Sunday, November 25, 2018

Life After Law Enforcement: Can We Talk About Your Resume?


I’ve been a high-technology hiring manager for a long time and one of the consistent themes I’ve noticed when assessing candidates is that most resumes are abject clown shows. Chances are excellent that your resume falls into this category, because I know my early resumes certainly did.  It wasn’t until much later in my career after working with executive recruiters who actually knew something about resumes that I finally got mine under control.

In the name of community service and enlightened self-interest (because I’m assuming anyone who is applying for one of my teams now or in the future is going to do basic social media searching and find this post), I’m going to do a full blog post on what I think makes a good resume.  The warning is that this is very specific to my own experiences over the years so it’s not to be considered authoritative by any means.

The primary purpose of a resume for employment purposes is to get you that initial interview and into the hiring pipeline. You want to put your best foot forward quickly and concisely to the reader so that you will stand out as a qualified applicant that they want to talk to more about the position you’re interested in.  The secondary purpose for your resume is keeping track of your various experience, training, education, and accomplishments so that you can use it for non-employment purposes like court expert witness validation, speaking engagements, grant submissions, certification applications, and anything else along the way that documents your professional career progression.  It’s important to keep your resume up to date as new things get added so that you aren’t stuck trying to remember several years of accomplishments on short notice. I update my resume with each new speaking engagement, for example, so that it’s always up to date and ready to go.

I’m reasonably agnostic as far as formatting, font type, and font size. For the longest time, I was using 9-point font to reduce the number of pages, but I discovered that it was causing issues recently when converting to PDF files so I just decided to go to 12-point font.  It’s easier to read and I don’t have any conversion issues.  I’m using Times New Roman because it’s a standard font that is easy to read, but there isn’t anything wrong with using other standard fonts like Arial, Calibri, and the like.  You just want to avoid using something exotic like Wingdings and you should be fine.  It’s also important that you stay consistent with your font.  I’ve seen some really awful attention to detail failures on this front where one job listing on a resume will be in one font and another job will be listed in another font.

The ultimate goal is to have something that looks professional, readable, and will look good when you convert it to PDF. I prefer PDF whenever I send someone a resume because it reduces the chances of something going sideways with fonts, edits, and the like when someone opens it up or passes it around.  It looks professional and PDF is such a universal format that any given web browser can open them up so specific word processing software isn’t necessary for a reader to review it.

You’ll also see all sorts of rules and recommendations when it comes to resume length and you can count me as agnostic in that area also.  A resume should be as long as it needs to be to accurately reflect your value as a candidate and to score an interview for the job you are seeking. I’ve seen some resumes that just dragged on and on because they were loaded with nonsense and others that I knew were too short because I knew they were leaving some critical information out.

The top of your resume will, of course, list your name and your contact information. I see most people listing their full mailing address and I’ve long since stopped doing that.  I just leave things with my city and state. It’s not that there is anything necessarily wrong with listing your full mailing address, but I will admit it sort of gives me the cold and pricklies when I see college students doing it because I’m always concerned some creeper will use it for stalking purposes.  That’s my Dad radar at work and I know it’s not hard to figure out addresses through open source investigations so take it for what it’s worth.

I list my city and state, my Google voice number (because I have it set to ping me any number of ways if someone leaves me a message or sends me a text and I hate giving out my direct cell phone number. I get enough fraud calls as it is without having to deal with recruiters dialing me directly), an email address, and the URL to my LinkedIn profile.  The email address should be something that you don’t mind getting recruiter spam sent to for the rest of your life. I get hit up by recruiters all of the time and quite a bit of it is clearly based on resumes I had out about a decade ago.  What I’ve noticed is that, for the most part, the recruiters who are pitching jobs that are appropriate to my skill set and career progression reach out to me directly via LinkedIn.

What I don’t list is any post-nominal letters because, in general, I think they are grossly misused (here in the United States, at least) and strike me as unnecessary puffery. I understand that there’s more than a few people who disagree with me on this, but even if you do list eight security certification acronyms after your name, you don’t need to do that on your resume because you’re going to be listing those in the body of your resume.  Remember that Robin Williams taught us that in the dictionary for the word “redundant” it says “see redundant”.

Once you’ve got the contact related information down, it’s time to start into the body of your resume.  I’m going to start off by saying there are many ways to craft a proper resume and I’m not offering up “The One True Way”, but rather recommendations based on what has worked for me in my career and what I’ve found effective both as a candidate and as a hiring manager. It is a very good idea to not only do research by reading blog posts like this, but to pay someone to review and help craft your resume.  In my case, my current resume is the product of various executive recruiters that I’ve worked with over the years.  Since I was the product they were trying to sell, they were happy to help me craft my resume for free, but there is nothing wrong with paying someone to help you with it if you aren’t at the point in your career where professional recruiters (and I mean the few that are any good at their jobs) will do it for you.

The next section that I have in my resume is basically a biography section that I have titled “Profile”.  It’s basically a mirror of the third-party biography that I have up on my LinkedIn profile and serves as a sort of generic cover letter.  The idea is to give the reader a reasonably quick overview of what I think makes me a good job candidate, speaker, expert witness, and the like. It’s basically an extended written version of an elevator speech.  This is also where I list the URL of the AFoD blog and my Twitter account. I could have also just listed both in my contact area at the start of my resume.

