations, and bought a lot of drugs. I never did kill any informant by the way, but I did make the arrests for the conspiracies to commit murder.
ADF Bret: Brett, you also teach in the University of Washington, Computer Science and Engineering department. What led you to that and how has being a professor changed you?
Brett: UW asked me to teach years ago, and I accepted thinking it would be fun, and I was right. But I also learned that the time needed to teach in academia is way more than you could ever expect. I have been teaching and instructing for over 30 years now, but UW was my first time teaching in a graduate-level setting, which meant that I kept the tempo up, which also meant that I had to keep up with everything! My personal goal was to make sure everyone gained 100% from the program and be motivated to keep learning after graduation. I met some exceptional students in the program, in that some were already top in their current fields of software development and others I know will be.
ADF Bret: You’ve taken hundreds of hours of training and specialized digital forensic training from the Federal Law Enforcement Training Center (FLETC). Do you have any advice for officers and agents considering training at FLETC, NW3C or other similar training programs?
Brett: The most important aspect of training is to take it when you can get it, because opportunities don’t come at you when it is convenient. Especially if you are already in government, grab the training now because it is not as plentiful in the private sector as you have it in the government sector.
Before I left law enforcement, I had over 2,000 hours of formal training, in a chair in classrooms across the country. On top of that, I had too many hours of on-the-job training to count. Then the practical experiences from case initiation-to-court. After I entered the private sector, all of that training ground to a near halt because corporate spending is tighter than public tax dollar spending. Now, I carefully evaluate every training expense, not just because of funding, but because of time. It’s a different world, so my advice for those in LE now, is to grab the training when you can get it because you don’t know when you can get it later.
ADF Bret: What do you think forensic investigators and examiners can do better?
Brett: That’s a tough one, because of perspectives. With where I am at now, I can choose who to work with, which clients I want to accept, and the types of cases I want to work. Because of this, I choose to work with really good folks and companies and tend to only see highly skilled and professional (as in also nice) people. With this, everyone is practically helping everyone else to be better and to work good cases and incidents.
But I am certainly aware that some of us can do things better. Communication and mentoring are probably the two most important suggestions that I can give. If we communicate effectively and help each other, we can each grow in skills and competence. It’s a win-win when you help someone else perfect a skill or learn a process that they didn’t know before you showed it.
ADF Bret: You spend a vast amount of time helping others improve themselves. How do you want to improve yourself in the next year?
Brett: Next year, I want to be better. That is about all I can say for next year because I go day-by-day. My goal for today is to learn something that I didn’t know yesterday or do something a little better than I did yesterday. Or maybe encourage someone today for them to do better tomorrow. I want to focus daily on the little things for constant improvement, even if the forward movement is only an inch.
ADF Bret: Do you have any thoughts or predictions on how IoT, AI, machine learning, robotics, drones and the like will impact the role of forensic investigators and examiners in the coming years?
Brett: More work! Crimes will be the same, as it is only the tools that facilitate crimes that change. I believe it will be easier to solve cases because data propagates like bunnies, which means evidence is strewn everywhere, and this makes it harder, if not impossible, to destroy, hide, or prevent evidence from being discovered. I can’t wait to do my first case on a robot!
ADF Bret: Where can people see you speak or teach in 2019?
Brett: I have one USA presentation confirmed at CTIN at Microsoft in Redmond, Washington. I have a few tentative overseas potentials to work out. But I am always “on demand” at a Patreon page with online courses 😊.
ADF Bret: What do you like to do for fun?
Brett: Traveling to neat places with my wife is probably my number one go-to for fun. Taking pictures and flying a drone all over the world is pretty cool, especially since my favorite person likes coming along too.
I'm also a member of the Marine Corps League and hold a few positions in a local detachment - the Puget Sound Marines. For any Marine or Navy Corpsman, I can't recommend an organization more worthy to join to help veterans. And kids! Being part of an organization that puts toys into the hands of thousands of kids during the holidays makes the year's effort well worth it.
ADF Bret: Do you have a favorite Netflix or podcast binge?
Brett: When Breaking Bad ended, I thought my binges would end, so then of course it resulted in re-watching Black Mirror episodes, just to keep me up at night.
ADF Bret: You live in Seattle, Washington. Do you have any recommendations for investigators or examiners who might be planning to attend the CTIN Digital Forensic conference or the Northwest Internet Crimes Against Children conference later this year?
Brett: This year, CTIN is at Microsoft, so that is quite cool. You’ll be at the company that develops the operating system that we typically examine all the time. The list of speakers is really good too, and there’s not one speaker that wouldn’t like you to walk up and introduce yourself to them.
I presented at ICAC a few years ago, again at Microsoft, but won’t be there for the next conference. I can say that if you have never been to an ICAC conference, you should go for more reasons that you should have no issue in justifying. Nothing beats the objectives of ICAC training.
ADF Bret: Brett, thanks so much for all your time and everything that you do to educate and inform.
Brett: More than a pleasure and thanks!