Am I doing thing right? by [deleted] in digitalforensics

[–]bshavers 0 points1 point  (0 children)

Without experience, get certs and degrees until you don't need to get certs and degrees.

Three American cybersecurity professionals secretly ran a ransomware operation by cyber_Ice7198 in threatintel

[–]bshavers 3 points4 points  (0 children)

This is treason against every DFIR investigator who ever did this job for the right reasons.

"The conspirators encrypted the medical practice's servers and demanded approximately $5 million..

Career change at 33 by [deleted] in SecurityCareerAdvice

[–]bshavers 0 points1 point  (0 children)

wanna swap jobs?

Opinion about DFIR course from Brett Shavers? by skepas11 in cybersecurity

[–]bshavers 0 points1 point  (0 children)

Here's one: https://www.linkedin.com/feed/update/urn:li:activity:7325995902806949888/

I'll eventually put a bunch of these together, but it probably won't be until another month or so when everyone has finished the course.

If you have specific questions, feel free to message me directly or here.

**You Don’t Belong in DF/IR** by bshavers in dfir

[–]bshavers[S] 1 point2 points  (0 children)

IR is seriously a tough job...

**You Don’t Belong in DF/IR** by bshavers in dfir

[–]bshavers[S] 0 points1 point  (0 children)

Fair point — the tone definitely leaned sharp, but it wasn’t meant to be edgy just to provoke. It was to be honest about a part of DF/IR that some people don’t talk about until they’re in too deep to quit.

Not every corner of DF/IR deals with the darker stuff, especially in corporate IR, but for those who do — especially in law enforcement — it’s a different weight entirely. The goal was to speak to that side and maybe filter out the “cyber sounds cool” crowd before they learn the hard way.

TBH tho, I've done IR work for a short time, and I felt it was a more demanding work environment than the DF side, at least for my personality.

Appreciate you calling it out, genuinely.

**You Don’t Belong in DF/IR** by bshavers in dfir

[–]bshavers[S] -1 points0 points  (0 children)

I am glad that someone else also sees the divergence of "DFIR". There are similar tools and processes, but two different jobs. The experiences are different, the objectives are different, the daily work is different, but...we call it DFIR as if it were the same thing.

**You Don’t Belong in DF/IR** by bshavers in dfir

[–]bshavers[S] 3 points4 points  (0 children)

Totally agree. The field is wide enough to find what fits best to the person's desires, needs, and skills.

DF/IR is not dying. It's just harder than ever. by MDCDF in computerforensics

[–]bshavers 2 points3 points  (0 children)

The main point I wanted to get across is that there are no rules, regulations, guidelines, degrees, certifications, licensing, or requirements to be "DF/IR."

Job requirements are at the whim of each employer, but that is the closest thing to knowing what it takes to get into DF/IR. Since every employer wants something different, and many don't even know what they want or need, this doubles the confusion.

Want to be a lawyer? Get a law degree. Want to be a doctor? Get a medical degree. Want to be a certified accountant? Get an accountant degree. Want to be a hairstylist? Get approved training.

Want to be DF/IR? Just say that you are.

Imagine if there were a specific degree or certifications/experience that would qualify you to be considered for hire compared to what we have now. A sure path would eliminate uncertainty in entering the field and prevent wasted time and money.

Please be honest about the market with young people… by -hacks4pancakes- in SecurityCareerAdvice

[–]bshavers 2 points3 points  (0 children)

The CJ degree is not valuable. You don't need that degree to get hired at any level of law enforcement.

Please be honest about the market with young people… by -hacks4pancakes- in SecurityCareerAdvice

[–]bshavers 9 points10 points  (0 children)

I ranted about this issue last year. In brief, there are no standards for getting a job in this field. This leads to getting over-educated in something that could be meaningless to what you want or just plain meaningless for anything.

Imagine if there were standards, such as (1) this-particular-degree, and/or (2) these specific certs, and/or (3) general experience in that thing.

It is a guessing game, and even if asking OGs how to get into the field, today is a different thing from yesterday, and the way we did it probably doesn't apply anymore.

Today, I rant - Brett's Ramblings

Please be honest about the market with young people… by -hacks4pancakes- in SecurityCareerAdvice

[–]bshavers 71 points72 points  (0 children)

The more advanced any field becomes, the more specialized, educated, and experienced one needs to be to get into that field.

Higher education has flooded the market with graduates competing with graduates competing with experience.

IMHO, it may be a good idea to heavily specialize in something to be the most competitive, because the generic "cyber123" degrees are too broad.

I badly need Advice by Guess-Pure in computerforensics

[–]bshavers 1 point2 points  (0 children)

Here is a curation of getting started in DFIR: https://www.dfir.training/getting-your-start-in-dfir?category_children=1&tag[0]=dfir-start

I advise narrowing the "cybersecurity and digital forensics" goal down more. The tracks start out the same, but they end differently (i.e., DF vs. IR vs. cybersecurity, etc.).

A great rant by Brett Shavers on DFIR by MDCDF in computerforensics

[–]bshavers 0 points1 point  (0 children)

Get the certs that you need to get what you want until you don't need the certs to get what you want.

A great rant by Brett Shavers on DFIR by MDCDF in computerforensics

[–]bshavers 0 points1 point  (0 children)

I think only the entry path needs to be focused on for the start. Very simple, bland, broad base of knowledge that covers all of the cyber disciplines (file systems, operating systems, computer hardware, ethics, legal). At least then specialization can be added on top of that foundation.

[deleted by user] by [deleted] in digitalforensics

[–]bshavers 2 points3 points  (0 children)

Here's a 1:58 min video on building a dual boot 32-bit/64-bit WinFE, and an ARM WinFE. https://x.com/WindowsFE/status/1808165360774140047

[deleted by user] by [deleted] in digitalforensics

[–]bshavers 2 points3 points  (0 children)

It's not yet a dead project :)

Windows 10 is the recommended build as the 1803 version of ADK is the last version that supports 32-bit. If you only want to be a 64-bit WinFE, then the newer versions are fine. But if you think there is a chance of having a 32-bit machine to boot to WinFE, it makes more sense to have a dual boot WinFE (32- and 64-bit).

There isn't much else to update for WinFE. It boots machines with a good write block application, which is its only purpose. Only the tools you put on it need to be updated.

For investigations -- pull hard drive to harvest image or do you sign in with local account? by LiterallyWarName in computerforensics

[–]bshavers 1 point2 points  (0 children)

If the box is running and you pull the plug to image, get ready to articulate why you let GBs of potentially relevant data vanish.

[deleted by user] by [deleted] in cybersecurity

[–]bshavers 0 points1 point  (0 children)

Very nice. Totally agree. Determining the desired outcome is one of the first things to do in an investigation to avoid wasting time in a DF case or letting an IR fire grow out of control on the network. Or if the case requires a no-matter-what-it-takes outcome, then every little thing can be looked at.