There is no reason why anyone can’t write a good profile that catches the attention of the reader no matter where they are in their career cycle. If you have some career experience, this is where you draw that out and explain to the reader why you are awesome and why they should keep reading through the resume.  If you are a college student, this is where you talk about what you are passionate about, what classes you’ve taken, and all of the side projects like college clubs, volunteering, research work, and the like that you’re working on during college to prepare you for that first job.  Everyone has a cool story no matter where they are in their career. This is where you can tell yours.

The next section in my resume is my work experience. This is the next logical progression for my resume since I’ve been in the job market for a while, but if you are just starting out and in college, it might make more sense to lead with your academic background and really hit that hard and then list any paid or volunteer experience after that.

The work experience section is really where resumes can fall flat on their faces.  Getting this right is difficult and this is where the professionals who have helped me with my resume over the years have really added value.  What I’ve been told to do by these people is to tell people what I’ve accomplished rather than just making it a job description.  This is not easy even if you have an easy list of accomplishments in your head. It’s also one of the reasons why I frequently keep my resume updated because it’s very easy to forget everything you’ve done over the years especially if you are trying to quickly update a resume on relatively short notice.

What I do for my employment section is that I list each employer that I have had and then I provide no more than a paragraph explaining the employer.  For example, for my JP Morgan Chase section, I have “JP Morgan Chase is a leading global financial firm made up of over 235,000 people and 2.4 trillion dollars of assets. The firm provides retail, commercial, and investment financial services to millions of customers around the world.” This just gives the reader an idea about the size, scope, and purpose of your organization.  I think this is a great idea even if you are working for a law enforcement agency.  Sure, people are going to know who the Pittsburg Police Department is, but do they know, for example, how many officers there are or the population size that they serve?  If you belong to an agency that no one has heard of before, this is a great time to explain some basic information about the Burning Stump Junction police department and the community that it serves.

For my law enforcement people reading this, not only should you be talking about what you accomplished during your law enforcement career and giving us some background on your department, but you should also be describing what the purpose was of those various nifty specialized units you served on during your career.  This includes the digital forensics type units as well as anything else you did during your career.  Don’t assume that a human resources person screening resumes is going to have any idea what an RCFL or ECTF task force officer does or what those units are.  Don’t assume that a hiring manager like me is necessarily going to understand what you did when you left patrol and were working that first assignment as a detective on some specialized unit that might not have had anything to do with high-tech crimes.

Do NOT just copy and paste a civil service job description into the work history section for a job. I've seen people do this several times over the years (including the part that says "other duties as assigned") and it's sloppy, lazy, and tells me that I've got someone who just decided to phone it in for their resume. These resumes get no further consideration from me.

All of this goes double for my military veterans.  I love you guys and gals, but you leave so much on the table with your resumes.  All too often when I get a resume from someone who was in the military, I’ll just get some small blurb at the start of their resume work history section (because most of what I see are folks who enlisted right after high school or were commissioned as officers after college) telling me the branch of the service, some dates, a job title, and maybe a bit of text telling me about their MOS/AFSC/Rating for enlisted people or their general warfare community if they were officers.

You veterans should go nuts with your service history.  Look, you don’t have to necessarily spend a lot of time telling me about the United States Army, but you should explain what that 31K Working Dog Handler MOS is, what you did during your time in the service, the relevant training you received, and especially all that you achieved. This means listing all of your various awards. Every. Singular. One.  The general rule is that if it’s listed on your DD214 under the section that says “decorations, medals, badges…” it should show up somewhere on your resume. This includes your warfare community qualifications.  Frankly, if you did something like earn a United States Navy submarine warfare qualification badge, I wouldn’t blame you if you put it as a high-resolution graphic on the top of your resume.  I’ve literally got someone on my team right now who earned a Combat Infantryman Badge in Iraq (You know exactly who you are. I know you are reading this. I’m so glaring at you right now) and doesn’t have it on his resume.

I also strongly recommend that you explain on your resume what you did to earn the non-campaign type awards.  You should certainly feel free to explain what that GWOT medal means, but it’s not necessary. What I think is necessary is explaining why you were awarded that United States Air Force Achievement Medal.  There is some citation somewhere that explains what great thing or things you did to get that award so it should merit at least a sentence or two explaining why you got it.  This gets back into the concept of explaining what you achieved on your resume rather than just your job responsibilities.  

You should have a section that lists your academic related education.  In my resume, I have this after my employment section.  This is where I list my undergraduate and graduate degrees. This is also where I list that I’m a graduate of the 141st Iowa Law Enforcement Academy because that’s still a big deal for me as a personal and professional accomplishment.  I list my various honor society memberships under the degree programs that they were associated with because it looks cool.  I don’t list my grade point averages because no one cares about your GPA unless maybe when you’re just out of college.  Frankly, with the way grade inflation is these days, a 4.0 GPA doesn’t really tell me much of anything as a hiring manager.  If you are in college or just out of college, it’s not a bad idea to just lead off your resume with the educational portion and put in more details such as club memberships, leadership positions, interesting research projects, a more detailed description of both your university, the academic program you were involved with, relevant classes, and anything else that would tell the hiring manager why you should get that first interview.  You spent many years cranking on your degree program and if it’s the primary focus of your resume, it should have much more content on your resume than it does on mine.

The next section on my resume is basically me just punting when it comes to professional training.  I long ago stopped keeping track of all of the conference presentations, online training webinars, and the like that I attended.  I think I still have a list somewhere that lists various classroom training that I’ve done, but I’m at a point in my career where I just decided to include a paragraph that says:

Successfully completed hundreds of hours of advanced training in areas such as computer forensics, fraud, payment systems, financial technology, mobile device forensics, cybercrime, malware analysis, data assurance, interviewing and interrogation, investigation, incident response, and open source intelligence.

