Saturday, July 28, 2018

AFoD Blog Interview with Jessica Hyde

I normally do a short introduction to these interviews to explain why I selected the interview subject or what major points I think the reader should key in on in the interview. This one turned out so well that the more time I spend on an introduction, the more I'm delaying you from learning about Jessica Hyde. You'll see soon enough why I wanted to do this interview. Enjoy.

Jessica’s Professional Biography

Jessica Hyde has experience performing computer and mobile device forensics in both the commercial and government sectors. Jessica holds an MS in Computer Forensics from George Mason University. She is currently the Director of Forensics for Magnet Forensics (USA) and an Adjunct Professor at George Mason University where she teaches Mobile Device Forensics. Prior to her current role, she was a Senior Mobile Exploitation Analyst and team lead for Basis Technology, was part of the Cyber Crime Investigations team at EY, and worked as a Senior Electrical Engineer for American Systems where she specialized in the analysis of damaged mobile devices. She is currently working on a book on Digital Forensics for the Internet of Things anticipated for release in early 2019. Jessica is also a veteran of the United States Marine Corps.

1. Okay, Devil Dog, what led you to join the United States Marine Corps and what did you do while you were there?

I joined the Marine Corps in October 2001 in response to the attacks on September 11th. In that moment, I knew I had to do something that had more substance, more meaning, and to give back. It was a deeply personal decision, and very directly tied to the grief I was experiencing at the time, but honestly the best decision I ever made. The Marine Corps ultimately set me up for the path that my life has taken.

As part of the enlistment process, one takes a test called the Armed Services Vocational Aptitude Battery (ASVAB). The results of that test, combined with my timing and the positions available, meant I was assigned to go to Avionics school.

Working in Avionics on the AV8B Harrier II VSTOL aircraft, my day-to-day function was to troubleshoot aircraft and make repairs, but it was the hardware and electrical engineering skills I learned and used every day that became the foundation of the hardware analysis portions of the forensic examinations I do today.

This is where I learned to solder, use a multimeter, read schematics, extract data, work with binary and hexadecimal, read data sheets, use oscilloscopes and wave function generators, etc. All tools and methods I would use later to extract data from everything from mobile phones to drones to telematics units to smart speakers.

Joining the USMC changed my life. At the time, I was a high school dropout working in retail management. I had coded as a kid, writing programs at the age of 6 on a Commodore 64 and taking programming courses all the way through high school, but when I dropped out, I abandoned those aspects.

That aptitude test and a bit of timing brought me back to something I forgot I had missed. The Corps reintroduced me to things I loved in technology and helped build my confidence in doing technical work and solving problems. Returning to technology gave me fulfillment. Doing technical work in a mission-oriented environment for a greater cause was what brought me true satisfaction.

The best part of my daily work in the Marines was that I had the opportunity to solve problems with both my brain and my hands. A jet would come in with a gripe, and I would first verify the issue by duplicating the issue. Once I had recreated the discrepancy, I would then research via schematics, data sheets, etc. and come up with a test plan.

Next, I would conduct tests, and based on the results I would implement a fix (i.e. repair a wire, change a board). Once the repair was complete, another avionics person would inspect the fix. Then we would test the system to verify it was fixed.

A quality assurance rep would validate both the repair and the functional tests. And then, you guessed it, I would have to write it up. We logged all our steps in record books, tracked our work in a maintenance management program, and tracked tools in a process called ATAF (all tools accounted for). Then I would see that same bird that was “hard down” for a gripe fly through the air. That was an amazing feeling.

Working in a Marine Corps avionics shop is not identical to working in a forensics lab, but from a process perspective and an engineering perspective, the similarities are uncanny: Discover, Test, Find, Parse, Validate/Verify, Report, all while maintaining a chain of custody and using some sort of case management system. From a hardware perspective, it’s a lot of the same tools and processes for reading data. Of course, there are also Standard Operating Procedures.

I credit the Marine Corps with helping to make me the person I am today. I learned a technical skill and ran with it, pursuing a formal education in Engineering while on active duty, so I could make the transition from HS dropout to eventual adjunct professor in a graduate school program. It was a lot of work along the way. But every moment was worth it.

2. Why did you eventually leave the Marine Corps and what did you do next?

Leaving the Marine Corps was the furthest thing from my mind. The Corps treated me well -- I had met and married my husband there and had my first child. I loved the work and was a good Marine, earning three meritorious promotions and several awards. I honestly thought I could be the first female Sergeant Major of the Marine Corps. I was motivated and dedicated to the Corps. 

When a technical school I was attending as a reenlistment incentive was cut while I was mid-program, I fought to stay in that school and brought up that my contract was being breached. I thought being the stellar Marine I was, that they would let me finish school.

Lesson learned - don’t play hardball with the Marine Corps. I assumed they would look at my stack of commendations and decide to fulfill the incentive and let me complete the school. That didn’t happen. They agreed that they had breached my reenlistment contract and gave me the choice to separate from active duty or return to the squadron. Finishing the technical school was not an option I was given. It was a difficult decision to leave something I thought would be a career.

I decided to take the opportunity to separate honorably and finish my undergraduate degree. I had taken classes while on active duty and it made sense. So, I left the Corps and went to school full time. I had my second son at this time as well. I was able to transition from the Montgomery GI Bill to the Post-9/11 GI Bill, which provided better benefits and allowed me to finish my degree quickly without taking on debt. I had enough months of education left over to later complete my MS in Computer Forensics.

All in all, I attended five different colleges to complete my undergraduate degree, thanks to pursuing it while both on active duty and as a veteran. It took 8 years from start to finish. In the end, I earned a BS in Electronic Engineering Technology and graduated Summa Cum Laude.

Despite the challenges of going to school full time while having two small children, I think a later start worked out best for me. Had I taken a more traditional route, I might not have chosen technical courses, as I discovered my interest and aptitude from the work I did in the Corps. I credit my good grades to being serious and dedicated to my studies. I might not have been as studious in my late teens.

I secured a position as an Electrical Engineer as a government contractor, American Systems, just as I finished school. My Marine Corps experience translated well when combined with the parchment. This engineering position was unique, as it was in a reverse engineering lab and the start of my digital forensics career. 

My position started with reverse engineering circuits of unknown origin, developing schematics and describing function, as well as reverse-engineering microcontroller code. I was overwhelmed at first. Everyone in the lab was so knowledgeable. As I did well with the reverse engineering, I very quickly was moved to the electronic data recovery team.

This was my first exposure to digital forensics. Most of my work involved extracting and analyzing data from damaged devices. It could entail anything that stored data -- from mobile phones, to hard drives, to telematics units, to any circuit board with embedded storage. I never knew what the cases would entail, which made it exciting. Typically, I used chip-off and JTAG methodologies to access the data. 

The work was fantastic because it was my job to get into devices that weren’t supported, pull off the data, and then analyze and report on it. The challenge was intense, as often I worked on things that had never been done before.

Fortunately, I worked with some brilliant engineers and specialists. I was able to learn so much from the team and be challenged at the same time. Since all the devices were damaged, I learned to utilize a lot of state-of-the-art equipment, everything from Computed Tomography to Scanning Electron Microscopes to Plasma and Laser Ablation.

Once the data was recovered, it was analysis time. Sometimes I dealt with conventional hard drives and mobile phones and used traditional forensics tools and methods post-data recovery.

However, I also often dealt with unsupported embedded devices, and my next step was to figure out the data structures and file systems. Then I could begin to analyze the data. Often the data structures were proprietary and undefined. I spent much of my time in data sheets and hex editors. The reporting included the extraction methodologies, device characteristics, and analysis of the recovered data. 

I became so interested in the forensic analysis portion of the work that I decided to start working on my MS in Computer Forensics at George Mason University. Despite doing what some would consider deep dive work, I lacked fundamentals in computer forensics. I had gaps I needed to fill in my skillset. Taking classes at GMU was a great way to strengthen my skills in the areas where I was weak, as the instructors were practitioners and provided a wealth of knowledge and experience.

It was difficult going to school while working in a high-pressure forensics lab. I would receive high-priority projects, so I had to work through the night to find answers. Sometimes I missed classes. I remember running out of the lab for class during a high-priority case, and then rushing back to the lab to continue through the night. I couldn’t procrastinate on my school assignments, I had to start right away because I never knew if evidence with a quick turnaround time would hit my desk at work.

Even more importantly than what I learned in the classroom, were the relationships I built with the other students. Most were digital forensics practitioners as well. We were able to work together not only through our studies, but also to develop a network of other examiners to talk through technical challenges with.

These relationships became crucial to solve complex problems. We bounced ideas off each other. We learned each other’s specialties and strengths. When we ran into challenges at work, we were one another’s resources. I still keep in touch with several of the other examiners from my classes. A couple of us are now instructors at GMU as well. It’s a great way to give back to the forensic community.

I continued the work on my MS while working for American Systems. I honestly don’t know if it was harder going to school while working as an examiner or being a full-time student with young kids. Each was challenging in its own regards. Eventually I left to round out my skill set with more traditional computer forensic analysis at EY.

3. So now you are over at Ernst and Young. How did things progress from there to the point where you ended up at Magnet in your present position? 

EY was a great organization to work for; however, I travelled a lot and my kids were young. I tend to over-immerse myself in work, so it wasn’t the right fit for my family. I also didn’t get to go as deep into exploration or break into damaged devices.

I recall running IEF on nearly every case, and I began to resent it – IEF found evidence so efficiently that my preliminary reports, which included IEF results among other things, were all that was necessary, and I would move on to the next case. I really wanted to spend more time digging!

Eventually, I moved on in my career and went to work in a lab where I got to dig as deep as I could go! I had the opportunity to join Heather Mahalik’s team at Basis Technology. It was incredible, my job was to get into devices that the commercial tools couldn’t support.

Heather and Brian Carrier, unbeknownst to me, had hired me to take over Heather’s role, as she was moving into another role. I was disappointed not to work with her day in and day out, but it was an amazing opportunity with a fantastic team doing challenging technical work. I was fortunate to get to work with some of the smartest people to create innovative ways to get data from devices.

Once the data was recovered from the device, I would run the image through all the tools at my disposal and search for the data the tools missed. I loved it! I got to deep dive on nearly every case I worked, hunting for new artifacts. It was the perfect fit for me. I worked exclusively on mobile and other embedded devices at the time and was incredibly happy.

As luck would have it, my relationship with Magnet products grew. I used the Dynamic App Finder (DAF) feature in IEF because it would save me time finding new databases of interest. It wasn’t the only way I found them, I looked manually as well, but man, I enjoyed what DAF did for me. I became a bigger fan of Magnet, as the tool helped me find areas to dig deeper more quickly! Of course, I had a lot of tools in my tool box, and I used them all. You need to in this field.

The next thing I knew, members of my team were on the Magnet ACQUIRE beta. As a team that specialized in pulling data from unsupported mobile devices, I was excited by the unique device agnostic approach that Magnet had taken.

We were beta testing, and I enjoyed the robust logging. And then a case came in with a device that wasn’t supported by the commercial tools in my lab. We tried them all. It was an important case, and I knew, based on the methods and robust logging that Magnet ACQUIRE showed, that it could likely create an image of the device.

I could have manually rooted the device and obtained the data via a shell, but the end customer preferred we not use that method. I got an exemplar and tested ACQUIRE and it did exactly what we needed. The tool acquired the data off the exemplar, with a detailed log that stated what had happened to the device.

With that successful acquisition, I requested and received approval to use the method on the evidence. Even with the tool being in beta, the robust logging combined with the process proof delivered on the exemplar resulted in us being able to use Magnet ACQUIRE on the case! I was an instant fan.

A short time thereafter, I was at a forensics conference and made sure to let the people from Magnet know in person how fantastic I thought ACQUIRE was and how I liked the approach. Of course, I had seen Jad Saliba speak at conferences and was amazed by his story, his passion, and his drive to help the forensic community. I was also too star-struck to ever approach him.

I clearly remember speaking with the VP of Product, Geoff MacGillivray. He was incredibly appreciative of the feedback and took the time to listen to my thoughts on the tool. I was super impressed and had no idea I would be working with him closely in the future.

Fast forward a bit to AXIOM. The team I was on was lucky enough, once again, to be part of the beta. I participated in exchanges with the UX designer, Diana Wiffen. She was so open and engaging. I was genuinely touched by the fact that Magnet Forensics cared about what this one examiner thought.

Magnet came down to meet with our team during the beta. We were super fortunate that Jad and Adam came down along with Geoff and a few others to hear our thoughts on AXIOM and to share what they were working on for the future.

At the end of the meeting I had three disparate questions that needed answers from people in completely different areas of the company. They took my questions back and within 24 hours I had responses to all three questions from three different people at Magnet.

I was blown away. The level of response, support, and interest was unmatched by anything I had seen from any other forensic organization. I could tell that the same passion to help the forensic community that I had seen in Jad was in every “Magneteer” with whom I interacted.

When my lab relocated, the time came for me to look for a new role. I reached out and applied for a position at Magnet. I couldn’t have imagined a greater group of people to work with. After I spoke with multiple members of the organization, Magnet created a role for me where I could work with the product and development teams on a regular basis.

Since coming on board, I’ve been continually inspired by Magnet’s core values and desire to do the right thing for the examiner above all else. At its core, Magnet wants to help examiners work their cases more efficiently and provide tools to help investigators and examiners find truth. It is wonderful to be part of an organization with high integrity.

What really makes this place special is the people. There is nothing like the people behind Magnet. I am fortunate to have a job that I love with such an amazing team, and to get to work on great projects that benefit the digital forensic community. In my previous roles, I worked one case at a time; now my work can help multiple examiners on their cases simultaneously.

4. What are your job responsibilities with Magnet and what is a typical day like for you?

Good question. I have an interesting role. I sit on the Product Team, but report to the North America VP of Sales. Sound confusing yet? My duties in writing spell out work in 4 areas – Research and Development, Product, Marketing, and Sales.

Overall, I’m responsible for helping to bring the forensic examiner viewpoint to different areas. I spend most of my time working with the developers and the Product team.

However, I also spend a fair amount of time in support of Marketing (webinars, conference speaking, blogs). I also provide some support to sales by attending customer meetings where I can provide specific value – maybe because I have worked through a similar issue or environment as the customer.

In my Product team support, I assist in a lot of different ways. The Product team is responsible for the roadmap, the list of things we plan to work on in the future. I often provide feedback from an examiner perspective, as well as, more importantly, feedback that I hear from customers.

To help the rest of the product team develop the roadmap, I also work closely with the product owners, who are responsible for prioritizing the different development teams’ work. Often, my work here again is to explore new features.

I also occasionally review things from the Documents team, such as release notes and descriptions for the Artifact Reference Guide, for technical accuracy. Sometimes I look at UX designs for features our UX team has created. Other times I may assist Support with a specific question they have received from a user.

The other team that needs a forensic examiner’s perspective is Research and Development. At Magnet we have a variety of different teams that work on different areas: artifact research in development, data analytics/machine learning, cloud acquisition and analysis, mobile acquisition, etc. I work with the different teams as needed, depending on where I can provide value to features or research, but this is the core of much of my work daily.

Right now, for example, I’ve been spending a lot of time with the artifacts teams, introducing additional artifacts. One of the things I assist with is defining the relationships of each of a new artifact’s individual attributes to others, for our Connections feature. Sometimes I provide feedback on artifact prototypes, or participate in discussions of different ways we can present the information.

Another area where I’ve spent a lot of time this past year is with our data analytics team as they explored different machine learning models and representations as part of our Magnet.AI module.

My role with Marketing is what most people may be more familiar with, even though it is a smaller part of my time than I spend with R&D and Product. This work includes the development and delivery of presentations at conferences, blog posts, and webinars.

However, whatever material I present on during “conference season” usually pertains to the work I’ve been involved with throughout the year. Occasionally I’ll also do a Lunch and Lab session or a Roadshow. Roadshows typically involve technical presentations at three cities in a week, whereas Lunch and Labs are hands on sessions with AXIOM.

This is the work most people see me doing. Likewise, people may know me from a meeting with Sales, although this is a very small part of my role. We have a team of solutions consultants, many of whom spent years working as examiners, who provide technical expertise in the sales cycle. I tend to only join those meetings where I have some specific experience of value to assist a customer.

What I like most about my role is that I’m given some additional latitude outside of my responsibility to these four groups. Magnet has been supportive of my personal research interests, including the external work I do, such as writing a book on IoT forensics and teaching at George Mason University.

For another example, last year I worked on Alexa forensics with Brian Moran of BriMor Labs. My current research work is a Chrome Forensics project with Jad Saliba, our CTO and founder – how amazing is it that I get to work with Jad!

In addition to personal research, I regularly answer questions from customers who reach out with challenges they may encounter. At times this means I write a custom artifact to share with the customer and post on the Magnet Artifact Exchange.

This is one of the parts of my role that I treasure, as I feel it both helps keep me aware of relevant challenges in the field and allows me to participate in a small way in the missions involved in the work we do as forensic examiners. I often miss doing active investigations, so helping other examiners with some small aspect of an examination helps fill that desire.

I’m far from the only person at Magnet who responds to questions and challenges from customers. In addition to our Support Team there’s a band of close to 20 of us at Magnet who have worked as examiners. We’re in a variety of roles, from our CTO, to Product, Marketing, R&D, Training, and Sales teams.

Even though we have different responsibilities, we make a concerted effort to be an accessible resource to others in the organization who need our examiner perspective. The group of examiners meets regularly to share what we’re seeing, learning, and working on with each other. Working with this group is a great privilege.

So, what does my typical day look like? I’m fortunate to love what I do enough that the line between my hobby and my work is quite blurry. I’m also an early riser, and I like to write in the quiet of the morning before the family wakes up. I put my phone away to prevent me from tending to messages and emails.

As a side note, writing a book is more challenging than I ever expected. I would say the key to writing is to write. When I write daily, it’s easy each morning to get up and write or research. However, when I take a break due to work commitments, I find it hard to start back up again.

When I’m done writing, I look at my phone and catch up with things – sometimes responding to questions from customers in the Asia-Pacific and European regions, sometimes reading Twitter – and head out to the gym. I was putting on “book weight” and decided that had to stop – so I have become part of the #DFIRFit movement! Then the real day starts.

And that’s where my day will diverge. Every day is a bit different. Looking at a typical day, it really depends on where we are in terms of a release cycle, conference season, or where I am most needed. If I’m on the road, most of my time may be spent prepping and rehearsing content, delivering presentations, engaging with other forensicators, and learning from the presentations of others.

Regardless of any meetings and presentations that may be on my schedule, I fill in the gaps by responding to questions from either the development team or customers. Those responses typically require a bit of research.

On days that I’m not on the road, working from my home office, I often go through feature tickets and update them based on what I discover. Sometimes I respond to questions from developers, but typically, I spend a good amount of time researching and trying to understand forensic issues before I provide feedback.

I regularly test development builds of new features, and offer feedback on those features, draft the artifacts’ connections, and help with the fragment descriptions for the artifact reference guide. At times I work with the content team to draft or provide a technical review of content.

I also spend a chunk of time in the evenings catching up on all the information shared by the industry. There’s always so much to learn, which is one of the greatest things about this field – new problems to solve and new artifacts being discovered. There’s too much going on in the field for anyone to know everything, which makes sharing with each other imperative. Sometimes you can find me on Twitter in my down time.

I’m lucky to have a dream job where I get to do things that I love to do, research forensic issues, and help others with questions they may have. But in a role that you are passionate about, and that is also global, there can be a blurring of time off and time on.

There are a lot of reasons for this blurring: working with people in different time zones, having great friends in the forensics space, and constant data generation. Because many of my friends are in forensics, sometimes a casual chat may lead to jumping on my computer to carve for data and check out an artifact.

I’m passionate about digital forensics, so this is a natural flow for me. However, I do make a conscious effort to take time off from work one day a week, which is positive for both my family and my sanity. 

It’s interesting because there’s quite a dichotomy between my days on the road and my days in my home lab. At home, I spend most of my day staring at a computer screen. I don’t have office mates to speak of, which is great for allowing for deep focus and concentration.

In contrast, when I’m on the road at conferences, I constantly engage with other people. The energy in these two arenas is very different. I gain energy from learning new things – the secret is that both people and data can stimulate the ability to gain more knowledge. There is always so much to learn!

5. You make segues so easy for me. Part of the reason I wanted to land an interview with one Jessica Hyde is your work in IoT forensics and the book that will come out of it. Can you tell us more about your research into IoT and your upcoming book?

Happily! Researching Internet of Things devices has been a great deal of fun. As someone who worked on teams that specialized in mobile device forensics, I often received the “weird” devices -- anything with an embedded system. This included everything from smartwatches to dashboards from vehicles to drones.

So, when the opportunity came along to work with Brian Moran to dig into the Amazon Alexa “Echo-system” – I dug in! I loved the complexity of coupling my hardware skills to obtain data from the devices, with my love of parsing data from unsupported apps.

Then came the realization that I needed to understand how to get data from “the cloud” and I was hooked! I began working on different IoT systems, from smart homes to smart watches, to smart thermostats, robot vacuums, light switches, and more. Can you think of something cooler to research in your spare time? I mean, I get to play with devices in my home and then tear them apart and find data, all in hopes of helping others. And I’m so fortunate that my hobby and my work are in the same field.

As I did increasingly more of this work and shared information in presentations and blog posts, more friends, acquaintances, and people I’d never met started to inquire about how to get data from more of these devices they were seeing on cases. In other words, as people begin to have more devices in their homes and on their person, IoT devices are more regularly becoming the witness, suspect, and victim in cases.

This led to ideas of what things to research next, and I began to collaborate with other examiners. The important aspect with regards to IoT forensics isn’t the recipe for how to get the data, because that can change – particularly as cloud APIs change. The important skill is understanding the methodology: how to identify IoT devices at the scene, create test data, find where that data resides, parse that data, and then apply the same methodology to cases.

As I began to research more devices, and as I regularly attempt to promote sharing in our community, it only made sense to challenge myself to practice what I preach and provide the methods to exploit forensic data from Internet-connected devices. To do this, I’m collaborating with others in different areas in the community to give them the opportunity to share their IoT forensics work.

The book’s focus is to discuss the forensic value of IoT devices, provide examples, and describe the skills necessary to test, acquire, and analyze IoT devices in forensic investigations.

As for the book’s format, there are really two main parts: one part that speaks to methodology, and the second part that speaks to examples. The methodology section is further broken down to describe ways to obtain and analyze data from physical devices, associated applications, and the cloud. This section explains concepts like In-System Programming (ISP) to read data from devices, parsing unsupported applications from mobile devices, and dealing with APIs and JSON data. 

The second portion is broken down into different categories of IoT devices, with examples of forensic analysis. It’s important to note that this second section is meant to serve as an example, not a recipe. Again, this is a rapidly changing area, and with a book the concept is to share a resource about how to conduct the analysis. 

This section will also include contributions from other digital forensics professionals who have explored different IoT devices. I’m fortunate to know fantastic, talented forensicators also working in this area who are interested to share what they’ve learned. This will hopefully allow the reader to see other perspectives on IoT forensic analysis and provide a wider depth and breadth than I could provide alone.

I hope to release the book in early 2019. If anyone has any questions, ideas, or contributions, I happily welcome their input. The book’s goal is to provide a methodology to investigate IoT devices the reader may encounter in the field. I think IoT forensics will continue to become a larger part of cases and a significant source of data and we all need to work together to understand how to investigate it.
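The methodology described above ends with dealing with cloud APIs and JSON data, and one recurring task there is turning a nested per-device export into a single chronological timeline. The script below is an added example written for this post; it is not code from Jessica Hyde, the book, or Magnet Forensics. The export format (fields `devices`, `device_id`, `events`, `ts_ms`, `type`, `payload`) is an assumption standing in for whatever a given vendor's API returns, and the records in `SAMPLE_EXPORT` are constructed. It also shows the failure mode that matters in practice: records with missing or malformed timestamps are kept and flagged rather than silently dropped.

```python
import json
from datetime import datetime, timezone

# Constructed sample export from a hypothetical IoT cloud API. The schema
# (devices / device_id / events / ts_ms / type / payload) is an assumption
# for this example, not any real vendor's format.
SAMPLE_EXPORT = json.dumps({
    "account": "user@example.invalid",
    "devices": [
        {"device_id": "thermostat-01", "events": [
            {"ts_ms": 1532779200000, "type": "setpoint", "payload": {"target_f": 72}},
            {"ts_ms": 1532782800000, "type": "motion", "payload": {"detected": True}},
        ]},
        {"device_id": "speaker-kitchen", "events": [
            {"ts_ms": 1532781000000, "type": "voice_request", "payload": {"text": "what time is it"}},
            {"ts_ms": "not-a-number", "type": "voice_request", "payload": {"text": "bad record"}},
            {"type": "heartbeat", "payload": {}},   # timestamp missing entirely
        ]},
    ],
})


def to_utc_iso(ts_ms):
    """Convert an epoch-milliseconds value to an ISO-8601 UTC string.

    Returns None for a missing or non-numeric value so the caller can keep
    the record and flag it instead of losing it from the timeline.
    """
    try:
        ms = int(ts_ms)
    except (TypeError, ValueError):
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_timeline(raw_json):
    """Flatten a nested per-device export into one chronologically sorted list.

    Each row keeps the raw timestamp value next to the converted one so the
    conversion can be verified later. Rows whose timestamp could not be
    parsed sort to the end with timestamp_utc set to None.
    """
    data = json.loads(raw_json)
    rows = []
    for device in data.get("devices", []):
        for ev in device.get("events", []):
            rows.append({
                "timestamp_utc": to_utc_iso(ev.get("ts_ms")),
                "raw_ts_ms": ev.get("ts_ms"),
                "device_id": device.get("device_id"),
                "type": ev.get("type"),
                "payload": ev.get("payload", {}),
            })
    # Good timestamps in chronological order; unparseable ones at the end.
    rows.sort(key=lambda r: (r["timestamp_utc"] is None, r["timestamp_utc"] or ""))
    return rows


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_EXPORT):
        print(row["timestamp_utc"], row["device_id"], row["type"], row["payload"])
```

Keeping the original `ts_ms` value beside the converted string is deliberate: it lets a reviewer re-derive each timestamp from the source export, which is the same verify-and-report discipline the interview describes from the avionics shop.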

6. What is your advice to someone who is looking for ways to give back to the community?

This is an area I’m quite passionate about, so I’m glad for the opportunity to share my thoughts on ways to give back to the community.

There are so many ways in which those of us involved in DFIR can give back. One of the most obvious ways is by sharing what you’ve learned with others. This can take many forms, including everything from mentoring to presentations.

I would like to point people to some really good posts on this concept, including Harlan Carvey’s “Beyond Getting Started” and Brett Shaver’s “Sharing is Caring”. They discuss the importance of sharing back what you learn with the community.

Some of the ways to share your research and knowledge with the community include developing scripts, giving presentations, posting artifact details, teaching, answering questions on listservs, and of course writing -- in the form of a blog, a whitepaper, article, book, or even peer reviewing others’ work. I outlined my thoughts on each method more formally in this blog post late last year which can be found here.

One of the current issues related to sharing that a group of us is currently discussing is Rapid Peer Review for practitioners. There are a lot of thoughts on this, including Brett’s “The RAPID PEER REVIEW” and Joshua James’s “DFIR already has Rapid Peer Review – we can do better”. The outcome of these discussions should serve to create a way for practitioners to expand on and validate each other’s work at the practitioner level. I encourage anyone who has ideas in this area to please reach out to me to be involved.

It’s important to note that you don’t need to have as much experience as you, Eric, or someone like Harlan or Brett to share! This industry is so vast and there’s so much to figure out. If you figured something out for an examination because you couldn’t find material on how to get data off that device or parse that artifact, someone else may run into that same scenario. There are so many unknowns that the only way we can succeed as a community is to work together to share our knowledge.

But sharing can be even bigger! It doesn’t have to be just within the confines of our community. Some people may have the motivation to find ways to use their DFIR skills to give back in other ways. This can include everything from discussing Internet safety and multi-factor authentication in your community, to speaking at schools, to teaching victims of abuse how not to be violated digitally by their abusers.

I just recently organized some of my thoughts on Giving Back in DFIR in a blog post. I included some specific organizations that are doing work to give back that people can learn more about or find new ways to help others. I’m so proud to be a member of this community where we can have impact in the world well beyond our cases with our skillsets.

You can also give back by helping people learn about the field. You can help introduce new examiners to the field by participating in everything from resume clinics, to volunteering with groups that help bring people to conferences.

I was fortunate enough to have an opportunity to volunteer at a resume clinic run by Lesley Carhart at Circle City Con. It was a tremendous experience and I met some great future DFIR practitioners. Mentoring is also a great way to help others. Organizations like H.E.R.O. Child Rescue Corps help transitioning wounded veterans move into law enforcement careers as trained counter-child-exploitation professionals.

There are also groups like Cyber Sleuth Science Lab that focus on bringing digital forensic education to underrepresented high school students. In the words of DFIR practitioner Richie Cyrus, it is our responsibility to “send the elevator back down”.

7. What is your advice for someone who is looking to break into the digital forensics field?

My advice is to learn and get involved. As far as learning, there is great formalized training at both the university level, and via training courses from vendors and organizations.

However, college degrees and expensive DFIR training have a cost barrier. There are lots of great ways to access information outside of those formalized courses. I highly recommend that anyone looking into the field check out the following three resources, as they are a gateway to other information:,, and subscribe to

By using these resources, you should be able to find archived content specific to what you’re seeking, as well as keep up on the newest information that the community is sharing. That said, please look out for scholarship opportunities to get access to training. I listed several in the Giving Back in DFIR blog that I mentioned.

A lot of people ask what certifications or training they should choose. Well, just like much of forensics, it depends. One thing I suggest is to look at the requirements in job postings for your dream job and start taking the steps to get there.

I also encourage people to apply for jobs where they don’t meet every single requirement. Often that is just the “dream candidate”; it’s unlikely that they’ll find someone who meets all the requirements. Apply anyway! The worst that happens is that you don’t get the position; the best that happens is that you get the job and the opportunity to learn skills you might not otherwise have.

Of course, it’s important to have a CV/resume. But if you have no experience, what goes there? If transitioning out of one career into a new one, list cross-industry skills. This could include writing, technical skills like networking or programming, or soft skills like the ability to brief executives. Make sure your resume includes all the training and certifications that you have gotten.

One of the most valuable things you can have on your resume is a reference to your own work! If you’ve been sharing as you learn or research, a place where you’ve blogged about that research can be a real foot in the door.

When I hired forensic practitioners, I really appreciated when the candidate had a public blog post on some research they had done. Not only did this let me know that they could conduct, understand, and write about forensic research; it also gave me a specific topic to focus on in the interview.

If you can go in depth about something you’ve researched, chances are you’ll be a good fit. You may also be more comfortable than if the interviewer asks randomly about some topic you haven’t spent as much time on with practical hands-on work.

It isn’t always about the resume. Sometimes it all comes down to networking. Often that’s because even finding the job opening can be a struggle. This has gotten better thanks to sites like having a jobs page focused on our industry. I address several of the nuances in finding a job in a blog post that can be found here.

Of note, in that post is a matrix to help figure out the potential titles of positions you may be interested in applying for. Sometimes finding the actual requisitions to apply for can be a tricky part of the process.

In general, though, networking is important in almost every field. I’m a strong proponent of getting involved. So how can you do that? It’s great if you can get out there and meet other people. They may know of a position, or you may meet someone who’s hiring.

I highly recommend attending a conference in your vicinity and looking for a local BSides conference. The wiki here is a great place to find out about local BSides. You’re bound to learn something there.

You can also try to get involved with an association in your area. A great resource for finding some of these groups is to look at the Associations page on I also advocate joining the #DFIR community on Twitter. A lot of great information is shared on Twitter first. If you follow me, @B1N2H3X, I have two Twitter lists you can access on my profile to get you started with finding other DFIR folks.

Thank you, Eric, for the opportunity to share. I have been a long-time reader of AFoD and it is a true honor to have been invited to be interviewed by you. You and your blog do an amazing job of sharing content with the community. Thank you again for this honor and privilege.