Post by SANS Institute

Heather Barnhart, 20+ year digital forensic examiner and SANS DFIR Curriculum Lead, has a standing rule for how labs should think about AI: treat it like the least experienced person on your team. The newest hire. The one who needs every step explained, every output checked, every assumption questioned. The teams getting real value from AI are the ones treating it that way: deliberate onboarding, close review, clear boundaries on what it owns. That framing came out of her recent appearance on the Digital Forensics Now Podcast, and it reflects how she approaches AI integration in forensic and IR workflows: not as a shortcut, but as a capability you build deliberately, the same way you would with any new team member. The analogy holds across the workflow. AI earns its place on volume tasks: triage, artifact parsing, timeline construction. The practitioner stays in the loop on what the output means, where it fits in the investigation, and what conclusions it can and cannot support. The point is not that AI doesn't belong in DFIR; it's that the field rewards people who understand the work deeply enough to direct it well, and that applies to AI the same way it applies to the people you train. The full conversation covers where AI is adding real value in DFIR workflows and what practitioners need in place to use it well. https://lnkd.in/eBpcfTsR #DFIR #DigitalForensics #IncidentResponse #AI