….because I didn’t want to add several pages of training classes to my resume.  Don’t be me.  Add several pages of training classes to your resume unless maybe you’re in a senior position like mine where it doesn’t matter as much.  I should have at least kept track of everything that I’ve done so that I can list it if I ever need it for court purposes or something similar.  The training section is where you want to list all of the classes you’ve taken that are relevant to the job you are seeking.  Unless you’re just desperate for something to beef up a thin resume, there’s no reason to put that ASP certification class you took on your resume.

The next part of my resume is where I list the necessary evil that are professional certifications.  You have to have them for the most part in our industry so list all of the relevant ones that you have.  I just list the active certification names and leave it at that. I don’t list anything else such as the years that I have had them, certification numbers, or anything else.  Feel free to list expired certifications. I don’t list my expired certifications, but if you slogged away on that CCNA back in the day and decided not to renew, it still tells me that you suffered like I did with the Cisco certs (mine are all expired) and at some point you passed a reasonably difficult test on networking.  Again, I don’t care if you are ASP certified, but I do care if you are an ASP instructor.  The fact that you are qualified to teach someone something is interesting to me even if it’s not relevant to a digital forensics position.

The next section that I list are my “selected presentations and media appearances” where I list the various times that I have given presentations at conferences, webinars that I’ve done, or times that I’ve shown up in the media.  I call it “selected” because, once again, I didn’t keep track of this sort of thing as well as I should have early in my career so I don’t remember all of the times that I’ve presented.  I have done a pretty good job of keeping track of this sort of thing for most of my career, however, so this is a pretty extensive section.  If you teach a class, give a presentation somewhere, or anything similar, it should be listed here.  An alternative that I have seen some other candidates do is keep a list of this sort of thing in something like Google documents and then just provide a link in a cover email or something similar for the hiring manager to access. I prefer keeping everything in the resume so that if people print it out, they have everything in front of them.  You can’t assume that someone is going to click on your link (and we’re a bit of a paranoid bunch in general when it comes to clicking on links) and some people prefer to just print out resumes and review them in paper form.

The next section for my resume is one that I have titled “Professional Activities” and this is a bit of a mixed bag of things such as advisory boards, committee memberships, side consulting engagements, and anything similar that I have done over the years.  This is also where I list things like the fact that I attended the FBI Citizens Academy out of the Newark Field Office back in 2010.

The last section that I list are my professional affiliations and those are my various association memberships such as the American Academy of Forensic Sciences, Association of Certified Fraud Examiners, International Association of Computer Investigative Specialists, and everything else.  I just list the names of the organization and I don’t include any dates, membership numbers, or anything similar.

All of this should just be considered a guideline for how a proper resume should be crafted. There are any number of ways to do a proper professional resume and how I crafted mine is just one of many.  Frankly, if the only thing you get out of reading this post is understanding that it’s a great value to pay someone to craft a proper resume for you, my work here is done.

Saturday, July 28, 2018

AFoD Blog Interview with Jessica Hyde

I normally do a short introduction to these interviews to explain why I selected the interview subject or what major points I think the reader should key in on in the interview. This one turned out so well that the more time I spend on an introduction, the more I'm delaying you from learning about Jessica Hyde. You'll see soon enough why I wanted to do this interview. Enjoy.

Jessica’s Professional Biography

Jessica Hyde has experience performing computer and mobile device forensics in both the commercial and government sectors. Jessica holds an MS in Computer Forensics from George Mason University. She is currently the Director of Forensics for Magnet Forensics (USA) and an Adjunct Professor at George Mason University where she teaches Mobile Device Forensics. Prior to her current role, she was a Senior Mobile Exploitation Analyst and team lead for Basis Technology, was part of the Cyber Crime Investigations team at EY, and worked as a Senior Electrical Engineer for American Systems where she specialized in the analysis of damaged mobile devices. She is currently working on a book on Digital Forensics for the Internet of Things anticipated for release in early 2019. Jessica is also a veteran of the United States Marine Corps.


1. Okay, Devil Dog, what led you to join the United States Marine Corps and what did you do while you were there?

I joined the Marine Corps in October 2001 in response to the attacks on September 11th. In that moment, I knew I had to do something that had more substance, more meaning, and to give back. It was a deeply personal decision, and very directly tied to the grief I was experiencing at the time, but honestly the best decision I ever made. The Marine Corps ultimately set me up for the path that my life has taken.

As part of the enlistment process, one takes a test called the Armed Services Vocational Aptitude Battery (ASVAB). The results of that test, combined with my timing and the positions available, meant I was assigned to go to Avionics school.

Working in Avionics on the AV8B Harrier II VSTOL aircraft, my day-to-day function was to troubleshoot aircraft and make repairs, but it was the hardware and electrical engineering skills I learned and used every day that became the foundation of the hardware analysis portions of the forensic examinations I do today.

This is where I learned to solder, use a multimeter, read schematics, extract data, work with binary and hexadecimal, read data sheets, use oscilloscopes, and wave function generators, etc.… all tools and methods I would use later to extract data from everything from mobile phones to drones to telematics units to smart speakers.

Joining the USMC changed my life. At the time, I was a high school dropout working in retail management. I had coded as a kid, writing programs at the age of 6 on a Commodore 64 and taking programming courses all the way through high school, but when I dropped out, I abandoned those aspects.

That aptitude test and a bit of timing brought me back to something I forgot I had missed. The Corps reintroduced me to things I loved in technology and helped build my confidence in doing technical work and solving problems. Returning to technology gave me fulfillment. Doing technical work in a mission-oriented environment for a greater cause was what brought me true satisfaction.

