Sunday, February 20, 2011

Behold! The Future?

The last blog post resulted in quite a few discussions with a variety of interesting people. Several other bloggers such as Harlan Carvey, Lenny Zeltzer, and David Sullivan picked up on the post and discussed it in their own blogs. One of the conversations that planted a seed in my mind was one that I had with Jake Jacobson. You probably don’t know Jake, but I’m working on fixing that. He’s one of the two people who I am currently interviewing for the blog. Jake is a digital forensics leader for a government digital forensics lab.  He has a tremendous amount of experience in the field and I enjoy talking to him because of his insight into a variety of topics in digital forensics.

In our conversation, Jake posited that the Motorola Atrix might be a vision of the future of mobile computing. As I discussed it with him and thought about it more after our conversation, I think he’s correct. While I’m not necessarily predicting the demise of the laptop computer, I think we’re approaching a time where the traditional laptop device is going to be deemphasized, at least in the consumer market. What I find fascinating about the Atrix is that it’s the first dockable 4G smartphone that I’m aware of being marketed by a major manufacturer. The Atrix dock allows the user to connect their phone to an HD monitor as well as a keyboard and mouse. Essentially, it’s a smart phone that can at least partially be used in the manner of a traditional dockable laptop computer. However, it’s not necessarily being marketed as a replacement for a laptop computer. In fact, it has a Lapdock that allows the device to connect to a laptop. However, it’s easy to see that as time and technology march on, these sorts of devices could start replacing laptops in at least some circumstances.

One of the major divides with computing devices is the ability to consume content and the ability to create content. Traditional desktop and laptop devices are able to create content as well as consume it. Mobile devices like smart phones and tablet computers are primarily designed to consume content. As these devices become more powerful, they will increasingly be able to create content. However, it’s not just processing power that is a barrier to content creation. The user interface is also a key issue. Even if your smart phone were capable of content creation, do you really want to do it on a four inch touchscreen? That’s not a design that is conducive to long or complicated content creation sessions. However, if you could dock your smart phone into a docking station and use a mouse, keyboard, and monitor (which may also be touchscreen capable), the user interface experience is no longer a barrier.

So then I wonder about disk space. Technological advances continue to drive the price of storage technology down all the while increasing what can be stored on ever shrinking storage devices. Even now there is a significant amount of storage capacity on smart phones through the use of high capacity microSD cards. I think that as wireless bandwidth becomes cheaper, faster, and more reliable, we’ll see increased use of cloud based storage solutions that can be used for content creation rather than just content storage. In the future, I doubt we’ll need terabytes of storage on a mobile device to be able to use terabytes of data for content creation purposes on that same device.

While I’m still not predicting the demise of the laptop computer, I suspect the future of mobility in computing lies with smart phones rather than laptops. Even the laptops are becoming more mobile. It’s more likely that the future of laptop computing will look more like the Macbook Air and less like the traditional laptops we see in many homes and corporate environments today.

I’m convinced we are going to see smart phones being increasingly used for financial transactions, especially in the retail world. There are a couple of other technological twists for smart phones that I want to bring to your attention before I continue on. We’re already at the point where you can use your smart phone as an airline boarding pass. The user simply has to have an email sent to their smart phone which includes a QR Code that can be scanned by a gate agent. It’s not a terribly difficult solution for the airlines to implement, but it shows how these devices can be used to replace older technology such as the printed boarding pass. The other interesting twist is that Google has announced that it now supports two-step authentication for Google accounts. This method provides the option to use a smart phone in the authentication process.

I think this is the sort of thing that we’re going to see in relation to using smart phones to facilitate credit card transactions. It could start out as using a smart phone to authenticate a transaction involving a physical credit card. In that sort of scenario, the physical credit card is still handed to the retail clerk or scanned into a card reader. However, the transaction does not complete until an authentication message is sent to the smart phone and validated by the user using, for example, some sort of password. This would require a very reliable wireless network before it would be adopted by the public. The last thing you want is to be standing in line at Target with a half dozen impatient people behind you staring at you as you fumble with your phone trying to get it to authenticate your transaction, but being unable to do so because of poor network connectivity.

With a reliable wireless network (there’s a Six Sigma project in someone’s future), you could eliminate the physical credit card from the process. Banks could also potentially eliminate persistent credit card numbers, which could greatly reduce their exposure to certain forms of credit card fraud. Maybe we end up with a scenario where a smart phone credit card application is linked to the bank through our reliable wireless network. When a purchase is to be made, that application communicates with the bank and issues a one time temporary credit card number for that particular transaction. That one time number is transmitted to the retailer through something like a QR Code that is scanned by the retailer from the phone. Further authentication can be built into the process by requiring some sort of biometric authentication (let’s just imagine a future without passwords while we’re speculating) from the user before the transaction can be completed.

This could also be used as a protection against the various credential-stealing, money-laundering bits of malware that are active in the wild currently. So Zeus steals your bank account information, but when the money is set to be removed from your account and sent to a money mule, an authentication message is sent to your smart phone alerting you to the transaction.
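As an added illustration of the two ideas sketched in the preceding paragraphs (this is example code written for this post, not anything the author, a bank or a phone vendor has published), here is a toy model of a bank that issues a single-use transaction number bound to one purchase and honours it exactly once, and that holds an account transfer pending until the phone confirms it. The bank key, account names, merchant names and amounts are all constructed for the demonstration.

```python
# Added example: one-time transaction numbers plus out-of-band transfer
# confirmation. All names, amounts and the bank key are constructed.
import hashlib
import hmac
import secrets
import time


class Bank:
    """Issues single-use transaction numbers and redeems each one at most once."""

    def __init__(self, key: bytes):
        self._key = key        # server-side secret; never sent to phone or retailer
        self._issued = {}      # token -> (account, amount, merchant)
        self._used = set()     # tokens that already paid for a purchase
        self._pending = {}     # transfer id -> (account, dest, amount)
        self.balances = {}     # account -> balance in cents

    def _tag(self, nonce: str, expiry: int, account: str, amount: int, merchant: str) -> str:
        msg = f"{nonce}|{expiry}|{account}|{amount}|{merchant}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    # --- phone side: the app asks the bank for a number before paying ----------
    def issue_token(self, account: str, amount: int, merchant: str, now=None, ttl=120) -> str:
        nonce = secrets.token_hex(8)
        expiry = int(now if now is not None else time.time()) + ttl
        tag = self._tag(nonce, expiry, account, amount, merchant)
        token = f"{nonce}.{expiry}.{tag}"   # this string is what the QR code would carry
        self._issued[token] = (account, amount, merchant)
        return token

    # --- retailer side: the scanned QR payload goes back to the bank -----------
    def redeem(self, token: str, amount: int, merchant: str, now=None) -> bool:
        now = int(now if now is not None else time.time())
        if token in self._used:             # a captured number replayed later
            return False
        rec = self._issued.get(token)
        if rec is None:                     # unknown or tampered token
            return False
        account, _, _ = rec
        try:
            nonce, expiry, tag = token.split(".")
            expiry = int(expiry)
        except ValueError:
            return False
        # Recompute the tag with what the retailer claims; any edit to the
        # amount or merchant in transit makes the tag mismatch.
        expected = self._tag(nonce, expiry, account, amount, merchant)
        if not hmac.compare_digest(expected, tag):
            return False
        if now > expiry or self.balances.get(account, 0) < amount:
            return False
        self.balances[account] -= amount
        self._used.add(token)
        return True

    # --- out-of-band confirmation for transfers (the credential-theft case) ----
    def request_transfer(self, account: str, dest: str, amount: int) -> str:
        """Credentials alone only create a pending transfer; the bank pushes the
        returned id to the account holder's phone for approval."""
        tid = secrets.token_hex(4)
        self._pending[tid] = (account, dest, amount)
        return tid

    def confirm_transfer(self, tid: str, approved: bool) -> bool:
        rec = self._pending.pop(tid, None)  # decision consumes the request either way
        if rec is None or not approved:
            return False
        account, dest, amount = rec
        if self.balances.get(account, 0) < amount:
            return False
        self.balances[account] -= amount
        self.balances[dest] = self.balances.get(dest, 0) + amount
        return True


def demo() -> dict:
    """Walk through a purchase, a replay, a wrong merchant and a declined transfer."""
    bank = Bank(key=b"constructed-demo-key")
    bank.balances["acct-alice"] = 10_000                 # $100.00, constructed
    token = bank.issue_token("acct-alice", 2_499, "Target #0421", now=1_000)
    first = bank.redeem(token, 2_499, "Target #0421", now=1_030)
    replay = bank.redeem(token, 2_499, "Target #0421", now=1_040)
    other = bank.issue_token("acct-alice", 500, "Target #0421", now=1_000)
    wrong_merchant = bank.redeem(other, 500, "Other Store", now=1_010)
    tid = bank.request_transfer("acct-alice", "acct-mule", 7_000)
    mule_transfer = bank.confirm_transfer(tid, approved=False)
    return {"first": first, "replay": replay, "wrong_merchant": wrong_merchant,
            "mule_transfer": mule_transfer, "balance": bank.balances["acct-alice"]}


if __name__ == "__main__":
    print(demo())
```

The balance only moves on the first redemption; the replayed number, the number presented by a different merchant and the unconfirmed transfer are all refused.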

Saturday, February 12, 2011

There Is No Alternative

This past week I learned that a research group has reported that smart phones are outselling personal computers. It’s further confirmation to me that we’ve moved out of the era of computer forensics and into the era of digital forensics. Computer forensics, of course, will continue to play an important part of what we do as a community, but the mobile device era is firmly and undeniably in place. Every now and again I still see examiners comment on some of the digital forensics listservs about how they hate working on phones. I have to restrain myself from asking how they feel about obsolescence.

We’re at the point where being able to perform mobile device forensics is increasingly becoming a mandatory skill for a digital forensics examiner. While I’m not amazed at how ubiquitous these devices have become, I will admit to a certain level of awe when I see just how powerful these devices are and what they are capable of doing. We haven’t been in the smartphone era for all that long and we’re already seeing mobile devices such as the forthcoming Droid Bionic that will have relatively powerful multi-core processors.

With great power comes great vulnerability. Gone are the days when you could use a mobile device without worrying about malicious actors working to compromise your phone and your data. There are already numerous vendors who are offering anti-virus protection for mobile devices. There are hundreds of thousands of applications available for mobile devices and even applications created by reputable vendors can expose users to risk. For example, viaForensics recently released the results of their research that showed vulnerabilities in the applications of many high profile companies including financial firms.

Mobile devices are going to be an issue for examiners regardless of their role or industry. For traditional digital forensics investigations and eDiscovery, devices like smart phones are a treasure trove of information such as text messages, email, geolocation data, address books, pictures, and movies. I recently attended a webinar that illustrated the convergence of mobile device forensics and analytical software. This presentation illustrated how an examiner could use a mobile device forensics tool such as Cellebrite to harvest information from a smart phone and then feed it into a visual analytical tool made by i2 to assist an investigator in establishing links between people.

The incident response and penetration testing world will need to rapidly adjust to the mobile device era given how the criminal element will be increasingly targeting these devices. There have been numerous stories in the press talking about the convergence of mobile devices and electronic crime. I even read a recent article that reported that smart phones could eventually work as credit cards. It’s clear to me that mobile devices are going to be a key element of financial crime in the future. People are increasingly using mobile devices for routine banking. If it hasn’t happened already, it’s only a matter of time before we see Zeus style malware infecting mobile devices for the purpose of harvesting banking credentials. These credentials can then be used to transfer money out of a victim’s account to be laundered through money mules before the victim realizes what has occurred. Brian Krebs has done some excellent reporting in the area of not only electronic crime, but money mules in particular.

Forensic 4cast Awards

Lee Whitfield announced this week that the nominations are open for the 2011 Forensic 4cast awards. You can submit your nominations at the Forensic 4cast website. If you think about it, you should send Lee a nice note (or donation) thanking him for doing this for the community. He puts a tremendous amount of effort into this at his own expense.

Book Reviews

I’ve been making more of an effort to write up reviews for some of the books that I’ve been reading. You can find my reviews at my Amazon profile here. I haven’t been posting my reviews to the blog because I’m normally backed up on content (a nice problem to have) and it’s easy enough for you to read what I post on the Amazon site.

AFoD Interviews

The interviews have received a great response and I thank you all for the positive feedback, both public and private. I have two more that I’m working on as I write this and I hope to have them up relatively soon. If you are interested in seeing a particular person interviewed, please feel free to let me know.

Cyber Crime 101 Podcast

Joe Garcia had me on the Cyber Crime 101 podcast this past week. We talked about life after law enforcement for digital forensics examiners. We also talked a bit about the issue of law enforcement only tools. I’m a fan of Joe’s podcasts because I always seem to learn something new when I listen to them. For example, this podcast taught me that Virustotal now has browser addons for Firefox and Chrome.

Monday, January 24, 2011

An Interview With Ryan Pittman

I am pleased to present an interview with Assistant Special Agent in Charge Ryan Pittman of the United States Army Criminal Investigation Command’s Computer Crime Investigative Unit. Ryan is one of the sharpest criminal investigators in the digital forensics field and is a very personable fellow. I had the good fortune to finally meet him in person at last year’s CEIC conference in Las Vegas and it was one of the highlights of my experience. As you will see from this interview, he’s very knowledgeable, down to earth, and is passionate about teaching others about digital forensics and information security. If you like this interview, you will also enjoy hearing him on one of the recent Forensic 4cast podcasts that Lee Whitfield hosted with Rob Lee, Ryan, and myself.

Professional Biography of Ryan Pittman

Ryan Pittman is currently a Criminal Investigator (1811) for the U.S. Army Criminal Investigation Command’s Computer Crime Investigative Unit (CCIU) near Washington, DC, continuing a career of more than 12 years in law enforcement and forensic science. Special Agent Pittman previously served as a Digital Forensic Examiner for Stroz Friedberg, LLC; a Master Instructor for Guidance Software, Inc.; a Senior Forensic Analyst for Sytex, Inc.; and a Computer Crime Coordinator (as an active duty soldier) for the U.S. Army Criminal Investigation Command. He is currently a Ph.D. candidate with Northcentral University, after receiving his Master of Forensic Sciences from National University, his Master of Science in Management in Information Systems Security from Colorado Technical University, and his Bachelor of Science in Criminal Justice from the University of Maryland University College. Special Agent Pittman has taught for George Washington University, University of Maryland University College, and Central Texas College, among others, and has been invited to teach or speak about incident response, digital investigations, and computer forensics on five continents.

AFoD Interview with Ryan Pittman

AFoD: How did you get involved in digital forensics?

RP: I won't say it was by accident, but it certainly wasn't something I expected... I have been blessed in my career (and in my life, really) to have good mentors and people I trusted that took an interest in my success.

I started my professional life as a junior high school Spanish teacher, but during my student teaching decided I didn't have the patience for it.  I felt a calling to serve my country, and to a greater extent to do something "meaningful" with my career.  I didn't exactly know what "meaningful" was at that time, and some argued that being a school teacher was a noble enough calling, but I needed something more concrete and wanted to feel like I was contributing to the world each morning when I woke up. So in a stroke of brilliance (read: moment of insanity), I took a break from college and ran off and joined the US Army as a Military Policeman.

I immediately fell in love with law enforcement and everything we stood for: truth and justice, law and order, help and kindness. Yes, I was very naive at that time, but it was enough to keep me wanting more. I soon decided there had to be more to life than writing traffic tickets and busting heads at the club on Saturday night. Serving in Okinawa, Japan, a colleague named Clarence Lahl was the first to get me interested in investigations.  It was the logic of it that appealed to me, and the chance to try to prove that we were smarter and more tenacious than the bad guys.  I worked my way up, becoming a Military Police Investigator, and (as soon as I could) I joined the Army's Criminal Investigation Division (CID).  During this same time, I switched from an Education major to the degree that every good cop (mistakenly) believes will help him do his job better, Criminal Justice, and earned my B.S.

As a military CID Agent, I worked all manner of crimes from adultery (yes, it's a crime in the military) to wire fraud and everything in between. Every investigator soon figures out that they are better at some things than others and enjoy some aspects of the job more.  For me, it was crime scenes and physical evidence... I loved the science of it, the fact that measured and meticulous attention to detail could be the thing that blew a case wide open. I also liked the idea (even if it was a little naive - I am noticing a trend here) that there was a part of each investigation from which the "truth" could actually be divined, when the human aspect was at worst unrepentantly false and at best unreliable.  So, I thought the only way I could ensure I got to focus on what I liked best was to enroll in grad school, which I did and earned a Master of Forensic Sciences degree.

It was about this time that the profile of digital evidence began to grow and we began taking note of how computers could contain evidence of virtually any crime, not just traditional computer offenses, such as kiddie porn.  Where I was stationed at the time (Fort Hood, TX), I had the good fortune to serve with Jamey Tubbs and Jessica Bair (of Guidance Software fame), who were among the pioneers of computer forensics in Army CID.  They started a local computer crime program at Fort Hood, which allowed us to get our digital evidence examined locally, rather than having to send it off to our crime laboratory in Georgia.  I gave them a lot of business and picked their brains whenever I could. I saw digital forensics as an opportunity to specialize even further and deal with a particular type of evidence that was new and interesting (I love to learn new things!).  To be honest, I got tired of taking evidence, walking it to the back of the office, pushing it through the "secret door," and then not seeing it again until three weeks later when I got it back with a forensic report. I wanted to be on the other side of that door!

Jessica left the Army for Guidance Software and Jamey left to serve in Kuwait, but I took it upon myself to keep learning all I could about the discipline and the emerging science behind digital forensics. Despite my education and my interest, it was unlikely I would be able to convince CID to pay for formal training or allow me to work as a computer crimes guy; it was definitely still a niche in the Army at that time and there were plenty of other criminals that needed catching. But, fortune smiled on me again as I PCS'd to Kuwait to be Jamey's #2.  I guess Jamey took that as a sign... He had been a part-time instructor for Guidance Software for several years by then and got special permission to not only teach the EnCase Forensics Intermediate Course to a handful of us in Kuwait, but also to administer the written portion of the EnCE exam. So I took the course and the exam, qualified for the practical portion, which I also subsequently passed. As a newly minted EnCE, I began doing examinations on real criminal evidence and knew at that point that I had started on the path that would define the rest of my professional life.  So, that's how I got started, and the rest (as they say) is history.

AFoD:  In 2005, you made the decision to leave the Army and go into the private sector. Can you tell us what lead to this decision and what your professional life was like in the private sector during this period?

RP: I had reached the point in my career where I had a Master's degree, tons of experience as a criminal investigator, and had been doing the digital forensics thing for a bit.  However, I was working in an organization that was VERY hierarchical, where a person's worth was determined by his rank, not by what he knew or what he could do. That is not necessarily a knock on the Army (because I have the Army to thank for most of the positive opportunities I've had in my career and making me a better person), but that is just the nature of the organization.  So, here is what I was looking at in late-2004:

1. I was freshly out of the Middle East (if you've never spent more than a year away from your family in a combat zone, it is a character builder!) and had been told face-to-face by the CID Commanding General that I would most likely be headed back there in a year;

2. I was a Staff Sergeant (for those unfamiliar with the military, that is a middle-management, enlisted Non-Commissioned Officer rank). I had two choices for promotion... Either I could stay enlisted, which meant in most cases ceasing to investigate cases and probably not being allowed to do another forensic examination as I was turned into an admin guy (Detachment Sergeant, Evidence Custodian, etc.), or I could become a warrant officer and commit to another seven years in the Army;

3. I was making less than $30k a year, working side by side with GS13s from the FBI and other agencies and seeing the type of salaries being offered by private companies for forensic specialists. The combo of those three things made me want to get out (although, in an honest moment, it was mostly #3).  The problem was that I wasn't just going to step off active duty and step right into a GS13 Special Agent position somewhere, particularly not doing computer crime, so I decided to try my hand in the private sector.  Simultaneously one of the best and worst decisions of my life...

Before I even left the Army, I was lucky enough to secure a job with Guidance Software as an instructor (thanks in no small part to endorsements by Jamey Tubbs and Jessica Bair). Then, with less than a month to go before I was to get out of the Army, I was "un-hired" due to a hiring freeze at the company. PANIC TIME! One of my colleagues at Fort Hood, Troy Asmus, made a couple calls on my behalf and found out there was a vacant contractor position at CID's Computer Crime Investigative Unit (CCIU). I applied, got picked up, and was off to D.C.

At CCIU, it was a brave new world... It was a gig doing hacking and intrusion investigations (or, in my case, forensic exams) and this was a watershed moment for me. I had never worked intrusions before, and so I approached it the same way I approached the type of computer forensics with which I was most familiar.  But, as you know, intrusion investigations are generally not anything like your garden variety child porn exam; it is a whole different league!  I spent almost six months going to work HATING my job. I felt stupid and worthless and like I was a waste of space. I got ripped in private meetings with my boss on an almost weekly basis and I was scared to death that I'd be fired (a feeling I'd never had before).  It wasn't that I wasn't working hard, or that I wasn't doing good work, it was that I didn't have enough experience to do the RIGHT work. But, I made it my mission to contribute the way I knew I should... I spent very long days, hours and hours in self-study, gobbling up anything I could read about intrusion forensics, and paying a lot of attention to a colleague that would become both an important mentor and best friend, Dave Shaver. And suddenly... The light bulb came on! I went from non-entity to ninja in a blink! It felt like it was overnight (even though it was the result of lots of hard work), and intrusion investigations and examinations became the most fun I'd ever had doing forensics. I knew right then that I'd make the rest of my career in the network security and intrusion forensics field if I could help it. CCIU began offering GS13 Special Agent positions as they transitioned to a civilian organization within CID. I applied and got hired, but in a case of career deja vu I got un-hired again as the Army pulled all the positions back.

About that time, Bob Weitershausen (another one of those great mentors I mentioned) at Guidance Software let me know that they lifted their hiring freeze and I was back in the saddle with GSI. I took over the network intrusion curriculum from Lance Mueller (who is brilliant, by the way) and spent the next two years living the life of an itinerant digital forensics instructor.  This was probably my favorite period in the private sector... I worked with good people, I got to share my passion for our discipline with eager students, and (most importantly) I got time to research, experiment, and play. No job is better in our field than one that gives you freedom to grow as a professional, doing something you love. After GSI made their public stock offering, my personal philosophy and that of the company's began to diverge so I reluctantly left. It was an amicable parting, and I joined a firm where I could get back to being a "doer" not just a teacher.

This firm had a great reputation, and backed it up with some of the most competent forensic professionals with which I had ever worked; among them was the great Eoghan Casey (reference aforementioned "mentorship" theme).  My time there was bittersweet and formed my general view of private sector gigs: great people, awesome money, no quality of life.  I felt owned, and after about three months I already knew I'd have to make a change or risk insanity. I couldn't take the demanding, sometimes demeaning, holier-than-thou clients anymore and doing so much civil work made me feel kind of icky.  It just wasn't in my DNA... I kept a lookout on USAJobs for a federal law enforcement position to open up, and was thrilled when one opened up back at CCIU.

Although I now know I am happiest in the government, I am extremely grateful for my time in the private sector, and I would recommend it to anyone who has never known anything but government service. There was more good than bad, and the three years I spent outside the government were worth their weight in gold:

1. I gained valuable experience with many more aspects of digital forensics (e.g., civil litigation, eDiscovery, etc.) than I otherwise would have if I had stayed 100% govie.

2. I was able to up my reportable salary number.  If you've ever been job hunting, you know that they always want to base your salary on what you made before, so the higher you can legitimately push that number the better shot you have at keeping it where you want it when you change jobs.

3. I became more appreciative... More appreciative of having a job in a bad economy. More appreciative of what a huge difference quality of life makes in job satisfaction. More appreciative of how a supervisor can make or break an employee (have to fill the ol' leadership toolbox!).

4. I made contacts and grew my professional circles. I cannot overstate how important the people are that you meet along your path. You never know when someone is going to reach out and give you a hand up (which is always nice), but then being able to reach out your hand and offer help to another is the best!  Not to mention all the awesome people I had the extreme good fortune to learn from.

5. I also learned a lot about myself... I learned which digital forensic specialty appealed most to me. I learned I liked to teach as well as do.  I learned I am happiest in the government. And, I learned that money isn't everything.

AFoD: One of the things that is apparent from your career is that you have a keen interest in teaching. In 2007, you started work on a PhD and a couple years later you began a new role on the side as an associate professor. Can you tell us about your work in the academic world? I'm curious about your research interests as well as what you are teaching your students.

RP: I do have an interest in teaching and try to scratch that itch whenever I can... I don't know if it comes from my time as a junior high teacher earlier in my career, but I love the opportunity to talk with people who are as enthusiastic about our field as I am.  You just can't teach passion, so anytime you meet someone who has the drive and the enthusiasm, adding the know-how is the easy (and fun) part.  I broke into teaching at the college level as a Criminal Justice instructor at a community college (before I had even finished my own B.S.). It whetted my appetite for not only sharing experiences with others interested in breaking into CJ but also stimulated my own appreciation for how important continuous and life-long learning is to our competence and effectiveness as professionals. That small start led to extensive graduate work, and additional teaching gigs for universities such as George Washington University and University of Maryland University College.  I've never really been an "academic," as I am a full-time practitioner and teaching has always been an as-time-permitted thing (except during a stint as a Master Instructor for Guidance Software).  But, as institutional education becomes much more available than it once was in computer forensics, there are greater opportunities to contribute to and formalize the canon of our art/science.

I know this feeling is not unique... When I think of the folks in the computer forensics field, most of the professionals that we hold in the greatest esteem (or that at least get a lot of pub!), such as Eoghan Casey (Johns Hopkins), Brian Carrier (Purdue), Jesse Kornblum (Naval Academy), and Kevin Mandia (George Washington) just to name a few have all felt the call to teach.  I'll be the first to admit that I am not even fit to be mentioned in the same breath as these guys (heck, I'm lucky they even let me in the same room at conferences!), but they absolutely have the right of it: we will not get anywhere without doing our part to help the next Eoghan Casey or the next Eric Huber.

Good digital forensics programs in academia are still a little hard to come by...There are small pockets of excellence that exist at numerous institutions around the country, as colleges and universities have begun to realize that such courses can be cash cows; however, these courses are mostly the product of great professionals in our field giving focused effort to single offerings (don't get me wrong, this is very important).  But, until we get more programs focused on our speciality, and specifically move the level of that focus "up" (into the realm of serious doctoral work), I think we will continue to be mired by half-formed efforts designed to capture the latest trend in education by treating it as a spin-off of an IT or CJ undergrad degree.  The institutions that are getting more serious about offering digital forensics degrees (or have already taken great strides, such as UCF and Champlain) are successfully asking one very crucial question: "What do our graduates need to know how to do when they leave us?"   I had a large part recently in re-authoring two computer forensics and cyber security courses for UMUC, a project which was undertaken with that question in mind.  The reason this is so critical, in my view, is that we are a "DO"-oriented profession.

This is one of the key things I try to impress upon my students... It is not enough to know, or even to teach.  We are not psychologists seeking to satisfy our academic curiosity about the long-term effects of not owning a pet, or biologists that observe the migratory patterns of the tripod fish and say "Hmm, that is interesting."  Knowledge without application is wasted!  Our field moves too fast, and the proper application of our discipline (even in research arenas) can have an immediate impact on people's lives... This is of course true of many forensic disciplines, but the speed at which digital technology changes and evolves makes it all the more critical in digital forensics.  The other thing I try to inculcate in my students (as I previously mentioned) is a passion for digital forensics and investigations. I want to get them excited! I want to get them pumped! I want them to get a small taste of what it's like to break a big case wide open and catch the bad guy because they found the proverbial needle in the haystack as a result of their foo.

My philosophy is that I'll leave being brilliant to the Caseys and Carriers... My job is to be the best practitioner I can be, to share my experiences with others if they are interested (mostly so they can learn from my mistakes!), and be an advocate for our profession when I can.  With that said, I do have some research interests, but you'd probably be disappointed with how unsophisticated they are.  I am doing a lot of work currently pertaining to the nature of the insider threat to U.S. Army systems, particularly as they relate to criminal incidents.  The amount of resources (time and money) spent on investigating and remediating computer systems that theoretically should be among the easiest to control and lockdown (because of the nature of control in a military organization) is staggering, and there has to be a way to better address this issue without breaking the bank.  Other research interests include memory analysis (but who among us doesn't want to find out how to do this better, right?) and finding better and more clever ways to deal with the Trojan virus defense raised by suspects in DF cases.  Other than the insider threat work that is ongoing for my dissertation, I pick the other stuff up when I can and do an experiment here or some testing there. Eventually I'll get enough together that I publish a journal article in my spare time (whenever that is). ;-)

AFoD: One of the most self-destructive and limiting attitudes someone can have is to think, "Because I don't know everything, I don't know anything." I had to get over that attitude myself before I could work up the courage to do things like start a blog or teach people at a conference. It's easy to accept the fact that I'm never going to be someone who works at the level of an Eoghan Casey or Jesse Kornblum. Genius isn't common. It was harder to accept that I could still contribute even though I wasn't as gifted as those guys, but here we are talking so we both clearly got over it.

One of the reasons why I decided to swing for the bleachers and interview Richard Bejtlich for the first AFoD Blog interview was because I'm fascinated by why our top level people got into digital forensics. People like Richard, Jesse, Eoghan, and yourself would excel at anything they were passionate about. I'm curious about why these people picked digital forensics rather than another field. What sort of people are you finding being attracted to digital forensics? Are there any sorts of commonalities that you are seeing in your students?

RP:  You are very right that this can be kind of a rough field in which to draw attention to yourself... People often think they don't have anything to contribute, just because they've only been at it a couple years, or because they are still learning things on a daily basis themselves.  But, what they don't know is that we all are! Another deterrent is the fear of looking silly or having (perceived) knowledge limitations exposed for others to see.  It's kind of funny that you mention Richard Bejtlich in the same vein as "Because I don't know everything, I don't know anything."  I have enormous respect for Richard, although I've never had the pleasure of meeting him, and I think Real Digital Forensics is one of the best books (if not THE best) available on its subject.  Richard submitted the only review of less than 5 stars on Amazon for Eoghan Casey's book Handbook of Digital Forensics and Investigation, for which (as you know) I was a contributor.  As the basis for his less than perfect review, he called out my chapter specifically as one example of what he felt was a lack of coherence or overarching investigative scenario throughout the book as a whole.  I... was... crushed!  Not only did someone have something negative to say when I put myself out there, but it was someone who I told myself I was striving to be like...  I had to take a step back and realize I was being silly.  He didn't attack my science or my knowledge or my skill; he just didn't care for the way it was presented.  I don't know everything about forensics, FAR from it, and I'm not afraid to admit it; but beyond that, even if Richard hated everything about my work, and called me a cotton-headed ninnymuggins, it wasn't going to affect my law enforcement career or the fact that I'll keep trying to be more knowledgeable tomorrow than I am today.  Once I got that through my head, I saw his comments for what they were: well-intentioned and meant to inform and guide, not to cast stones.

For those folks that remain crippled by this professional anxiety, they just have to remember that EVERY SINGLE MEMBER of our community has something worthwhile to offer the field, even if it is just as a sounding board for the Forensic Gods (that's right, I am pointing at you, Casey, Bejtlich, Carvey, Carrier, and you others, you know who you are!) that move us forward. But I digress...

The folks that get into our field, in my experience, can be grouped, but each person seems to have their own motivations.  Generally, my students that are attracted to computer forensics seem to come from two primary areas of interest (not surprisingly): information technology/security and criminal justice.

The IT/IS folks are by far the more tech savvy, and as Rob Lee (or maybe it was you?) recently mentioned during a Forensic 4cast podcast, these are the folks that are way ahead right now as far as being ready to jump into computer forensics when they graduate.  I find my IT/IS students can be divided even further: those that are hardcore computer nerds (not a bad thing) and those that got into IT because it promised good jobs.  The computer nerds like forensics because of the added challenge it presents; it is an intellectual stimulation and provides opportunities for research, experimentation, and innovation that are not as often found in an Information Management position.  The ones that pursued a technology education because of the jobs are mostly looking for some way to stand out, to distinguish themselves from the crowd.  They are driven and look at the sea of IT bubbas that they're in school with and have already flowed out into the world, and they want to find a niche that will give them a competitive edge in the job market (plus, many of them have friends that have told them about the sweet salaries to be made by folks that are good at digital forensics).

My CJ students are a different animal entirely.  For most of them, computer forensics is a "hey, that sounds cool" schedule choice rather than a career path.  They seem to be less motivated by the science of it and more drawn to the "cool" factor.  But, if we do our jobs as teachers and ambassadors, many of these folks love what they're exposed to and decide to try to specialize (again, often lured by discussions of higher salaries for people that get good at it).  For these folks it is also less about challenging intellectual pursuit and more about some aspect of how this specialty can help them serve (e.g., protect kids, guard national security secrets, etc.).  These folks don't see themselves protecting a large corporate enterprise for a living, but rather chasing bad guys and putting them in jail.  They have studied victimology and criminology rather than SQL programming and IDS configuration.  In general, these folks are slower to filter into our field than the IT/IS graduates because the learning curve is more severe.  But, once these folks reach a level of proficiency, they are among the most talented and driven practitioners you'll ever meet.

AFoD:  I'd certainly fall in the criminal justice end of things when it comes to a starting point. I went from traditional physical law enforcement into the private sector where I started to learn digital forensics by doing it.  I have a pair of liberal arts degrees rather than anything technical. I frequently wonder, if I could do it over again, would I take the same path into forensics?  I suppose it would have been much better from a technical standpoint if people like you and I had started our educational lives studying computer engineering, computer science, or a similarly technical path. However, I also think people like us get quite a bit out of our formative years, whether that's pushing a blue and white around in my case or working as a general criminal investigator in your case. What would we have lost if we hadn't taken the paths that we did?

One of the things I've learned is that teams get considerable benefit out of blended experiences and backgrounds so it's probably good that the community has a certain amount of people like us along with the technical intellectual giants that we've been talking about during the course of this conversation. So let me ask you this: What did you learn from those pre-digital forensics days as a general criminal investigator that helped craft you into the first rate digital forensics person you are today?

RP: Although I am flattered, Eric, I think it's a stretch to call me "first rate."  I just try to use the Finding Nemo philosophy... "Just keep swimming..."

You know, I don't know if I would take the same path if I had it to do over again... I think the criminal justice experience is very valuable and now I wouldn't trade it for anything, but it was just so much gosh darned work! As these topics get more publicity and attention (thanks in large part to people like you), it seems that there are quicker ways to get from A to B academically, if not experientially.  It is certainly a different type of person, I think, that comes from this background (meaning, the bottom-up law enforcement route) and is now slinging bytes than a person that comes from an IT background.  It's a strange sort of maturity and complexity of character honed by diversity of experience that cops-turned-squints have, which it seems some science-only folks lack. That is not to say that non-law enforcement forensics guys and gals aren't great; in fact, the opposite is true, as they are often fantastic and are more likely to be the scientific game-changers in our field. But, there is just something about a forensic examiner who has that depth of experience in other disciplines, I just can't put my finger on it...

I think there are two primary things I learned from those early, pre-examiner experiences as a general crimes guy that help me as a computer crime investigator and forensic examiner: 1) You have to appreciate non-technical perspectives on a case and 2) Sometimes you have to make intuitive leaps.

1. Non-technical perspectives.  Sometimes, as examiners, we lose touch with the fact that we may be the only ones who understand the data.  I work plenty of cases where the only forensics being done on any physical evidence is digital forensics.  People outside of my exam don't understand the process and they won't understand the findings unless they are put in the proper context.  This leads to other investigators, lawyers, and sometimes even the media asking what seem like idiotic questions about whether or not an exam is finished yet or why I can't tell them definitively that X, Y, and Z occurred.  I mean, these are frustrations that we've all experienced, but I was once part of the unwashed masses wondering why the damned computer forensics on my murder case were taking so long.  Now, I have the benefit of perspective and have the ability to take a step back out of my forensic work and look at the situation from the point of view of the investigator or the attorney or the general public.  It helps me keep my cool when I just want to lose it on the next poor schmoe that calls and asks about his exam.  Also, it helps when I am writing my reports to remember what I would have wanted to know as the investigator, which often leads to a Bottom-Line-Up-Front (BLUF) that distills the findings down to easily digestible, concise language that is actually of benefit to the requester of the exam rather than pages and pages of techno-babble.

2. Intuitive leaps.  As scientists we often try to avoid intuition at all costs. We have this notion that everything is observable, everything is provable, everything is there, we just have to find it. The problem in digital forensics is that there are always gaps.  There are gaps in our knowledge and experience, there are gaps in timelines, gaps in available evidence, and sometimes it seems like we have more gaps than goodies.  What separates the good examiners from the great examiners is often what a lot of good cops do as a matter of habit: make intuitive leaps that can be tested and either shown to be true or proven to be a dead end.  We have to follow the breadcrumbs, but most often the line is broken and it sure enough isn't straight.  As a general crimes guy, I learned that not everything is black and white, not everything is straightforward, and one clue does not always lead to the next.  You have to be able to develop scenarios for which there might currently be little support in order to take that next step of discovering where that support materializes.  Many examiners I have met follow the breadcrumbs and then just stop when the directly related digital clues seem to cease.  But, when others are met with this wall, they speculate, they innovate, they problem-solve, and they spin a case in their minds like a metaphorical Rubik's Cube, looking at it from every angle in order to wring every last drop of forensic-y goodness out of it.  When these intuitive leaps pay off, they pay off big, and when they don't they just cost time.  Yet, so many examiners struggle with this. I am no exception... It is something I learned to do early on in my career, but it is a difficult skill to keep sharp.  I struggle with this on EVERY case, but I like to think those skills I practiced as a GC guy form a solid foundation.  Look, sometimes the data really is telling us more than we think.

AFoD:  We spend a lot of time as a community doing what we've done with our conversation here, which is talking about how to enter the community and land that first job. As we both well know, that's just the start of the learning process. We've both been involved in digital forensics for a long time, and one of the things that has been a constant has been the increasing complexity of our jobs. When I first started, the primary area of focus for the community was relatively narrow, in that Windows was the dominant operating system for both corporate and private purposes. Sure, there were a certain number of other operating systems and file systems in the business and academic worlds, but taken as a whole it was Microsoft's world in which we lived. That meant that a digital forensics person could be very employable with a strong grasp of just the Windows family of operating systems and just a few file systems like FAT and NTFS.  With the resurgence of Apple and the advent of the mobile device era where there are many strong players like Google and Nokia involved, we're in a very different world now. Microsoft's products are still a strong component of our lives as digital forensics people, but we now have to learn many more operating systems and file systems so that we can meet increasingly complex customer demands.

How does Ryan Pittman keep his digital forensic edge sharp in light of all of this change and increased complexity?

RP:  *drama warning* Oy...! Changing technology is the bane of my existence.  Things stay the same just long enough to get really good at them, and then they go and change the rules. It is usually some song and dance about making money, or whatever, but as we both know they never leave well enough alone.  As a consumer, the changes and improvements in digital technologies are fun and exciting, but as a forensic examiner, it just means more heavy lifting... Haha!

It isn't quite as bad as all that, but it is a double-edged sword. It can be a struggle to keep up because we have to be generalists of our discipline (I can't afford to focus just on memory forensics or Macintosh file systems), but what keeps me interested in this field is all the new stuff, fun challenges, and research opportunities.

So, since the world never stops turning, and Bill Gates, Steve Jobs, and the Linus disciples never stop innovating, I have to accept the mantra "learn or die."  The first tool in my battle against obsolescence is reading... Everything I can get my hands on in our field. I look for the latest works by the biggies that I've come to trust, like Casey, Carvey, Bejtlich, and Carrier.  Then I read trade publications, like the Digital Investigations journal (for which I am also a reviewer, so I get to see a lot of the concept stuff too, even before it hits the printed page, which is AWESOME!).  Then I read blogs, and there are plenty to choose from. I like Harlan Carvey's blog, Lance Mueller's blog, the SANS blog, and Hogfly's blog.  And, catching podcasts like CyberSpeak and Forensic 4cast is also very helpful.  Beyond that, it is just trying to keep my ears open for anything else that sounds cool... Trying to talk to smart guys like you on a regular basis helps too.

After trying to absorb all the printed (or broadcast) material I can get, it is about motivating myself to do research and testing.  I mean, if you've ever asked yourself a question like, "I wonder what actions will cause the timestamps for the .Trashes file on a thumb drive to update," then you have a question begging for an answer. Research doesn't always have to be in a lab environment, and it doesn't have to solve world hunger.  It just has to be about, "I wonder if..."  Sometimes the small, easy tests you can perform in 15 minutes or less can be as personally rewarding as a giant six-month research project.  The best tests are the ones that result in knowledge you can apply immediately.

Last, I try to write or present whenever I can.  Putting stuff out there and having others in our field look at it is great motivation for trying to make sure your $#!~ is straight, particularly when you're writing about a new technology, technique, or artifact.  To get the benefits of this, you don't have to write a book or even an article... Go to a conference and make a presentation, teach a lecture course at your local college or university, guest write an entry for your favorite forensic blog, or look for opportunities to write portions of policy for your own organization or start innovative programs.

In short, it can be exhausting! But, we push forward because we love it and we are gluttons for punishment. And because we are all in it together...We all want to get from A to B, and when a new version of Windows comes out, we're all going to need to get from A to C.

Monday, January 10, 2011

An Interview With Hal Pomeranz

Welcome to the first AFoD blog post for 2011. I've decided to start the new year out with an interview with Hal Pomeranz. Hal is very well known in the information security community and is probably best known for his work with the SANS Institute as the driving force behind the Linux/Unix security content for SANS. Hal is also part of the SANS digital forensics team and has recently been spending quite a bit of time writing, researching, and teaching on various digital forensic topics.

Professional Biography of Hal Pomeranz

A dynamic and experienced technology authority, Hal Pomeranz is the Founder and Technical Lead of Deer Run Associates, a consulting company focusing on Computer Forensic Investigations and Information Security.  He has spent more than twenty years providing pragmatic Information Technology and Security solutions for some of the world's largest commercial, government, and academic institutions.

Hal is a Faculty Fellow of the SANS Institute, and its longest-tenured instructor.  He is the track author and primary instructor for Sec506: the Linux/Unix Security certification track (GCUX).  He is also a GIAC Certified Forensic Analyst (GCFA) and an instructor in the SANS Computer Forensics curriculum.  Hal frequently contributes to the SANS Computer Forensics blog, and is a co-author with fellow SANS instructors Ed Skoudis and Tim Medin of the weekly on-line Command Line Kung Fu column.

A leader in the community, Hal has served on the Board of Directors for USENIX, BayLISA, and BackBayLISA.  He is a co-founder of the IT Professionals Forum.  He is a frequent presenter at national and local technical gatherings, and the author of numerous books and articles on subjects ranging from Computer Forensics to Information Security to System and Network Management to Perl Programming.  Hal also served as the Technical Editor for Sys Admin Magazine during its last four years of publication.  He is a recipient of the SAGE Outstanding Achievement award for his teaching and leadership in the field of System Administration.

Prior to founding his consulting company, Hal's career included a variety of roles from System and Network Operations, to Network and Security Architecture, and even Software Development.  He has worked for an equally diverse set of employers including AT&T Bell Laboratories, NASA, the University of Pennsylvania, TRW Financial Systems, and even an Internet start-up, NetMarket, which was the first company to conduct a secure financial transaction on the World-Wide Web.  As a consultant for Deer Run Associates, Hal's client list includes Cisco, Microsoft, eBay, the FBI and several other government agencies.

AFoD Interview with Hal Pomeranz

AFoD: Many of the top level people in our community come from a law enforcement or military background.  The paths that these people take into digital forensics are generally defined by traditional law enforcement and military career development processes.  You are part of the top level of people who have entered digital forensics from the information technology world.  Can you describe your journey into the digital forensics community?

HP: I started my career as a Unix Sys Admin.  My first boss, an early mentor of mine, saw my interest in Computer Security and nurtured that.  So I ended up as a Unix Admin who was also an InfoSec person.

As an InfoSec professional, you're bound to have at least some interaction with computer crime events, even if it's just in the course of defending your own networks.  As it turns out, my second job was at the University of Pennsylvania, whose dial-up services were at the time being used by non-University folks for a lot of nefarious activity. This led to some interaction with law enforcement, including the local FBI office.

There were a couple of other watershed moments in my career that started me down the digital forensics path.  The first was incorporating forensic material into my SANS Linux/Unix security track when it was conceived in the early 2000's.  John Green-- who did incident response at NSWC Dahlgren and is now the CISO for the state of Virginia-- wrote and taught the original material in the track, and patiently answered lots of newbie questions from me.  When John went off to pursue other opportunities, I took over teaching and updating the material.  This forced me to learn a lot.  I'm also now one of the instructors in the SANS Computer Forensics curriculum, which has been a great opportunity not only to help others but also to expand my own knowledge.

But I still wasn't doing digital forensics as part of my professional consulting practice, though I did occasionally help out friends who were in difficulty and I certainly worked on engagements where I was part of the IT/InfoSec cleanup crew in the wake of an incident.  A couple of years ago, however, Rob Lee approached me about an opportunity with Mandiant.  Essentially they were looking to develop relationships with other skilled consultants who they could reach out to on an as-needed basis for short-term help during unexpectedly busy periods.  "Surge Staff" is the name of the program.

As it turns out though, "unexpectedly busy" seems to be more the rule than the exception.  I've spent a lot of time in the last year and a half working on cases through Mandiant.  It's been a very positive relationship for both of us, and I've certainly seen my skills expand enormously with the benefit of this experience.  Long live the Surge!

AFoD: Becoming part of the SANS digital forensic team is a relatively recent development for you.  Doesn't your involvement with SANS predate your involvement with the digital forensics community?  I think I remember you saying that you were one of the original SANS Fellows.  Can you tell us about your SANS career and how that has impacted your professional development?

HP: Of currently active SANS faculty, I think I can lay claim to being the longest-tenured.  Randy Marchany, Gene Schultz, and I have a good-natured argument going about who's the "oldest" SANS faculty member, but we've all been presenting at SANS conferences since the beginning of the 1990's (before the organization was called SANS, by the way).  I taught my first paid tutorial for SANS in 1994-- a class called "Securing Solaris: Step-by-Step". Over time, that course gradually morphed into what is now SANS' "Sec506: Linux/Unix Security" track, which is the basis for the GIAC GCUX cert. We rolled the first version of the track out in 2001 I believe.  John Green and Lee Brotzman originally contributed material to the track, and much of John's forensics material is still visible.  But I've been pretty much the only instructor and author for several years now.

As far as professional development goes, mastering material well enough to teach it to others seems to me to be the highest order of technical expertise you can obtain.  I learn a huge amount updating and teaching my courses.  And not just from my own research: SANS attracts some incredibly bright experts as students, and I learn something from the folks I teach every time I do a class. Teaching a class in front of a high level technical audience and being open to admitting that there's something you don't know may be one of the most difficult tightrope acts I can imagine.  "How are you going to learn anything if you know everything already?" is a motto that appears in my SANS "author's statement" and I think it's true.  We are all experts and yet also students at different times and in different subject matter areas.  There is so much we can learn from each other!

In the IT community that I grew up in, there was a lot of knowledge transfer going on, both formally and informally.  I was lucky enough to be mentored by some truly famous people.  Their expectation was that when I achieved a decent level of proficiency, I would educate the next generation-- "pay it forward".  I've tried to live up to that. Aside from stimulating my own learning, the other obvious benefit to being out there in the community and teaching/writing is the personal "networking" and reputation enhancement aspect.  For example, my current business association with Mandiant wouldn't have happened if I didn't know Rob Lee because of our mutual involvement in SANS. And certainly I've had former students who have become clients.

AFoD: Ovie Carroll is good at articulating the point about learning from others also. I agree with him when he says he can sit down with anyone and learn a couple of things from them.  There is just so much to know in our field that it's impossible to really master all of it.  That's why it's important for people to share even if they don't think they are at the level of someone like you or Rob. Now the fact of the matter is that you are in the top tier of digital forensics people.  What sort of skills did you develop over the years that helped you reach this level in the field?

HP: On the technical side of things, there's a whole body of low-level knowledge about file systems, networking, system devices, etc. that System Admins in my generation were expected to master.  For example, one of the first posts I wrote for the SANS Forensics Blog was a trick that uses alternate superblocks to allow you to mount "dirty" EXT3 file systems.  How did I know about that trick?  Because twenty years ago recovering broken file systems from alternate superblocks wasn't just a cool trick-- it was a necessary survival strategy!  In any event, it turns out that a lot of this technical knowledge is directly applicable to understanding forensic artifacts.

The other technical item that Sys Admins were expected to master was the ability to write code to automate repetitive tasks.  I'm dealing with a case right now where I need to process three or four dozen system images.  If I tried to do this serially using some of the standard commercial tools, I'd never get it done.  But because I can quickly write small shell scripts, Perl programs, etc., I can be doing lots of automatic processing in the background while I'm working on specific artifacts that pop out as "interesting".  Also, I can read other people's code, find bugs and vulnerabilities, understand what malware is doing, etc.  The ability to program provides so much leverage for forensic analysts!  It's a shame that more time isn't devoted to teaching these skills in typical forensic curricula.

Looking at non-technical skills, there's a problem-solving strategy that successful IT people tend to develop that's very similar to the process you go through when responding to an incident or working a case.  You end up asking the same sorts of questions: "What was the tip-off that something has gone wrong?", "What were you expecting to see instead?", "When was the last time the correct behavior occurred?", and so on.  Good IT shops spend a lot of time doing "root cause analysis"-- figuring out exactly what went wrong so that it never happens again.  But as forensic analysts we also spend a lot of time figuring out "what went wrong", and the skill sets overlap.

As an IT/InfoSec consultant, I'm also used to coming into lots of different environments and quickly assessing system and network architecture, getting a handle on the site's policies and procedures, and so on.  Sometimes I even have to try and deduce how things were supposed to be configured, and then try and figure out where bit rot and entropy have set in-- I call this "IT archeology".  You do the same sorts of things when you're pulling apart a forensic image and trying to figure out what the machine was supposed to be doing and what's been happening on the machine.

From a psychological perspective, succeeding in IT over the long term generally means you've developed a certain level of confidence in working with strange problems without much external support or documentation.  Computer systems are deterministic-- if you fully understand the technical underpinnings, you should be able to understand past failures and/or predict future behavior.  Certainly you develop strong research skills and good testing methodologies, but confidence is key.  In the current forensics space, where so much is undocumented and you're often left to your own devices to figure things out, this confidence that you will be able to find a solution is supremely important.

AFoD: There are plenty of people who are in information technology who are good problem solvers and can do some scripting of repetitive tasks, but we both know that doesn't automatically make them good candidates for a role in digital forensics.  What do you think are the fundamental building blocks that someone needs to have to be turned into a good digital forensic examiner?

HP: In a nutshell, you want to look for the ones who do the root cause analysis and don't just reboot the machine when something goes wrong. They're the ones who want to figure out *why* a problem happened, not just make it go away.  They're going to learn more and learn faster than their peers, and they've got the kind of staying power that comes in handy during investigations.

It also helps if they can write.  Do they produce coherent documentation?  Are they writing articles or putting their ideas out in the community via other means?  Can they convey information to non-technical people?  Communication is key, because what we do is a "team sport" that involves lots of people, both technical and non-technical.

And to echo a theme from earlier interviews, I think you're looking for "passion".  Is working with computers a job or a calling for your candidate?  Do they spend significant amounts of time (especially their own time) on continuing education?  I've often said that if I won the lottery tomorrow and didn't have to work for a living, I'd still keep on doing what I do just because I have so much fun with it. There are plenty of frustrations around what we do, so I think you've got to love it in order to get over the rough spots.

AFoD: So let's say that we have someone who has all of the necessary fundamental skills and passion to get into digital forensics work. Let's talk about how you think they should go about it.  What would you tell the high school student who wants a career in digital forensics?

What would you tell someone who already has an established career in information technology, but who wants to break into the field of digital forensics?

HP: One piece of the puzzle is having the necessary skills.  The question presupposes that our candidate has the necessary technical chops to handle the position.  But there's a difference between having a large body of technical knowledge under your belt and being able to apply it to an investigation.  Some sort of specific training in computer forensic tools and techniques plus some legal background to understand the laws as they apply to forensic investigations is clearly warranted. Obviously, I think SANS training is pretty darn good, but there are lots of other programs out there as well.  Caveat emptor.

Another important piece is getting some actual case experience.  This can be the hardest part for somebody trying to break into the field. If you're just starting out, then you'll probably have to pay some dues.  You might look into large e-discovery firms and contracting shops that do a lot of forensic work.  They're more likely to hire junior analysts.  Another avenue is law enforcement.  It seems like the FBI is interested in bringing on more qualified civilian employees in the computer forensics realm, and state and local law enforcement would probably like a few as well.

If you're already working in a company as an IT professional and would like to make the move into forensics, then you should start cultivating relationships with the people who do incident response for your company. In some cases, there might not be anybody currently in your firm who has that job.  In which case, you might talk to your own management about sending you to training so that you can become that person. There's lots of scare stories in the news these days that can bolster your case for creating an internal resource for forensics and incident response.

In the meantime, there are lots of forensic challenges out there that you can use to practice your skills.  If you do well in those challenges, it will be good resume material and will likely bring you to the attention of people who are needing to hire forensic experts.

Which brings us to career development item #3.  You need to start linking up with the community and getting your name out there. Networking is always the best way to find a job.  There's a really interesting forensics community developing on Twitter-- check out Joe Garcia's "Follow Friday" list for a good starting point to find people in the community.  Read what these people are saying and the links that they're posting (to their own research and others) and I guarantee you'll learn a lot.

But networking has to be more about giving than taking.  So start doing your own research and writing your own blog posts, white papers, etc.  There are a lot of great Open Source forensics projects that you can contribute to.  Log2timeline, regripper, and volatility are all examples of projects where you can easily contribute small modules to expand the power of these tools.  Or take on a bigger project-- such as adding support for a new file system type in the Sleuthkit, like EXT4 or XFS (both of which are desperately needed, IMHO).

Try and find local groups in your area-- whether tech groups, ISSA, InfraGard, HTCIA, or what have you-- and find other people with common interests.  Get some practice speaking in front of these groups. Submit talks to security conferences, BSides, etc.  If you're doing interesting work and can be articulate about it, you'll get a job.

And finally, never ever stop learning.  The computer industry in general is all about constant retraining because technology changes so rapidly.  The computer forensics field is so new that there's an enormous amount that we don't know and research to be done.  That means it's even more important to stay up on the latest knowledge. It's like the sharks that die when they stop swimming-- if you stop learning and updating your skills then your career is going to die. Celeste Stokely taught me, "Learn one big new thing every year." It's good advice and I've tried to stick with it.

AFoD: One of the things we discussed recently on Forensic 4cast was whether someone who is interested in going into digital forensics should pursue an actual degree in digital forensics or something broader like computer science.  As I think more about it, it seems if you have a burning desire to get into digital forensics and you want to gain some academic training, it's reasonable to get a degree from one of the handful of good programs that are available.  However, this isn't going to be an option for many people.

For example, take a high school student here in the United States who doesn't have a lot of money to spend on college or who wisely doesn't want to start their professional career with a six figure debt burden.  Those students might be limited to situations where they can get in-state tuition at a school in their state of residence, and those schools will likely not have a digital forensics program.  However, there are many state universities that have excellent programs in areas such as computer science and engineering.

What would you recommend for those students? Regardless of their degree option, what topics would you encourage them to study to become better digital forensic examiners?

HP: When I think of specific topics from my educational background that help me in my daily practice it would be things like programming, operating systems, compiler design, algorithms, and so on.  I went to a pretty "Ivory Tower" Liberal Arts school, so some of the really practical stuff I had to get on my own by hacking around in the school computer labs (much to the detriment of my GPA).  In fact, my major was actually math because my school only offered a minor in computer science and not a full degree program.  But I learned a lot from the math curriculum too-- like how to model problems and estimate the computational complexity/processing time requirements, and how to construct proofs and logical arguments.

And I think this latter part-- learning how to think about problems-- is one of the most important things you can get out of college. The specific technologies I studied in school (Pascal programming anybody?) are no longer in vogue.  But I "learned how to learn", I learned how to write, and I was exposed to a broad range of topics that end up helping at the oddest times.  Heck, the Shakespeare I studied in English Lit once helped me defuse a raging flame-war on an intra-company mailing list!

Undergraduate programs are your chance to get a broad background and explore lots of different subjects.  Use this time wisely. If you're able, I would recommend doing your undergrad at a smaller, teaching-focused school where you can get more one-on-one time with the faculty, as opposed to a big research university where you get lost in the crowd.  If you get really interested in a field and want to study it in depth, then get into a graduate program-- probably at a well-funded research university, if possible-- and really dive in to your research.

AFoD: Let's talk a bit about the current state of digital forensics.  What is your impression of where we are as a community? What do we do well and what do we need to get better at as a community?

HP: We are so young as a discipline!  It would be easy to focus on what we don't know, the tools that we wish we had, short-comings in different curricula, and so on.  But being a "glass is half-full" kind of person, I have to say that it's pretty amazing what we can do today as compared to a decade ago-- just take memory analysis as one example of many.  And we're getting better every day as the result of sterling work by the community.

What we're trying to do now is engineer solutions to problems on platforms where the vendors give us little or no direct support or documentation.  In the late 70's and early 80's, Unix people were faced with a similar situation vis-a-vis a lack of Unix support from AT&T.  My people dealt with the problem by creating a community to share information that they had gleaned through their own research.

We're starting to see some of that in the forensics community, but we need to do more.  I'd like to see an ecology of forensics gatherings at least as rich in number and variety as the conferences for people who are interested in breaking systems.  And I'd like to see more forensics gatherings that are not sponsored by a single vendor of forensic tools, and which avoid government entanglements that inhibit the free flow of information.  Let me be clear that I'm not looking for people to share IoC's or technical details from actual cases.  I'd just like to see us sharing basic "block and tackle" type technology notes that will make everybody's lives easier.

We need better cross-platform tools.  The mature tools in the field run largely on Windows and do a good job analyzing Windows-- Mac and Linux, not so much.  The Mac folks have a bunch of tools for analyzing Macs (and other Apple devices) that largely only run on the Mac platform.  Linux wizards mutter arcane command-line incantations and make data appear.  I shouldn't need three different computers to do my job! And that's not even counting the mobile device insanity that's already threatening to overwhelm us.  I have a feeling that things are going to get worse before they get better here, because everybody's so focused on simply understanding all the details of their chosen platforms, but it really does make life hard for analysts who have to deal with cases involving multiple platforms.

And I think we have some more "bridge building" to do.  Within our own community we have people with a background in law enforcement or from a military service academy.  And then there are folks like me coming at this out of the "computer geek" community.  Both sides are still trying to understand where the other is coming from and what valuable stuff each side is bringing to the party.  But then there are also all of the external communities we touch: law enforcement, the Bar, Human Resources and other corporate gatekeepers, and even just normal citizens who have need of our services.  There's a lot of education and outreach that needs to be done so that these folks understand what we do and what help we can provide, and increase our understanding of what they need from us.

AFoD: You've been involved in the information security and digital forensics communities for a long time.  This has given you a unique position where you have had considerable exposure to people who have come into digital forensics from different paths, whether from law enforcement or a more traditional information security background. What have you learned about the differences between a law enforcement perspective on digital forensics compared to an information technology perspective? Are there any differences that you can see?

HP: From my perspective at the far end of the "nerd" part of the spectrum, I see a lot of differences.  One basic thing I really respect about my law enforcement colleagues is their ability to manage their case loads. As an IT person, I was always proud of my ability to "multi-task" and juggle multiple projects simultaneously.  But I realize now that I had nothing on an attorney who is simultaneously managing a couple of dozen cases all headed to trial or plea agreements on different schedules, or my LE friends who are having to work so many different kinds of crimes in parallel.

I've also gotten a terrific education from the LE and legal side of the house on what evidence is useful and relevant, as opposed to stuff that I think may be cool from a technical perspective, but which doesn't help them make the case.  This has helped me streamline my investigations, as well as my report writing.

Now the plus side of my being a computer person, and the reason I get called in to help on cases, is that I can often extract evidence that the LE folks lack the skills or processes to get at.  Sometimes I have to create new tools to do this, which is something I'm comfortable with because I'm confident around information technology.  The dark side of this ability, though, is that sometimes we computer folks get sucked down technological rat-holes, where we spend a huge amount of time producing evidence that doesn't really end up being that useful.  Somebody with less computer skills, but with more case experience might just move on to some other, more fruitful portion of the analysis.  Letting go of an interesting technical challenge and moving on to another piece of the investigation is a skill I'm only slowly getting hold of.

On the other side of the coin, I see my LE friends spending so much time on manual tasks that could be solved by a little scripting.  Like many people who aren't primarily technologists, they don't know what things should be easy to do with technology and what's hard-- or they just don't have the skills to implement solutions.  I once helped an agent who was manually cutting and pasting EXIF data from an image viewer into a spreadsheet-- about 30 minutes of my tinkering with awk and shell and the output of exiftool saved countless hours of investigator time.  It's a huge compliment to me when the LE guys say, "We like having Hal around, because he gets things done faster."
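The anecdote above is about replacing manual copy-and-paste with a short script. The block below is an added illustration of that idea; it is not Hal's awk/exiftool script and does not come from the page. In practice you would simply run exiftool with its CSV output option over the image directory; this example instead carries a minimal hand-written EXIF (TIFF/IFD) parser so that it runs offline, and the JPEG inputs are constructed fixtures (a bare Exif APP1 segment, not real photographs). The tag numbers are the standard EXIF values for Make, Model, the ExifIFD pointer and DateTimeOriginal; all function names are mine.

```python
"""Added example: batch EXIF extraction to CSV with a minimal hand-written parser.

Not Hal Pomeranz's script. A real job would use `exiftool -csv`; the parser here
exists only so the example runs offline on constructed sample files.
"""
import csv
import io
import struct

# Standard TIFF/EXIF tag numbers and field types (from the EXIF specification).
TAG_MAKE, TAG_MODEL, TAG_EXIF_IFD, TAG_DATETIME_ORIGINAL = 0x010F, 0x0110, 0x8769, 0x9003
TYPE_ASCII, TYPE_LONG = 2, 4
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
COLUMNS = ["file", "make", "model", "date_time_original", "note"]


def _read_ifd(tiff, offset, endian):
    """Return {tag: value} for one Image File Directory; stops quietly on truncation."""
    entries = {}
    if offset + 2 > len(tiff):
        return entries
    count, = struct.unpack_from(endian + "H", tiff, offset)
    for i in range(count):
        pos = offset + 2 + 12 * i
        if pos + 12 > len(tiff):
            break  # truncated IFD: do not read past the buffer
        tag, typ, n, raw = struct.unpack_from(endian + "HHI4s", tiff, pos)
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:
            data = raw[:size]  # values of 4 bytes or fewer are stored inline, left-justified
        else:
            val_off, = struct.unpack_from(endian + "I", raw)
            data = tiff[val_off:val_off + size]
        if typ == TYPE_ASCII:
            entries[tag] = data.split(b"\0", 1)[0].decode("ascii", "replace")
        elif typ == TYPE_LONG and n == 1 and len(data) == 4:
            entries[tag], = struct.unpack(endian + "I", data)
        else:
            entries[tag] = data
    return entries


def _parse_tiff(tiff):
    """Parse the TIFF structure inside an Exif APP1 payload; None if malformed."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return None
    magic, ifd0_off = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 42:
        return None
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    exif_ptr = ifd0.get(TAG_EXIF_IFD)
    exif = _read_ifd(tiff, exif_ptr, endian) if isinstance(exif_ptr, int) else {}
    return {"make": ifd0.get(TAG_MAKE, ""), "model": ifd0.get(TAG_MODEL, ""),
            "date_time_original": exif.get(TAG_DATETIME_ORIGINAL, "")}


def extract_exif(jpeg):
    """Walk the JPEG marker segments and return the Exif fields, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if 0xD0 <= marker <= 0xD9:  # stand-alone markers (RSTn, SOI, EOI) carry no length field
            pos += 2
            continue
        length, = struct.unpack_from(">H", jpeg, pos + 2)
        segment = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and segment.startswith(b"Exif\0\0"):
            return _parse_tiff(segment[6:])
        if marker == 0xDA:  # start of scan: only image data follows
            break
        pos += 2 + length
    return None


def exif_rows(files):
    """files: iterable of (name, bytes). One row per file, even when Exif is missing."""
    rows = []
    for name, data in files:
        info = extract_exif(data)
        if info is None:
            rows.append({"file": name, "make": "", "model": "", "date_time_original": "",
                         "note": "no Exif APP1"})
        else:
            rows.append({"file": name, **info, "note": ""})
    return rows


def to_csv(rows):
    """Render rows as CSV text ready to open in a spreadsheet."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def build_sample_jpeg(make, model, date):
    """Constructed fixture: a JPEG holding only an Exif APP1 segment (not a real photo)."""
    ifd0_off, exif_off, data_off = 8, 50, 68  # header 8 | IFD0 42 bytes | ExifIFD 18 bytes | strings
    data = b""

    def ascii_entry(tag, text):
        nonlocal data
        payload = text.encode("ascii") + b"\0"
        if len(payload) <= 4:  # short value: stored inline in the entry
            return struct.pack(">HHI", tag, TYPE_ASCII, len(payload)) + payload.ljust(4, b"\0")
        off = data_off + len(data)
        data += payload
        return struct.pack(">HHII", tag, TYPE_ASCII, len(payload), off)

    ifd0 = struct.pack(">H", 3) + ascii_entry(TAG_MAKE, make) + ascii_entry(TAG_MODEL, model)
    ifd0 += struct.pack(">HHII", TAG_EXIF_IFD, TYPE_LONG, 1, exif_off) + struct.pack(">I", 0)
    exif_ifd = struct.pack(">H", 1) + ascii_entry(TAG_DATETIME_ORIGINAL, date) + struct.pack(">I", 0)
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off) + ifd0 + exif_ifd + data
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    samples = [("IMG_0001.jpg", build_sample_jpeg("Canon", "Canon EOS 5D", "2010:12:11 09:30:00")),
               ("IMG_0002.jpg", build_sample_jpeg("Nikon", "D90", "2010:12:12 18:05:41")),
               ("notes.jpg", b"\xff\xd8\xff\xd9")]  # no metadata at all
    print(to_csv(exif_rows(samples)), end="")
```

The parser bounds-checks every IFD read and degrades to empty fields on a truncated segment rather than raising, which matters when the same script is pointed at carved or partially recovered files; the "note" column records files with no Exif block so the spreadsheet shows what was not found as well as what was.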

AFoD: You're bringing up a point that I'm seeing emphasized more and more by people in the top tiers of the profession.  Conducting an efficient investigation that answers specific questions that our customers want answered is the core of what we should be doing in digital forensics, isn't it? How do you go about scoping out and planning your investigations so that you get your customers what they want?

HP: I think the type of engagement has some bearing on whether you're targeting specific questions or going for a more holistic approach. Lately I've been doing a lot of "lead generation" work for law enforcement, and that's definitely about honing in on very specific kinds of information.  E-discovery is much the same-- winnowing out particular types of information your client is interested in from huge volumes of data.  On the other hand, if I were working up a report on a system that was going to be crucial in a court case, I would want to do a more thorough job just to make sure I got at all the evidence: both inculpatory and exculpatory.

As far as the scoping question goes, I think the key is high levels of communication and short turn times.  With my law enforcement clients we'll start with a briefing for me on the particulars of the case, and I'll try and understand from them what sorts of information they're interested in.  For example, if they're looking for a pattern of on-line behavior, then I'll probably focus my initial efforts on browser artifacts, on-line chat, email, and so on.  If they need attribution data then maybe I'll look more at network data timelines, file meta-data, contact lists, the social networks, and so on.

This is not to say that I won't work up other data from the system, but I want to get into the case as quickly as possible and start extracting data.  I then take the data that I've found in my first pass which I think is "interesting" and show it to the client.  Maybe they say, "Great! We want more of that", or maybe it's uninteresting. Either answer helps guide my investigation.  Also, of course, evidence that I turn up sparks a whole new line of thought which may lead to them asking me for other kinds of information.

At this point I return to the images I'm analyzing for another pass.  That will turn up more information that I'll take back to the client, and so on.  Early on in the investigation I may talk with the client multiple times per day if they can spare the time. As we go through more cycles, we figure out more clearly the kinds of data we're interested in, and I need to interact with the client less often because I know what they're looking for.

Even if I don't need guidance on what to look for, however, I still like to give the client quick updates on what kinds of information I'm finding, just to keep them up-to-speed on how the investigation is proceeding.  This is just quick status updates, mind you-- possibly via short emails rather than live conversations-- I'll typically save full detail for the report.

The other advantage to these status updates is that it makes it pretty clear to everybody when we've reached the "point of diminishing returns" in the investigation.  Everybody's cost-conscious, and clients really appreciate it when they feel like you're looking out for their bottom-line.  They tend to remember things like that when they're needing to hire somebody to help with the next investigation.

AFoD: I'd like to discuss the topic of criminal defense work in the digital forensics community. I have observed an increasing resistance to the "pariahization" of digital forensics people who do criminal defense work.  When I first entered the field, there wasn't much pushback on the idea that examiners who engaged in criminal defense work had gone over to "the dark side" and that it was essentially acceptable to push these examiners to the margins of our community. Now I'm seeing that attitude becoming much less prevalent. I suspect this is because we are seeing more people in the law enforcement community leave to start second careers in the private sector.  I also think one of the things that is causing a change in attitude is that we have more people from the traditional information security world entering the digital forensics field who don't view forensics through the lens of the justice system. This gets back into our previous discussion about the differences of people who enter the digital forensics community from an information technology background as opposed to a law enforcement one. What are your thoughts on digital forensic examiners who engage in criminal defense work?

HP: Maybe it's because I'm coming at this from a non law enforcement background, or maybe I'm just hopelessly naive, but it seems to me that forensic analysis should be first and foremost about science, and not about choosing sides.  Prosecution or defense, we as analysts should report on observed facts.  Where we're required to draw conclusions based on our observations, we need to be aware of our biases and avoid letting them distort our findings.  And because we sometimes have to make judgments based on incomplete evidence, it's incumbent upon us to acknowledge the gaps in our understanding and be scrupulous in our research and experimentation.  As scientists we should welcome peer review and encourage transparency.

Also, I was raised to believe in "innocent until proven guilty", and that everybody is entitled to a "robust defense" regardless of their ability to pay.  To me that means that the defendant should also have access to the same level of forensic experts that the prosecution enjoys and not just the people who have "lowered themselves" in some way to work defense cases.

OK, that's the "perfect world" view anyway.  The history of jurisprudence is littered with examples of witnesses, forensic analysts (both digital and traditional), attorneys, and law enforcement personnel who have-- intentionally or otherwise-- manipulated a case and achieved an outcome that was directly contradicted by the available evidence.  And rising legal costs mean that justice can be trumped by deep pockets.

I don't know how to solve these problems in our current justice system. But I do think that reducing the adversarial nature of the current system would be a good first step.  Shouldn't a trial be a collective search for the truth rather than a slap fight?  Wouldn't cooperation reduce costs for both sides?

As forensic analysts, we can't control how attorneys, judges, and other members of the justice system behave, but we should at least begin by unwinding artificial "us vs. them" divisions in our own field. Let's not ostracize fellow practitioners based on the types of cases they work on.  Instead, let's grow the size of our community so that we can expose-- through peer review and science-- those members who act unprofessionally or unethically regardless of which side of the aisle they're currently sitting on.

AFoD: What can we expect to see from you in 2011?

HP:  The SANS Forensics curriculum is just exploding in popularity and all of the qualified faculty are scrambling to meet the demand.  As an independent, I've got a bit more "flex" in my schedule than some of the other faculty who've got full-time employers, so I expect to be teaching more for SANS in 2011.  In particular, I seem to be picking up some of the dates for Lenny Zeltser's excellent Reverse Engineering Malware class--particularly the international training.  Also, Chad Tilbury and I are co-teaching For508 via SANS' vLive! distance-learning technology later this year, and I'm really looking forward to that.

I'm also getting out to some non-SANS forensic events in 2011. For example, I'm giving a couple of talks at the DoD Cyber Crime Conference in January, and a couple more at CEIC in May (apparently I need to find a non-SANS venue for the Fall as well).  And while I'm on the road so much, I've been trying to make appearances at various local user groups-- for 2011 I've got confirmed dates to speak at the ISSA meeting in Tacoma, WA, NECERT's Cyber Security Forum in Omaha, and the Linux User Group in Boulder.  (You can follow my travels on the Deer Run Associates home page.)  There are so many folks that I've been corresponding with via email and Twitter that I'm hoping to meet in person in 2011!

I've also got a plan to continue writing articles for the SANS Forensics Blog every 4-6 weeks.  I've got a backlog of topic ideas-- it's the research and the writing that can be difficult to find time for!  For example, there's at least two more articles planned in the series I started recently on EXT4.  And of course there's the weekly Command Line Kung Fu blog that I'm co-writing with Tim Medin.

The big one, however, is that I promised Rob Lee I'd develop a Linux Forensics class for SANS.  This is a huge undertaking-- hundreds of hours of work-- that I need to find time for in 2011.  I'm cheating a bit in that the research, blog posts, and presentations I'm doing lately are all development work that's going to end up feeding into the final version of the Linux Forensics class.  But it's still going to be a massive effort to give birth to this baby.

Wednesday, December 22, 2010

Thank You

I want to thank everyone from the bottom of my heart for their generous support of the blog this past year. From about the time I first started in digital forensics, I've been active in communicating with my peers through forums and all of the great email lists that we have available to us. I decided to start this blog so that I could have a more permanent place to store things that I  wish to share with the community. When I started it, I didn't know how well it would be received given the number of excellent blogs in the information security and digital forensics space. I've been amazed and humbled to see the blog’s metrics in areas like monthly page views increase from being counted in the dozens to the thousands.

My hope is that I will continue to meet and exceed your expectations in 2011. To that end, I have some excellent interviews that I'm hoping to accomplish, including ones that are almost complete with people such as Hal Pomeranz and Ryan Pittman. I will use next year's interviews to do things like introduce to you people in the community who you might not know and to promote the excellent work of others. I will continue to blog about the issues of the day that impact our community, such as regulatory issues. I will also use the blog to share my research efforts. For example, I am hoping to start on a memory forensics project next year.

I will also start using the blog to periodically post book reviews that I will be placing on the Amazon website. For example, I expect to get a proper review completed for Hacking Exposed Wireless, Second Edition early next year. I’m finding writing book reviews to be a new challenge that I’m happy to pursue. A good book review needs to be pithy, but also provide the reader with more than simply saying, “This is a great book. You should buy it.” 

As always, I’m particularly grateful to those who take the time to leave comments on the blog or to contact me privately. It means a great deal to those of us who blog to get feedback and suggestions from our readers. Thank you very much for your support this year. Merry Christmas and Happy New Year to you all!

Saturday, December 11, 2010

Standing Athwart Information Technology

I read a discussion recently where a group of very sharp information security professionals were discussing the topic of deploying mobile devices in an enterprise environment. The discussion quickly turned to a variety of "what if" scenarios that we love to do in information security. During this discussion someone made the excellent point that we could "what if" almost any bit of technology to death and come up with reasons why adopting that technology is a bad idea.

One of the classic faults of information security people is to automatically look for reasons to tell our customers not to deploy new technologies, or to greatly limit their usefulness if deployed. Security people are fantastic at coming up with reasons not to do something and creating sometimes elaborate doomsday scenarios that could come to pass if our advice is not taken. While it is understandable that a community of people who spend their careers thinking about and responding to serious security incidents would think like this, it is not an attitude that is in the best interest of our customers.

Our job as trusted advisors is to facilitate the secure use of technology. As information security professionals, we should not be standing athwart information technology yelling stop. It is not good for our customers and it is not good for our careers. We are in a time of rapid and exciting technological advances, whether it is something such as "Cloud Computing", social networking, or mobile device technology. We should be technology enablers rather than preventers.

The invaluable Mike Cloppert wrote a fantastic piece recently where he argued that we should be working to enable “Cloud Computing” for our customers rather than working against it in the name of fear of the unknown. We should take this same attitude with mobile device technology. It’s here now and it is a very powerful tool for our customers to utilize in advancing their objectives. As digital forensics and information security professionals, we should be continuously looking over the horizon to discover and understand technological advances early so that we can work with our customers to adopt, secure, and maximize their potential.

In the digital forensics community, we have been paying a lot of attention to mobile devices because they are playing an increasingly important role in our investigations. Because we’ve spent so much time studying this technology, we are in an excellent position to not only work with our customers to secure it, but to encourage them to adopt it.

We live in an era where powerful mobile devices are cheap and accessible to large numbers of people. We’re also entering an era of widely available high speed data connections for these devices. For example, Sprint has had their high speed mobile network up for some time now and Verizon’s LTE network just came online. This means there are going to be millions upon millions of people around the world with inexpensive, portable, and powerful devices that will be connected to increasingly fast and affordable data networks. We should be encouraging our customers to quickly embrace this technology so as to obtain an advantage over their competitors. As Margaret Thatcher might advise us, this is no time to go wobbly.