The best part of my daily work in the Marines was that I had the opportunity to solve problems with both my brain and my hands. A jet would come in with a gripe, and I would first verify the issue by duplicating the issue. Once I had recreated the discrepancy, I would then research via schematics, data sheets, etc. and come up with a test plan.

Next, I would conduct tests, and based on the results I would implement a fix (i.e. repair a wire, change a board). Once the repair was complete, another avionics person would inspect the fix. Then we would test the system to verify it was fixed.

A quality assurance rep would validate both the repair and the functional tests. And then, you guessed it, I would have to write it up. We logged all our steps in record books, tracked our work in a maintenance management program, and tracked tools in a process called ATAF (all tools accounted for). Then I would see that same bird that was “hard down” for a gripe fly through the air. That was an amazing feeling.

Working in a Marine Corps avionics shop is not identical to working in a forensics lab, but from a process perspective and an engineering perspective, similarities are uncanny - Discover, Test, Find, Parse, Validate/Verify, Report, all while maintaining a chain of custody and using some sort of case management system. From a hardware perspective, it’s a lot of the same tools and processes for reading data. Of course, there are also Standard Operating Procedures.

I credit the Marine Corps with helping to make me the person I am today. I learned a technical skill and ran with it, pursuing a formal education in Engineering while on active duty, so I could make the transition from HS dropout to eventual adjunct professor in a graduate school program. It was a lot of work along the way. But every moment was worth it.

2. Why did you eventually leave the Marine Corps and what did you do next?

Leaving the Marine Corps was the furthest thing from my mind. The Corps treated me well -- I had met and married my husband there and had my first child. I loved the work and was a good Marine, earning three meritorious promotions and several awards. I honestly thought I could be the first female Sergeant Major of the Marine Corps. I was motivated and dedicated to the Corps. 

When a technical school I was attending as a reenlistment incentive was cut while I was mid-program, I fought to stay in that school and brought up that my contract was being breached. I thought being the stellar Marine I was, that they would let me finish school.

Lesson learned - don’t play hardball with the Marine Corps. I assumed they would look at my stack of commendations and decide to fulfill the incentive and let me complete the school. That didn’t happen. They agreed that they had breached my reenlistment contract and gave me the choice to separate from active duty or return to the squadron. Finishing the technical school was not an option I was given. It was a difficult decision to leave something I thought would be a career.

I decided to take the opportunity to separate honorably and finish my undergraduate degree. I had taken classes while on active duty and it made sense. So, I left the Corps and went to school full time. I had my second son at this time as well. I was able to transition from the Montgomery GI Bill to the Post-9/11 GI Bill, which provided better benefits and allowed me to finish my degree quickly without taking on debt. I had enough months of education left over to later complete my MS in Computer Forensics.

All in all, I attended five different colleges to complete my undergraduate degree, thanks to pursuing it while both on active duty and as a veteran. It took 8 years from start to finish. In the end, I earned a BS in Electronic Engineering Technology and graduated Summa Cum Laude.

Despite the challenges of going to school full time while having two small children, I think a later start worked out best for me. Had I taken a more traditional route, I might not have chosen technical courses as I discovered my interest and aptitude from the work I did in the Corps. I credit my good grades to being serious and dedicated to my studies. I might not have been as studious in my late teens.

I secured a position as an Electrical Engineer as a government contractor, American Systems, just as I finished school. My Marine Corps experience translated well when combined with the parchment. This engineering position was unique, as it was in a reverse engineering lab and the start of my digital forensics career. 

My position started with reverse engineering circuits of unknown origin, developing schematics and describing function, as well as reverse-engineering microcontroller code. I was overwhelmed at first. Everyone in the lab was so knowledgeable. As I did well with the reverse engineering, I very quickly was moved to the electronic data recovery team.

This was my first exposure to digital forensics. Most of my work involved extracting and analyzing data from damaged devices. It could entail anything that stored data -- from mobile phones, to hard drives, to telematics units, to any circuit board with embedded storage. I never knew what the cases would entail, which made it exciting. Typically, I used chip-off and JTAG methodologies to access the data. 

The work was fantastic because it was my job to get into devices that weren’t supported, pull off the data, and then analyze and report on it. The challenge was intense, as often I worked on things that had never been done before.

Fortunately, I worked with some brilliant engineers and specialists. I was able to learn so much from the team and be challenged at the same time. Since all the devices were damaged, I learned to utilize a lot of state-of-the-art equipment, everything from Computed Tomography to Scanning Electron Microscopes to Plasma and Laser Ablation.

Once the data was recovered, it was analysis time. Sometimes I dealt with conventional hard drives and mobile phones and used traditional forensics tools and methods post-data recovery.

However, I also often dealt with unsupported embedded devices, and my next step was to figure out the data structures and file systems. Then I could begin to analyze the data. Often the data structures were proprietary and undefined. I spent much of my time in data sheets and hex editors. The reporting included the extraction methodologies, device characteristics, and analysis of the recovered data. 

I became so interested in the forensic analysis portion of the work that I decided to start working on my MS in Computer Forensics at George Mason University. Despite doing what some would consider deep dive work, I lacked fundamentals in computer forensics. I had gaps I needed to fill in my skillset. Taking classes at GMU was a great way to strengthen my skills in the areas where I was weak, as the instructors were practitioners and provided a wealth of knowledge and experience.

It was difficult going to school while working in a high-pressure forensics lab. I would receive high-priority projects, so I had to work through the night to find answers. Sometimes I missed classes. I remember running out of the lab for class during a high-priority case, and then rushing back to the lab to continue through the night. I couldn’t procrastinate on my school assignments, I had to start right away because I never knew if evidence with a quick turnaround time would hit my desk at work.

Even more important than what I learned in the classroom were the relationships I built with the other students. Most were digital forensics practitioners as well. We were able to work together not only through our studies, but also to develop a network of other examiners to talk through technical challenges with.

These relationships became crucial to solve complex problems. We bounced ideas off each other. We learned each other’s specialties and strengths. When we ran into challenges at work, we were one another’s resources. I still keep in touch with several of the other examiners from my classes. A couple of us are now instructors at GMU as well. It’s a great way to give back to the forensic community.

I continued the work on my MS while working for American Systems. I honestly don’t know if it was harder going to school while working as an examiner or being a full-time student with young kids. Each was challenging in its own regards. Eventually I left to round out my skill set with more traditional computer forensic analysis at EY.

3. So now you are over at Ernst and Young. How did things progress from there to the point where you ended up at Magnet in your present position? 

EY was a great organization to work for; however, I travelled a lot and my kids were young. I tend to over-immerse myself in work, so it wasn’t the right fit for my family. I also didn’t get to go as deep into exploration or break into damaged devices.

I recall running IEF on nearly every case, and I began to resent it – IEF found evidence so efficiently that my preliminary reports, which included IEF results among other things, were all that was necessary, and I would move on to the next case. I really wanted to spend more time digging!

Eventually, I moved on in my career and went to work in a lab where I got to dig as deep as I could go! I had the opportunity to join Heather Mahalik’s team at Basis Technology. It was incredible, my job was to get into devices that the commercial tools couldn’t support.

Heather and Brian Carrier, unbeknownst to me, had hired me to take over Heather’s role, as she was moving into another role. I was disappointed not to work with her day in and day out, but it was an amazing opportunity with a fantastic team doing challenging technical work. I was fortunate to get to work with some of the smartest people to create innovative ways to get data from devices.

Once the data was recovered from the device, I would run the image through all the tools at my disposal and search for the data the tools missed. I loved it! I got to deep dive on nearly every case I worked, hunting for new artifacts. It was the perfect fit for me. I worked exclusively on mobile and other embedded devices at the time and was incredibly happy.

As luck would have it, my relationship with Magnet products grew. I used the Dynamic App Finder (DAF) feature in IEF because it would save me time finding new databases of interest. It wasn’t the only way I found them, I looked manually as well, but man, I enjoyed what DAF did for me. I became a bigger fan of Magnet, as the tool helped me find areas to dig deeper more quickly! Of course, I had a lot of tools in my tool box, and I used them all. You need to in this field.

The next thing I knew, members of my team were on the Magnet ACQUIRE beta. As a team that specialized in pulling data from unsupported mobile devices, I was excited by the unique device agnostic approach that Magnet had taken.

We were beta testing, and I enjoyed the robust logging. And then a case came in with a device that wasn’t supported by the commercial tools in my lab. We tried them all. It was an important case, and I knew, based on the methods and robust logging that Magnet ACQUIRE showed, that it could likely create an image of the device.

I could have manually rooted the device and obtained the data via a shell, but the end customer preferred we not use that method. I got an exemplar and tested ACQUIRE and it did exactly what we needed. The tool acquired the data off the exemplar, with a detailed log that stated what had happened to the device.

With that successful acquisition, I requested and received approval to use the method on the evidence. Even with the tool being in beta, the robust logging combined with the process proof on the exemplar resulted in us being able to use Magnet ACQUIRE on the case! I was an instant fan.

A short time thereafter, I was at a forensics conference and made sure to let the people from Magnet know in person how fantastic I thought ACQUIRE was and how I liked the approach. Of course, I had seen Jad Saliba speak at conferences and was amazed by his story, his passion, and his drive to help the forensic community. I was also too star-struck to ever approach him.

I clearly remember speaking with the VP of Product, Geoff MacGillivray. He was incredibly appreciative of the feedback and took the time to listen to my thoughts on the tool. I was super impressed and had no idea I would be working with him closely in the future.

Fast forward a bit to the AXIOM. The team I was on was lucky enough, once again, to be part of the beta. I participated in exchanges with the UX designer, Diana Wiffen. She was so open and engaging. I was generally touched by the fact that Magnet Forensics cared about what this one examiner thought.

Magnet came down to meet with our team during the beta. We were super fortunate that Jad and Adam came down along with Geoff and a few others to hear our thoughts on AXIOM and to share what they were working on for the future.

At the end of the meeting I had three disparate questions that needed answers from people in completely different areas of the company. They took my questions back and within 24 hours I had responses to all three questions from three different people at Magnet.

I was blown away. The level of response, support, and interest was unmatched by anything I had seen from any other forensic organization. I could tell that the same passion to help the forensic community that I had seen in Jad was in every “Magneteer” with whom I interacted.

When my lab relocated, the time came for me to look for a new role. I reached out and applied for a position at Magnet. I couldn’t have imagined a greater group of people to work with. After I spoke with multiple members of the organization, Magnet created a role for me where I could work with the product and development teams on a regular basis.

Since coming on board, I’ve been continually inspired by Magnet’s core values and desire to do the right thing for the examiner above all else. At its core, Magnet wants to help examiners work their cases more efficiently and provide tools to help investigators and examiners find truth. It is wonderful to be part of an organization with high integrity.

What really makes this place special is the people. There is nothing like the people behind Magnet. I am fortunate to have a job that I love with such an amazing team, and to get to work on great projects that benefit the digital forensic community. In my previous roles, I worked one case at a time; now my work can help multiple examiners on their cases simultaneously.

4. What are your job responsibilities with Magnet and what is a typical day like for you?

Good question. I have an interesting role. I sit on the Product Team, but report to the North America VP of Sales. Sound confusing yet? My duties in writing spell out work in 4 areas – Research and Development, Product, Marketing, and Sales.

Overall, I’m responsible for helping to bring the forensic examiner viewpoint to different areas. I spend most of my time working with the developers and the Product team.

However, I also spend a fair amount of time in support of Marketing (webinars, conference speaking, blogs). I also provide some support to sales by attending customer meetings where I can provide specific value – maybe because I have worked through a similar issue or environment as the customer.

In my Product team support, I assist in a lot of different ways. The Product team is responsible for the roadmap, the list of things we plan to work on in the future. I often provide feedback from an examiner perspective, as well as, more importantly, feedback that I hear from customers.

To help the rest of the product team develop the roadmap, I also work closely with the product owners, who are responsible for prioritizing the different development teams’ work. Often, my work here again is to explore new features.

I also occasionally review things from the Documents team, such as release notes and descriptions for the Artifact Reference Guide, for technical accuracy.  Sometimes I look at UX designs for features our UX team has created. Other times I may assist Support with a specific question they have received from a user.

The other team that needs a forensic examiner’s perspective is Research and Development. At Magnet we have a variety of different teams that work on different areas: artifact research in development, data analytics/machine learning, cloud acquisition and analysis, mobile acquisition, etc. I work with the different teams as needed, depending on where I can provide value to features or research, but this is the core of much of my work daily.

Right now, for example, I’ve been spending a lot of time with the artifacts teams, introducing additional artifacts. One of the things I assist with is defining the relationships of each of a new artifact’s individual attributes to others, for our Connections feature. Sometimes I provide feedback on artifact prototypes, or participate in discussions of different ways we can present the information.

Another area where I’ve spent a lot of time this past year is with our data analytics team as they explored different machine learning models and representations as part of our Magnet.AI module.

My role with Marketing is what most people may be more familiar with, even though it is a smaller part of my time than I spend with R&D and Product. This work includes the development and delivery of presentations at conferences, blog posts, and webinars.

However, whatever material I present on during “conference season” usually pertains to the work I’ve been involved with throughout the year. Occasionally I’ll also do a Lunch and Lab session or a Roadshow. Roadshows typically involve technical presentations at three cities in a week, whereas Lunch and Labs are hands-on sessions with AXIOM.

This is the work most people see me doing. Likewise, people may know me from a meeting with Sales, although this is a very small part of my role. We have a team of solutions consultants, many of whom spent years working as examiners, who provide technical expertise in the sales cycle. I tend to only join those meetings where I have some specific experience of value to assist a customer.

What I like most about my role is that I’m given some additional latitude outside of my responsibility to these four groups. Magnet has been supportive of my personal research interests, including the external work I do, such as writing a book on IoT forensics and teaching at George Mason University.

For another example, last year I worked on Alexa forensics with Brian Moran of BriMor Labs. My current research work is a Chrome Forensics project with Jad Saliba, our CTO and founder – how amazing is it that I get to work with Jad!

In addition to personal research, I regularly answer questions from customers who reach out with challenges they may encounter. At times this means I write a custom artifact to share with the customer and post on the Magnet Artifact Exchange.

This is one of the parts of my role that I treasure, as I feel it both helps keep me aware of relevant challenges in the field and allows me to participate in a small way in the missions involved in the work we do as forensic examiners. I often miss doing active investigations, so helping other examiners with some small aspect of an examination helps fill that desire.

I’m far from the only person at Magnet who responds to questions and challenges from customers. In addition to our Support Team there’s a band of close to 20 of us at Magnet who have worked as examiners. We’re in a variety of roles, from our CTO, to Product, Marketing, R&D, Training, and Sales teams.

Even though we have different responsibilities, we make a concerted effort to be an accessible resource to others in the organization who need our examiner perspective. The group of examiners meets regularly to share what we’re seeing, learning, and working on with each other. Working with this group is a great privilege.
       
So, what does my typical day look like? I’m fortunate to love what I do enough that the line between my hobby and my work is quite blurry. I’m also an early riser, and I like to write in the quiet of the morning before the family wakes up. I put my phone away to prevent me from tending to messages and emails.

As a side note, writing a book is more challenging than I ever expected. I would say the key to writing is to write. When I write daily, it’s easy each morning to get up and write or research. However, when I take a break due to work commitments, I find it hard to start back up again.

When I’m done writing, I look at my phone and catch up with things – sometimes responding to questions from customers in the Asia-Pacific and European regions, sometimes reading Twitter – and head out to the gym. I was putting on “book weight” and decided that had to stop – so I have become part of the #DFIRFit movement! Then it is the start of the real day.
       
And that’s where my day will diverge. Every day is a bit different. Looking at a typical day, it really depends on where we are in terms of a release cycle, conference season, or where I am most needed. If I’m on the road, most of my time may be spent prepping and rehearsing content, delivering presentations, engaging with other forensicators, and learning from the presentations of others.

Regardless of any meetings and presentations that may be on my schedule, I fill in the gaps by responding to questions from either the development team or customers. Those responses typically require a bit of research.

On days that I’m not on the road, working from my home office, I often go through feature tickets and update them based on what I discover. Sometimes I respond to questions from developers, but typically, I spend a good amount of time researching and trying to understand forensic issues before I provide feedback.

I regularly test development builds of new features, and offer feedback on those features, draft the artifacts’ connections, and help with the fragment descriptions for the artifact reference guide. At times I work with the content team to draft or provide a technical review of content.

I also spend a chunk of time in the evenings catching up on all the information shared by the industry. There’s always so much to learn, which is one of the greatest things about this field – new problems to solve and new artifacts being discovered. There’s too much going on in the field for anyone to know everything, which makes sharing with each other imperative. Sometimes you can find me on Twitter in my down time.

I’m lucky to have a dream job where I get to do things that I love to do, research forensic issues, and help others with questions they may have. But in a role that you are passionate about, and that is also global, there can be blurring of time off and on.

There are a lot of reasons for this blurring: working with people in different time zones, having great friends in the forensics space, and constant data generation. Because many of my friends are in forensics, sometimes a casual chat may lead to jumping on my computer to carve for data and check out an artifact.

I’m passionate about digital forensics, so this is a natural flow for me. However, I do make a conscious effort to take time off from work one day a week, which is positive for both my family and my sanity. 

It’s interesting because there’s quite a dichotomy between my days on the road and my days in my home lab. At home, I spend most of my day staring at a computer screen. I don’t have office mates to speak of, which is great for allowing for deep focus and concentration.

In contrast, when I’m on the road at conferences, I constantly engage with other people. The energy in these two arenas is very different. I gain energy from learning new things – the secret is that both people and data can stimulate the ability to gain more knowledge. There is always so much to learn!

5. You make segues so easy for me. Part of the reason I wanted to land an interview with one Jessica Hyde is your work into IoT forensics and the book that will come out of it. Can you tell us more about your research into IoT and your upcoming book?

Happily! Researching Internet of Things devices has been a great deal of fun. As someone who worked on teams that specialized in mobile device forensics, I often received the “weird” devices -- anything with an embedded system. This included everything from smartwatches to dashboards from vehicles to drones.

So, when the opportunity came along to work with Brian Moran to dig into the Amazon Alexa “Echo-system” – I dug in! I loved the complexity of coupling my hardware skills to obtain data from the devices, with my love of parsing data from unsupported apps.

Then came the realization that I needed to understand how to get data from “the cloud” and I was hooked! I began working on different IoT systems, from smart homes to smart watches, to smart thermostats, robot vacuums, light switches, and more. Can you think of something cooler to research in your spare time? I mean, I get to play with devices in my home and then tear them apart and find data, all in hopes of helping others. And I’m so fortunate that my hobby and my work are in the same field.

As I did increasingly more of this work and shared information in presentations and blog posts, more friends, acquaintances, and people I’d never met started to inquire about how to get data from more of these devices they were seeing on cases. In other words, as people begin to have more devices in their homes and on their person, IoT devices are more regularly becoming the witness, suspect, and victim in cases.

This led to ideas of what things to research next, and I began to collaborate with other examiners. The important aspect with regards to IoT forensics isn’t the recipe for how to get the data, because that can change – particularly as cloud APIs change. The important skill is understanding the methodology: how to identify IoT devices at the scene, create test data, find where that data resides, parse that data, and then apply the same methodology to cases.

As I began to research more devices, and as I regularly attempt to promote sharing in our community, it only made sense to challenge myself to practice what I preach and provide the methods to exploit forensic data from Internet connected devices. To do this, I’m collaborating with others in different areas in the community to give them the opportunity to share their IoT forensics work.

The book’s focus is to discuss the forensic value of IoT devices, provide examples, and describe the skills necessary to test, acquire, and analyze IoT devices in forensic investigations.

As for the book’s format, there are really two main parts: one part that speaks to methodology, and the second part that speaks to examples. The methodology section is further broken down to describe ways to obtain and analyze data from physical devices, associated applications, and the cloud. This section explains concepts like In-System Programming (ISP) to read data from devices, parsing unsupported applications from mobile devices, and dealing with APIs and JSON data. 

The second portion is broken down into different categories of IoT devices, with examples of forensic analysis. It’s important to note that this second section is meant to serve as an example, not a recipe. Again, this is a rapidly changing area, and with a book the concept is to share a resource about how to conduct the analysis. 

This section will also include contributions from other digital forensics professionals who have explored different IoT devices.  I’m fortunate to know fantastic, talented forensicators also working in this area who are interested to share what they’ve learned. This will hopefully allow the reader to see other perspectives on IoT forensic analysis and provide a wider depth and breadth than I could provide alone. 

I hope to release the book in early 2019. If anyone has any questions, ideas, or contributions, I happily welcome their input. The book’s goal is to provide a methodology to investigate IoT devices the reader may encounter in the field. I think IoT forensics will continue to become a larger part of cases and a significant source of data and we all need to work together to understand how to investigate it.

6. What is your advice to someone who is looking for ways to give back to the community?

This is an area I’m quite passionate about, so I’m glad for the opportunity to share my thoughts on ways to give back to the community.

There are so many ways in which those of us involved in DFIR can give back. One of the most obvious ways is by sharing what you’ve learned with others. This can take many forms, including everything from mentoring to presentations.

I would like to point people to some really good posts on this concept, including Harlan Carvey’s “Beyond Getting Started” and Brett Shavers’ “Sharing is Caring”. They discuss the importance of sharing back what you learn with the community.

Some of the ways to share your research and knowledge with the community include developing scripts, giving presentations, posting artifact details, teaching, answering questions on listservs, and of course writing -- in the form of a blog, a whitepaper, article, book, or even peer reviewing others’ work. I outlined my thoughts on each method more formally in this blog post late last year which can be found here.

One of the current issues related to sharing that a group of us is discussing is Rapid Peer Review for practitioners. There are a lot of thoughts on this, including Brett’s “The RAPID PEER REVIEW” and Joshua James’s “DFIR already has Rapid Peer Review – we can do better”. The outcome of these discussions should serve to create a way for practitioners to expand on and validate each other’s work at the practitioner level. I encourage anyone who has ideas in this area to please reach out to me to be involved.
                                                                               
It’s important to note that you don’t need to have as much experience as you, Eric, or someone like Harlan or Brett to share! This industry is so vast and there’s so much to figure out. If you figured something out for an examination because you couldn’t find material on how to get data off that device or parse that artifact, someone else may run into that same scenario. There are so many unknowns that the only way we can succeed as a community is to work together to share our knowledge.

But sharing can be even bigger! It doesn’t have to be just within the confines of our community. Some people may have the motivation to find ways to use their DFIR skills to give back in other ways. This can include everything from discussing Internet safety and multi-factor authentication in your community, to speaking at schools, to teaching victims of abuse how not to be violated digitally by their abusers.

I just recently organized some of my thoughts on Giving Back in DFIR in a blog post. I included some specific organizations that are doing work to give back that people can learn more about or find new ways to help others. I’m so proud to be a member of this community where we can have impact in the world well beyond our cases with our skillsets.

You can also give back by helping people learn about the field. You can help introduce new examiners to the field by participating in everything from resume clinics, to volunteering with groups that help bring people to conferences.

I was fortunate enough to have an opportunity to volunteer at a resume clinic run by Lesley Carhart at Circle City Con. It was a tremendous experience and I met some great future DFIR practitioners. Mentoring is also a great way to help others. Organizations like H.E.R.O. Child Rescue Corps help transitioning wounded veterans move into law enforcement careers as trained counter-child-exploitation professionals.

There are also groups like Cyber Sleuth Science Lab that focus on bringing digital forensic education to underrepresented high school students. In the words of DFIR practitioner Richie Cyrus, it is our responsibility to “send the elevator back down”.

7. What is your advice for someone who is looking to break into the digital forensics field?

My advice is to learn and get involved. As far as learning, there is great formalized training at both the university level, and via training courses from vendors and organizations.

However, college degrees and expensive DFIR training have a cost barrier. There are lots of great ways to access information outside of those formalized courses. I highly recommend that anyone looking into the field check out the following three resources, as they are a gateway to other information: AboutDFIR.com, DFIR.training, and subscribe to thisweekin4n6.com.

By using these resources, you should be able to find archived content specific to what you’re seeking, as well as keep up on the newest information that the community is sharing. That said, please look out for scholarship opportunities to get access to training. I listed several in the Giving Back in DFIR blog that I mentioned.

A lot of people ask what certifications or training they should choose. Well, just like much of forensics, it depends. One thing I suggest is to look at the requirements in job postings for your dream job and start taking the steps to get there.

I also encourage people to apply for jobs where they don’t meet every single requirement. Often that is just the “dream candidate,” it’s unlikely that they’ll find someone who meets all the requirements. Apply anyway! The worst that happens is that you don’t get the position, the best that happens is that you get the job and the opportunity to learn skills you might not otherwise have.

Of course, it’s important to have a CV/resume. But if you have no experience, what goes there? If transitioning out of one career into a new one, list cross-industry skills. This could include writing, technical skills like networking or programming, or soft skills like the ability to brief executives. Make sure your resume includes all the training and certifications that you have gotten.

One of the most valuable things you can have on your resume is a reference to your own work! If you’ve been sharing as you learn or research, a place where you’ve blogged about that research can be a real foot in the door.

When I hired forensic practitioners, I really appreciated when the candidate had a public blog post on some research they had done. Not only did this let me know that they could conduct, understand, and write about forensic research; it also gave me a specific topic to focus on in the interview.

If you can go in depth about something you’ve researched, chances are you’ll be a good fit. You may also be more comfortable than if the interviewer asks randomly about some topic you haven’t spent as much time on with practical hands-on work.

It isn’t always about the resume. Sometimes it all comes down to networking. Often that’s because even finding the job opening can be a struggle. This has gotten better thanks to sites like aboutDFIR.com having a jobs page focused on our industry. I address several of the nuances in finding a job in a blog post that can be found here.

Of note in that post is a matrix to help figure out the potential titles of positions you may be interested in applying for. Sometimes finding the actual requisitions to apply can be a tricky part of the process.

In general, though, networking is important in almost every field. I’m a strong proponent of getting involved. So how can you do that? It’s great if you can get out there and meet other people. They may know of a position, or you may meet someone who’s hiring.

I highly recommend attending a conference in your vicinity and looking for a local BSides conference. The wiki here is a great place to find out about local BSides. You’re bound to learn something there.

You can also try to get involved with an association in your area. A great resource for finding some of these groups is to look at the Associations page on DFIR.training. I also advocate joining the #DFIR community on Twitter. A lot of great information is shared on Twitter first. If you follow me, @B1N2H3X, I have two Twitter lists you can access on my profile to get you started with finding other DFIR folks.

Thank you, Eric, for the opportunity to share.  I have been a long-time reader of AFoD and it is a true honor to have been invited to be interviewed by you.  You and your blog do an amazing job of sharing content with the community. Thank you again for this honor and privilege.