Wednesday, June 15, 2011

An Interview with Jake Jacobson

One of the many reasons I enjoy doing interviews for the blog is that I get to introduce the readers to people they normally might not know about. There are so many people in the information security and digital forensics field who are both amazing and relatively unknown. Mike “Jake” Jacobson is one of those people. I’ve known Jake from back in his RCFL days and I really enjoy talking with him about the issues of the day. He’s a tremendously sharp fellow and his current employer is lucky to have him. Since his current employer is the United States government, we’re all fortunate to have him and his team chasing bad guys on our behalf. I hope this interview illustrates why I think so highly of Jake and the work that his team does.

Professional Biography of Mike “Jake” Jacobson

I started cleaning ambulances when I was 14. By 18 I was an EMT and a Paramedic by 19. At age 20 I enlisted in the Marine Corps as a military policeman, where I spent six years on active duty, eventually specializing in accident investigation and reconstruction. Upon separation, I was hired by the Overland Park Police Department as a patrol officer. In 2000, I helped form the department's first full time high-tech crime unit while we were actively surveilling a serial killer. Those were interesting times. In 2003, I was transferred to the Heart of America Regional Computer Forensic Laboratory. I received Windows and UNIX CART certifications and also served as the operations manager for four years. In 2008, I was promoted to Sergeant, so back to patrol I went. In 2010 I decided it was time to look for new opportunities. Through a friend at the RCFL, I was introduced to Eric, who inspired me to go big.

I've learned many lessons through the years: You can't rinse a soapy ambulance in sub-freezing weather, the military is good for you, being poor in hardware, software, and professional training can be inspiring if you have a passion for what you do.

Today, I work for the federal government, where I'm very focused on managing workload as efficiently as possible without impacting quality. I believe we owe it to the taxpayers – and I'm one of them – to produce actionable results cost-effectively. My experience making do with so little continues to influence how I view my job responsibilities.

AFoD: So what led you into digital forensics? Was it primarily your serial killer case or had you been thinking about it previously?

JJ: Thankfully, I’d been preparing for that day for five years. In 1995, my police department felt my computer knowledge was sufficient to send me to a basic computer forensics course taught by SEARCH. In the course of one week, I realized how much I didn’t know. I had so much to learn and I couldn’t wait to begin. It would be almost five years before my next formal training in computer forensics. In hindsight, that was probably for the best.

For the next five years I devoured any information I could find on technology and computer forensics. I learned how the Internet worked by reading an O’Reilly book on DNS, email headers from a book on stopping spam, and a SAM’s book on HTML 4. I discovered a fantastic tutorial on how IP addressing works and read the entire “PC Maintenance and Repair” book. That was NOT exciting. I learned a lot about SCSI, which was really quite valuable back then, and some useful hacking techniques. I sold our District Attorney on sponsoring a local HTCIA, which I promptly joined. I also took computer, programming, database, and networking courses at the local junior college. You name it, I enrolled in it.

My eclectic education may have lacked a lot of specific digital forensic training, but I certainly gained a wide range of knowledge. When the big one hit, I was ready.

AFoD: How did working in the RCFL differ from working in your home agency's digital forensic unit?

JJ: The difference between an operation consisting of two people and an RCFL is significant. My department’s unit was well supported, but Jim Castaldo and I still needed to be resourceful to accomplish the mission. We were a hybrid unit tasked with the full investigation of computer crimes, audio/video forensics, and Internet crimes. We needed to be scrappy to get what we needed, especially forensic-specific training.

Conversely, the RCFL program is huge, consisting of 16 RCFLs throughout the United States. It’s designed to support federal, state, and local agencies and has a large, centralized support unit to handle administration, operations, and training.

The Heart of America RCFL had 16 examiners on board by the end of 2008. If my memory serves, we exceeded 600+ intakes that year. The RCFL is like hitting the forensic examiner’s lottery. The wealth of software and equipment is ridiculous and the training opportunities just get better every year, not to mention the great people with whom you work. Unfortunately, to manage the intake, an RCFL has to operate much like an assembly line. Support personnel handle the network, hardware, and software, distancing the examiner from some very valuable experience. On the plus side, examiners receive a heavy caseload with a wide variety of cases.

Small units just can’t compete with the RCFL’s embarrassment of riches. A well financed operation isn’t inherently “better.” Each RCFL is slightly different, and their performance and output quality vary. Building a lab from the ground up is an invaluable experience, but so is learning to manage and work within a high-speed, assembly line environment and finding a way to maintain quality. In the end, it doesn’t matter whether you’re large or small, law enforcement or civil, rich or poor. If you seek the truth, maintain your integrity, and strive to provide a quality work product in a timely manner, that’s all that matters.

AFoD: Can you explain what your present job is? Do you get the chance to do any digital forensics work or are you primarily in a management role now?

JJ: I’m the director of a digital forensics laboratory for an agency within a cabinet level department of the federal government in support of law enforcement. By the way, the opinions and ideas I express in this interview are my own. I manage digital forensic examiners, strive for peak efficiency while maintaining quality, manage a budget, study trends (i.e. gaze into the crystal ball), track statutory regulations and try my best to keep pace with emerging technologies. I apologize for the resume-speak, but that seems to capture the core of what I do with as few words as possible.

Right now, management duties have limited my forensic work, but perhaps that will change as time passes. I think it’s important to maintain some level of skill to better understand whether my performance expectations remain realistic and my budget planning appropriate.

AFoD: You've been spending a considerable amount of time during the past year researching data mining and digital forensics. Can you talk about what you've been doing and what you've learned?

JJ: Lately, I’ve been looking at ways to apply the data mining process to best serve my Investigation Division’s needs as well as how it might positively impact digital forensic investigations.

The data mining bug bit me last July shortly after I brought in an employee from a data analysis division. I was curious how her data analyst skills would fare against a web server database one of my examiners had extracted. Within hours, she’d discovered significant financial anomalies in the database. Wait. What? How did she do that so fast? What software did she use? (Hyperion Intelligence) Where did she learn about data analysis? How does this provide added value to my agency? And how does any of this advance digital forensics? I had a lot of questions, few easy answers, and the excitement of knowing I might be onto something important.

Data mining is old news. It’s been around for some time, but only recently has it become so accessible. First, we need to define what data mining is and what it is not. There are a number of definitions, but they’re all quite similar: Data mining is the use of automation and/or machine intelligence to extract useful, often previously unknown information from data sources, primarily databases. Data mining is an algorithmic process, whereas data analysis is a human process. Too often data analysis is incorrectly referred to as “data mining”. Digital forensic examiners are not data mining – they are neither computers nor algorithms – they’re conducting an analysis of data using advanced tools. As an example, FTK 3x has at least one data mining algorithm known as explicit image detection, but serves primarily as a tool for data analysis.

I’m going to reference AccessData’s (AD) FTK 3 simply because I know little about EnCase v7 and FTK has a database backend. It fits the subject matter quite well. I’m not affiliated with AD and receive nothing of real or imaginary value from them unless I pay full price for it. For those of you who wish to advocate other tools (and you know who you are), please feel free to email Eric.

A data mining operation requires data sources and a central repository/database. Mining data is an automated process, so your data must be organized and standardized. Next, you’ll need to conduct research to determine with which data attributes your model will interact. You’ll need to run your algorithm against a set of data and compare your results to the test set. Although one might be tempted to call a search “data mining”, a data mining algorithm is far more complex.

I think this example will help: During the pre-processing phase, FTK will search for, recover, and dump all graphics under one tab. FTK’s Explicit Image Detection algorithm data mines graphics for flesh tone attributes. The algorithm calculates gradient values and scores its probability based upon statistical analysis. Data mining is a complex tool capable of prediction and analysis, yet it can’t differentiate an adult from a child. This model’s value is its ability to narrow the examiner’s focus, thereby improving efficiency. If you’re worried it might miss something, just remember; the algorithm doesn’t eliminate, it only scores. An analyst can quickly scan the segregated, lower scored graphics and easily identify the outliers from the noise. That’s its strength.

As another example, i2’s Workstation social network data mining model is impressive. Those of you who’ve worked a pen trap investigation have used some type of visualization software, often Analyst Notebook. The social network algorithm determines an organization’s hierarchy based on call frequency and call direction, an incredibly valuable tool. This is something an analyst may miss due to the typically large data sets involved in many pen register investigations. Again, this doesn’t mean the algorithm’s qualitative evaluation is 100% correct; however, the quantitative results are correct and immediately available for further analysis. Once again, data mining helps narrow the focus, potentially eliminating countless man-hours evaluating the results.

An example of the importance of data visualization is this article on Edward Tufte, published by the Washington Monthly. Also, take a look at these graphs of 311 calls in New York City. As you can see, its value and impact are immediate. I also suggest searching for: “determining the author of anonymous email through data mining” and “data mining text using unsupervised discovery”, to get a far more technical grasp on data mining.

Another fantastic example of data mining is Microsoft’s PhotoDNA. They developed an algorithm that identifies child pornography graphics, even if they’re altered in some manner. After testing it against a known set and tuning it, they let it loose with incredible results. Here’s a link to a quick video that shows how it all works.

A potential target area for data mining is unallocated space and timelines. Google is a fantastic example of free-text mining. Imagine the statistical evaluations necessary to identify and de-rank content farms from legitimate, quality sites (thank you, Google). If Google can differentiate between a content farm and a legitimate site, or an original content site vs. the article spinning sites, I think it’s possible to develop a problem definition for unallocated space.

I’d be remiss if I didn’t point out that data analysts are a critical part of the data mining equation. Data mining results are the product of extensive research, but the results must be evaluated and the algorithm periodically tuned to increase value and accuracy.

I hope I've provided an adequate overview of data mining's potential in digital forensics and eDiscovery. The key is to get past the idea of a basic search and the linear progression examiners take when tackling a data set. Of course, we mere humans need to approach large data sets with a plan or we'll just get lost in the data, and deviation is necessary and inevitable. Data mining simply reduces the noise and presents visual clues that will increase our ability to process or eliminate data more effectively and efficiently. 

I have a lot more questions than answers on how we might apply data mining principles to digital forensics. There's so much more to data mining than we can discuss here. It's a fascinating field of research and of great value to your agency, whether in digital forensics or other areas.

Here are some books I've read or I'm reading. I tend to read and listen to a variety of source material to further my education. Remember, I'm a manager:

I'm a fan of Malcolm Gladwell's analytical thinking:

The Tipping Point – If you're in narcotics, i.e. investigating it, take a look at chapter 2 on connectors.

Outliers – A fascinating look at the power of analytical thinking; apropos to our subject.

Head First Data Analysis – Some interesting search theory that might improve your searching skills. Over all, this is a good reminder that data mining is of little value without a properly trained, highly competent analyst. 

Data Mining Explained: A Manager's Guide to Customer-Centric Business Intelligence – A great overview of data mining and its potential.
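As an added illustration of the call-frequency and call-direction idea Jake describes above (example code written for this post, not i2’s algorithm and not anything from the interview), the script below profiles a constructed set of pen-register style records, gives every number a hub score rather than eliminating any, and applies a simplified, assumed rule that the party initiating most of the calls in a pair sits below the other. The records, the scoring formula and the direction rule are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed pen-register style records for illustration:
# (calling number, called number, duration in seconds). Fictitious 555 numbers.
CALLS = [
    ("555-0101", "555-0199", 40),
    ("555-0102", "555-0199", 65),
    ("555-0103", "555-0199", 30),
    ("555-0199", "555-0150", 120),
    ("555-0101", "555-0102", 20),
    ("555-0104", "555-0199", 15),
    ("555-0199", "555-0150", 90),
    ("555-0102", "555-0104", 10),
    ("555-0150", "555-0199", 45),
]


def call_profile(calls):
    """Per-number quantitative facts: calls placed/received and distinct contacts.

    These counts are the part of the result that is simply correct; the
    interpretation layered on top of them is where the analyst comes in.
    """
    placed, received = Counter(), Counter()
    out_contacts, in_contacts = defaultdict(set), defaultdict(set)
    for caller, callee, _duration in calls:
        placed[caller] += 1
        received[callee] += 1
        out_contacts[caller].add(callee)
        in_contacts[callee].add(caller)
    numbers = set(placed) | set(received)
    return {
        n: {
            "placed": placed[n],
            "received": received[n],
            "out_contacts": len(out_contacts[n]),
            "in_contacts": len(in_contacts[n]),
        }
        for n in numbers
    }


def rank_hubs(profile):
    """Score every number by how many distinct parties call it, weighted by the
    share of its traffic that is inbound (assumed heuristic for illustration:
    people call up to the person who matters). Every number keeps a score and
    stays in the list; the ranking narrows focus, it does not eliminate."""
    scored = []
    for number, p in profile.items():
        total = p["placed"] + p["received"]
        inbound_share = p["received"] / total if total else 0.0
        scored.append((number, round(p["in_contacts"] * inbound_share, 2)))
    scored.sort(key=lambda item: (-item[1], item[0]))
    return scored


def infer_reporting_lines(calls):
    """Pairwise direction rule (assumed, simplified): when one party initiates
    strictly more of the calls between two numbers, it is placed below the
    other. Returns a set of (subordinate, superior) pairs for the analyst to
    confirm or reject against other evidence."""
    directed = Counter((caller, callee) for caller, callee, _ in calls)
    lines = set()
    for (a, b), a_to_b in directed.items():
        b_to_a = directed.get((b, a), 0)
        if a_to_b > b_to_a:
            lines.add((a, b))
    return lines


if __name__ == "__main__":
    profile = call_profile(CALLS)
    for number, score in rank_hubs(profile):
        print(f"{number}: hub score {score:.2f}  {profile[number]}")
    for subordinate, superior in sorted(infer_reporting_lines(CALLS)):
        print(f"{subordinate} appears to report to {superior}")
```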

AFoD: I think that’s one of the most approachable answers that I’ve seen in regards to explaining data mining. Let’s drill down into the practical application issues. Does implementation of data mining tools and methods require that organizations hire people who have a specific background in areas such as data mining and databases? Can it be done with existing staff such as traditional incident responders and digital forensic examiners?

JJ: Good question Eric. I think we all have a lot of pride in our hard fought knowledge and tend to believe there’s nothing we can’t figure out or accomplish given enough time. Writing an effective data mining algorithm may be that line in the sand many of us can’t reasonably expect to cross. Data science seems populated by people with PhDs and engineering level math skills. Although most of us could develop a model, collect data for algorithm development and testing, manage a database and format the data, most of us will have to wait for FTK and EnCase to provide us with additional data mining functionality, or hire a contractor.

We have an important role to play in advancing data mining and data visualization tools by engaging our preferred vendors in conversation about these capabilities. Once examiners become comfortable with data mining concepts, I think they’ll look at their datasets and forensic environment in a new way. We can also learn a lot from data analysts, who may be especially adept at complex search techniques.

AFoD: There is a tremendous amount of technical change occurring in consumer level computing such as increasingly inexpensive and sophisticated mobile devices and associated cloud computing services. How do you see all of this change impacting the digital forensics field?

JJ: We’re witnessing an important revolutionary shift in how we think about and use digital technology. The Internet is nearly as ubiquitous, inexpensive, and accessible as electricity. Computer processing power and traditional digital storage is now a commodity, and flash storage is the new star of the show. Combine all of this with highly portable, intuitive devices and suddenly the computer becomes a toaster.

As an example, Apple’s upcoming iOS5, iCloud, and current crop of devices are an example of form, functionality, and user experience over features and raw speed. The ability of normal (non-geek) users to create, consume, and access data across multiple devices through seamless and transparent use of the cloud may well be a significant shift in behavior. We’ll have to wait and see how it all plays out. An SSD drive with native encryption will be a challenge, not to mention their other tendencies once powered up on a different device. As people become more concerned and better educated about security, they’ll become more comfortable with whole disk encryption. I’d venture to say there will be more live acquisitions and a big focus on cloud data in our future. After all, let’s not forget Amazon and Google.

From an Enterprise standpoint, Microsoft still has a lock on the enterprise. On one hand, you’d think much should remain familiar to us for quite some time, but that could change based upon new product lines. If it improves the bottom line, change will happen quickly. Don’t forget the rapid emergence of “the cloud” as an alternative to some in-house functionality, which has already changed how some of us do business. Another example is Google’s ChromeBook. I wonder if it will find its place in some portion of the enterprise as well as some homes and schools. How will we respond to these changes and how will they affect what we do?

It seems like everything changed overnight. Of course, that’s not the case. Microsoft’s PhotoDNA is a remarkable data mining tool that will make it much more difficult for child pornography to proliferate unchecked, yet it won’t eliminate the bad actors. Instead, investigators will have to adjust as the bad guys adapt. Likewise, consumer and enterprise advances by Apple, Google, Microsoft and WebOS will almost certainly require us to adapt and respond differently than we have in the past.

We best not ignore these changes and assume our jobs won’t change in some way. Don’t be lulled by the lag we see in intake from what’s actually occurring in real-time. Each of these advancements will have an impact on us; many sooner rather than later. I regretted being unable to attend the recent SANS Summit to hear others’ opinion on these changes. Obviously, I don’t believe we’re going to be rendered obsolete quite yet; however, we better have our eyes and ears wide open, prepared to try new processes and procedures, and willing to transition to new ways of operating as budgetary realities and technological advances dictate. We need to be flexible and be prepared to diversify.

I hope I imparted some useful information and sparked some interest in data mining. If you have such an operation within your organization, I encourage you to seek them out. I think you’ll be surprised at many of the similarities. We can learn from data analysts, and they’re often just as fascinated in what we do. Even though there are many changes on the horizon, we’ll still have to deal with big datasets for quite some time. I think we can learn a lot from data mining principles, visualization tools, and data analysis techniques.

Sunday, June 12, 2011

Thank You!

What was more surprising than being nominated for a Forensic 4cast award for Best Forensic Blog was actually winning the award when it was presented last week at the SANS Forensic Summit in Austin, Texas. I’ll try to resist nurturing my inner Sally Field with this post, but I’m deeply humbled and appreciative for the award and grateful to all who voted for the blog. I’d also like to thank all of the people who have generously granted me the opportunity to interview them for the blog. The interviews have been a considerable amount of fun for me to do and they are a nice way of injecting other people’s talents and energy into the overall effort.

Go Team

A recent article reported that one in four hackers in the United States are actually informants for the FBI and Secret Service. I tend to be skeptical when it comes to statistics like these, but it sounds plausible enough. While law enforcement has an uphill battle against cybercrime for a variety of reasons, they are getting much better at it and are scoring some nice wins against the bad guys. It doesn’t surprise me at all that agencies like the FBI and Secret Service are not only using their relatively new cyber investigation skills against the bad guys, but are also making effective use of their very well developed traditional skills such as undercover operations and the use of confidential informants. It’s also very helpful that United States federal law enforcement has the big hammer of a federal criminal justice system that has no parole.

The Cloud

Not that we needed any more evidence that cloud computing is going to be increasingly ubiquitous at the consumer level, but we certainly received it last week when Apple announced their iCloud service and previewed their new iOS 5 operating system. While it is certainly possible that this particular service could fail to be popular with consumers, it’s another sign that companies like Apple have decided to bet on cloud computing in a big way. One of the biggest new features that we can expect with iOS 5 is removing the need to connect an iPad to a computer to activate it. This will make it easier for people to use an iPad as their sole computing device.

Saturday, June 4, 2011

Beware The BST Monster

Not too long ago I was reviewing a timeline that was created by an outside organization and I couldn’t figure out why this timeline was stating that a file was accessed an hour before the same timeline said it was downloaded and appeared on the computer in question. As I dug into it more, I found similar issues and it became clear to me that the examiner who had prepared the timeline had been attacked by the dreaded BST monster.

A common misconception that I have seen over the years is that London is always in Greenwich Mean Time and never moves from +0000. An examiner will set the time zone on their Windows forensic machine to the GMT time zone with London in the title and assume that the machine is working in Coordinated Universal Time (UTC). The problem is that London (and the rest of the United Kingdom) uses British Summer Time, which is +0100, in the summer months. Some digital forensic tools adjust their results to match the time zone of the examination machine, so an examiner who creates what they think is a UTC timeline using several different forensic programs can wind up with a timeline that is actually part UTC and part BST. It’s also important to remember that this problem can appear in other geographical areas that use summer time, such as Western European Summer Time and Irish Standard Time.

The way to avoid the dreaded BST monster is to make sure that your examination machine is set to a true UTC time zone. In Windows 7, for example, there is an actual time zone labeled “UTC Coordinated Universal Time” that can be used. The other way to avoid this is to understand how your forensic tools report date and time data and what adjustments, if any, they make for time zone settings. Some tools will adjust their output based on what time zone your examination machine is in, and others will allow the examiner to set how time zone issues are to be handled. This is one of the things that I really like about EnCase, because it allows the examiner to easily review and modify the time zone in which it reports its results.
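As an added illustration of the mismatch described above (example code written for this post, not any tool’s actual output), the script below hard-codes the BST rule that a “(GMT) London” machine zone follows, merges a constructed two-tool timeline, and shows the same file appearing to be accessed before it was downloaded until each tool’s stamps are converted to true UTC. The two sample events and the per-tool zone tags are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"


def last_sunday(year, month):
    """Last Sunday of the given month, as a naive midnight datetime."""
    first_of_next = datetime(year + (month == 12), month % 12 + 1, 1)
    d = first_of_next - timedelta(days=1)
    while d.weekday() != 6:          # Monday == 0 ... Sunday == 6
        d -= timedelta(days=1)
    return d


def london_offset(utc_dt):
    """UTC offset in force in London at an aware UTC instant.

    BST (+01:00) runs from 01:00 UTC on the last Sunday of March until
    01:00 UTC on the last Sunday of October; the rest of the year is GMT
    (+00:00). This is the rule a "(GMT) London" machine zone applies, which
    is exactly why that zone is not UTC.
    """
    start = last_sunday(utc_dt.year, 3).replace(hour=1, tzinfo=timezone.utc)
    end = last_sunday(utc_dt.year, 10).replace(hour=1, tzinfo=timezone.utc)
    return timedelta(hours=1) if start <= utc_dt < end else timedelta(0)


def london_local_to_utc(naive_local):
    """Convert a London wall-clock time (what a tool honouring the examiner's
    machine zone prints) back to UTC.

    Both possible offsets are tried and the one consistent with the instant
    it produces is kept. Autumn's repeated hour resolves to its first (BST)
    occurrence; spring's skipped hour has no valid answer and raises.
    """
    as_if_utc = naive_local.replace(tzinfo=timezone.utc)
    for offset in (timedelta(hours=1), timedelta(0)):
        candidate = as_if_utc - offset
        if london_offset(candidate) == offset:
            return candidate
    raise ValueError(f"{naive_local:%Y-%m-%d %H:%M} never occurred on a London clock")


def to_utc(stamp, zone):
    """Parse a tool's timestamp string given the zone the tool really used."""
    naive = datetime.strptime(stamp, FMT)
    if zone == "UTC":
        return naive.replace(tzinfo=timezone.utc)
    if zone == "London":
        return london_local_to_utc(naive)
    raise ValueError(f"unknown zone tag {zone!r}")


# Constructed sample: the same two events as reported by two tools. Tool A
# silently adjusted to the examiner's "(GMT) London" machine zone, so in June
# its output is BST; tool B reported raw UTC. The true order is download at
# 14:00:00 UTC, then access ten minutes later.
TIMELINE = [
    ("downloaded", "2011-06-03 15:00:00", "London"),   # tool A: 14:00 UTC shown as 15:00 BST
    ("accessed",   "2011-06-03 14:10:00", "UTC"),      # tool B: already UTC
]


def order_ignoring_zones(timeline):
    """Event order when every stamp is naively assumed to be UTC."""
    events = [(label, datetime.strptime(stamp, FMT)) for label, stamp, _ in timeline]
    return [label for label, _ in sorted(events, key=lambda e: e[1])]


def order_normalized(timeline):
    """Event order after each tool's stamps are converted to true UTC."""
    events = [(label, to_utc(stamp, zone)) for label, stamp, zone in timeline]
    return [label for label, _ in sorted(events, key=lambda e: e[1])]


def accessed_before_download(order):
    """True when the merged timeline shows the impossible access-before-download."""
    return order.index("accessed") < order.index("downloaded")


if __name__ == "__main__":
    print("ignoring zones :", order_ignoring_zones(TIMELINE))   # accessed first: the monster
    print("normalized     :", order_normalized(TIMELINE))       # downloaded first: the truth
```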

Personal Thin Clients?

I’m still hearing skepticism in the information security and digital forensics world about the future sustainability of cloud computing, but I’m not one of the skeptics. It’s here to stay in part because of increasingly affordable and reliable high speed wireless access and a growing number of people who are poly-device users. While it might not be the norm yet, I’m seeing an expanding number of people who have devices such as desktops, laptops, smartphones, gaming devices (console and portable), and tablets and use them frequently. If a user is accessing their documents, music, email, photos, videos and other data frequently from many different devices, there is going to be a strong draw to a system that allows users to access their data from one central source (AKA The Cloud) without having to wade through trying to keep all of the data synchronized on many devices.

Now where I am a bit of a skeptic is with Google’s Chrome OS that will be entering the market very soon. It’s not that I don’t think it is a partial vision of our technological future, but I don’t think the speed and availability of wireless networks is at a place where the average consumer is going to feel comfortable using a laptop that requires network access to do most of what it’s designed to do. The nice thing about more traditional computing devices like laptops is that you can still be reasonably productive without an active network connection.

Regardless, I still find the concept of a Chrome style OS fascinating. It used to be that discussions of thin client computing revolved primarily around its viability in enterprise level computing. However, if the Chrome OS model does become popular, it means that it would have succeeded on a broad scale in the consumer market long before it did in the enterprise market.

The Broad Threat of Chinese Cyber Espionage

I ran across an excellent article by Richard Clarke recently that was posted on the website of the Belfer Center at Harvard’s Kennedy School. Clarke explains clearly and concisely that Chinese cyber espionage is actively and aggressively targeting a broad spectrum of industries around the globe and is not just confined to targeting the United States government and its contractors. This ties in nicely with what Richard Bejtlich recently pointed out over at his blog, which is that what ultimately counts is what the Chinese think about the utility of cyberwar rather than what we think about it. They have clearly decided that aggressively waging this sort of warfare against both governments and private industry is in their national interest.

What this means is that if you are working in an industry that is of interest to the Chinese government, it is very likely that you are going to be targeted in a similar manner to the United States government and its contractors. This means that your network could very well be another front in this ongoing cyberwar. As Clarke points out in his article, the United States government is limited in what it can do to directly protect private networks. Therefore, it is up to private information security professionals to educate themselves and their organizations and aggressively engage in defending their networks in the name of the long term health of their organizations and the country as a whole.

A silver lining in this for those of us in the private sector information security world is that we don’t necessarily have to be directly working for the government to be making a contribution to their efforts in protecting the nation. I figure if we all do the best that we can in the private sector protecting our organizations from this threat, it not only benefits our customers and shareholders, but it causes the bad guys to expend limited resources that might otherwise be used to go after our military people.

Girl, Unallocated

So the award for my current favorite Twitter handle to date goes to Girl, Unallocated. That’s the nom de cyber for a forensic examiner who prefers to stay in the shadows for now, but you should check out her blog. It’s a nice blend of forensics and humor and has been getting quite a bit of notice recently.

Friday, May 20, 2011

Mobile Devices Are Spy Devices

The recent news items relating to the ability of smart phones to monitor the location of their users are another fine illustration of how these devices are essentially almost perfect spy devices. Leo Laporte of TWiT has been pointing this out for quite some time now and he’s spot on. They have cameras, microphones, and GPS technology which means they can see and hear what is around you along with knowing exactly where “around you” actually is at any given moment. This technology is coming to an investigation near you like it did for the New York City Special Commissioner of Investigation who had an investigation that dealt with FlexiSpy.

So this means that we should work hard to keep these devices out of our environments, right? Wrong. It’s our job as security professionals to securely enable new technology that will help our businesses meet their objectives. Smart phones are part of our society and are increasingly part of the business world. As I have previously discussed, standing athwart technology yelling stop isn’t a viable option or a particularly wise career choice for those of us in the security world. We should not only be facilitating the use of this technology, but also encouraging our businesses to adopt it where we see it could meet a critical business need such as improved communication, collaboration, and product development.

How can mobile devices facilitate product development? The more we have people inside our business such as engineering and marketing people marinating in mobile technology as part of their daily personal and professional lives, the more these people will come up with innovative ways to use the technology to deliver products and services that people want to purchase. As security professionals, we should be encouraging our businesses to securely adopt new technology that helps meet their objectives. In the case of mobile devices, the people who are creating these devices as well as third parties are working to create solutions that will allow this technology to be securely integrated into business environments.

DFRWS 2011 Forensics Challenge

Speaking of mobile devices, the 2011 DFRWS forensics challenge has been posted on the DFRWS website. This year the challenge revolves around Android forensics. If you are interested in learning more about Android forensics, Andrew Hoog will have his book out on the subject very soon.

SANS New Jersey 2011

I recently had the pleasure of teaching FOR408 Computer Forensic Investigations - Windows In-Depth at SANS NJ 2011 in Morristown, New Jersey. We had a great class of people who all came from various positions in the private sector security world. That allowed me to focus on life in the private sector digital forensics and investigations world since that was the role that most of the students would be returning to after class. One of the things I really enjoy about teaching others is that I always end up learning new things from the people I teach. For example, one of the students saw something in one of the Firefox SQLite artifacts that didn’t make sense to any of us. Some of us dug into it after class and we figured out how RSS feeds manifest themselves in Firefox. I’ll craft a blog post on what we found and get it posted soon.

You can read a nice write up of the class here from one of the students. It was very kind of him to take the time to do this and it’s always gratifying to have a student get so much out of class. This group really impressed me with how well they did on the Day 6 exercise. I know most of these folks didn’t have a strong understanding of digital forensics when they started the week and that’s why they were in class. They did a fantastic job and it really manifested itself on the final day. Well done team!

Symantec Buys Clearwell

The only thing that surprised me about the recently announced acquisition of Clearwell by Symantec is that something like this didn’t happen sooner. Many of us have been expecting companies like Symantec and McAfee to get into the eDisco and digital forensics markets through the M&A process. I still keep expecting someone to snap up Access Data Group, especially now that they offer a more end-to-end eDisco process through their recent merger with CT Summation.

Give me 64 Bits or Give Me Death

It’s increasingly clear to me that we’re at the tail end of the 32-bit era for digital forensics. Yes, we will continue to examine 32-bit systems for many years to come. However, the memory limits that are imposed by 32-bit operating systems coupled with the memory requirements to make our comprehensive forensic suites like EnCase and FTK work well mean it doesn’t make much sense to build a forensics computer with a 32-bit operating system. Sure, you can do forensics in a 32-bit host environment, but why would you want to? It’s better to have a 64-bit system with a considerable amount of RAM, especially given how cheap RAM is these days. Ultimately, I think we’ll see companies like Guidance Software and Access Data Group phase out 32-bit support in future releases of their tools as the community abandons 32-bit operating systems for their examination platforms.

Wednesday, May 4, 2011

2011 Forensic 4cast Awards

Lee Whitfield has tabulated the nominations and posted the official ballot for the 2011 Forensic 4cast Awards. You can find the ballot here and the results will be announced at the 2011 SANS Forensics Summit in Austin.

A Fistful of Dongles was nominated for Best Digital Forensic Blog which is both surprising and humbling. Thank you very much to those who took the time to nominate the blog for this award. This blog has been a tremendous amount of fun to do and it’s flattering that others find it useful. Good luck to all of the nominees!

Sunday, May 1, 2011

SANS@Night at SANS New Jersey 2011

A benefit of attending major SANS conferences like the annual SANSFIRE and Network Security training events is the opportunity to attend the various SANS@Night presentations in the evenings. Students can also experience this with some of the smaller SANS training events through a program that SANS calls “Community of Interest in Network Security” (COINS). One such event will be held during SANS New Jersey 2011.

Andrea Hogan at SANS has asked me to pass along this information to those who might be interested in attending.
SANS invites you to be our guest for our COINS (Community of Interest in Network Security) SANS@Night event in Morristown, NJ on Thursday, May 12th.
Join us for an informative presentation where you will get the opportunity to mingle with other members of your local security community and SANS attendees.  SANS will provide complimentary snacks and beverages.
Yori Kvitchko will deliver his exciting presentation, “Staying Ahead of the Storm: An InfoSec Forecast”.
There is no cost to attend this event, but we do need you to register at:
(http://www.sans.org/new-jersey-2011-cs/special.php).
Complimentary SANS@Night Event Details
Date: Thursday, May 12, 2011
Time: 6:30pm - 8:30pm
Location: Hyatt Morristown at Headquarters Plaza, Morristown, NJ, USA 07960
Seating is limited so RSVP today at: (http://www.sans.org/new-jersey-2011-cs/special.php)
For more information on the reception or our training events please contact me at ahogan@sans.org.
Andrea has also told me that Bonnie Diehl will also be at this event and will be providing an overview of the SANS Technology Institute. I’ll be at this event and I look forward to being able to potentially meet some of the readers of the blog in person.

Wednesday, April 20, 2011

Augmented Reality: An Interview With Joseph Rampolla

One of the nice benefits of publishing this blog is that it has allowed me to talk to a variety of fascinating people who I normally might not have met.  Joe Rampolla is one of those people.  Joe and I were having a discussion about digital forensics when at the end of the conversation he asked me if I had ever heard of augmented reality. I had to admit that I knew nothing about it. Joe proceeded to amaze me with his level of knowledge on the subject and I was intrigued with the potential for both good and evil that this technology brings with it. I asked him if he would be interested in doing an interview for the blog and he readily accepted. As Joe will illustrate for you during the course of this interview, augmented reality has the potential to fundamentally change how we interact with each other and the world around us.

Professional Biography of Joseph Rampolla

Joseph Rampolla has been a law enforcement officer for sixteen years. In 1994 he received a Masters of Arts degree in Criminal Justice from John Jay College in New York City. Joseph holds a Bachelor of Arts degree in Law & Society from Ramapo College of New Jersey. He became a police officer in 1995 and currently holds the rank of Lieutenant for the Park Ridge Police Department. He has supervised numerous criminal investigations within the department and oversees the Detective Bureau. In 2003 he was assigned to a regional computer crimes task force. He has successfully completed training offered by county, state and federal agencies as well as leading technology companies with a focus in the areas of computer forensics, Internet child exploitation, cyber-bullying, cyber counter-terrorism, human trafficking, and Peer-to-Peer file sharing investigations. He is a member of the HTCIA, HTCC, and IACIS where he has earned the classification of Certified Forensic Computer Examiner (CFCE) and AccessData Certified Examiner (ACE). Joseph enjoys teaching the topics of cyber crimes, augmented reality / virtual worlds, cyber-bullying and advanced undercover Internet Relay Chat (IRC) investigations. He has taught international law enforcement at Microsoft in Redmond, WA, in the Canadian province of Ontario, and taught cybercrime topics to all levels of law enforcement for the National Internet Crimes Against Children Task Force. Joseph was the co-creator of the Internet Safety DVD Series – Point of No Return which featured the cyber-bullying video “Sticks and Stones” and the predator video “The Web.”

AFoD: You and I had an interesting discussion recently where you educated me on the topic of augmented reality. I found our conversation so fascinating that I had to get you to do an interview for the blog. Let's start with the basic question. What is augmented reality?

JR: Augmented Reality is taking digital or computer generated images and overlaying them on a real-time environment. The best way people would relate to Augmented Reality, better known as AR, is by thinking of a fighter pilot. We have all seen the Heads Up Display (HUD) of a pilot's view that shows a digital overlay with an artificial horizon, the digital altitude, digital speed, and a host of pilot dashboard information seen looking out the cockpit window. Another example would be the artificial first down marker that helps football TV viewers know how far the offensive team needs to go to get a first down. We know that the yellow line is not really on the field, but once the digital overlay is placed into the live environment, it assists millions of viewers in a real time environment to enhance our viewing experience. These examples are primitive compared to new exploding uses of a technology that has been around for quite a while. The high quality of cameras, huge data and bandwidth pipes, along with the powerful computing power of smart phones has created the perfect storm.

AFoD: Why is augmented reality something that technical investigators need to be concerned about in regards to smart phones?

JR: There are a number of reasons why technical investigators need to be concerned about smart phones. We are moving to a dominated mobile platform period (which will continue to increase in time). All of your social networking and communication platforms will have a mobile presence. The following types of investigations, to name a few: child pornography, cyberbullying / sexting, harassment, stalking, corporate espionage, digital piracy, terrorism, gang recruitment - will all move to a ubiquitous mobile platform. The amount of mobile apps coming out each day is staggering. The Android and iPhone smartphones are increasing in use, which forces technical investigators to shift their focus to mobile forensics and concentrate on the mobile application programming interface (API). A digital forensic shift in value is moving from the home PCs to mobile smartphones. These smartphones give the user all the access they need to check email, text, check and post to social networking sites, which will reduce the man-hours of home PC use in my opinion. This premise means more digital evidence nuggets will be on smartphones than on home PCs. If technical investigators do not get ramped up on mobile forensic trends, they will find themselves reading by candlelight and writing with an ink and quill. I find myself more reliant upon my smartphone than my home PC. It is more critical for me to back up data and apps on my Droid than thinking about my mobileless home clunker.

AFoD: Can you give us some examples of how augmented reality would manifest itself in a way that would be relevant to an investigation? Just how are the bad guys using this technology?

JR: Because this technology is finally gaining traction, the better question will be "Just how WILL the bad guys use this technology."  The technology needs to become mainstreamed first and be ubiquitous before truly being utilized by perverts, crooks, criminals and terrorists.
This technology is poised to explode into mainstream society but has not done so yet. It is currently being used in marketing and advertising realms at this moment but that should change very soon. Companies like Viewdle and Polar Rose (which was recently acquired by Apple) are beta testing Augmented Reality and facial recognition. As Augmented Reality facial recognition technology blends with social networking mediums, we will see issues of stalking, identity theft, harassment and other criminal uses. The porn industry is investing large sums of money into augmented reality, which will naturally pave the way for child pornography uses. Wherever society finds pornography, child pornography is not too far behind. Currently the porn industry has AR markers that can be held up to a web cam and show the viewer being surrounded by porn video clips. This gives the viewer the experience of feeling like they are in the pornography and gives the illusion that they are part of the experience as opposed to being a remote viewer of the "action." Imagine a scenario where a virtual avatar or character could sit at your kitchen table if you were wearing augmented reality glasses. The glasses would show a digital depiction of that avatar sitting in front of you, which could conspire on how to commit a criminal act while the person who is controlling the avatar could be safely out of reach of the US government. This raises serious concerns for US National Security and US Law Enforcement. Virtual criminal packages could be left in public areas and could only be detected by someone that is part of that Augmented Reality / virtual network. The iPhone has an app called Tagdis. You can write virtual graffiti on a public building or police station. This virtual graffiti can only be seen with the use of the smartphone app.
Criminals, drug dealers, or other miscreants could leave virtual markings or clues for other criminals in virtual space, and a person unaware of that digital space would pass by that location with no knowledge of the virtual message.
Digital investigators need to be aware that a new digital space will emerge with important evidence that will be related to future crimes and societal digital markings. Digital investigators will need to focus on the remnants of evidence that will be left on smartphones and other electronic devices. AR will change how we and society see things, just as we forget that invisible signals and beams are flying through our atmosphere and environment right under our naked eye.

AFoD: This is amazing stuff, Joe.  Before we dive into this further, can you recommend any resources on the web that might offer a visual illustration of what you are talking about?

JR:

Facial Recognition:

http://www.youtube.com/watch?v=0QBLKBYrgvk

http://www.youtube.com/watch?v=x0FasRTTk4k

Turn People into experts with Augmented Reality:

http://www.youtube.com/watch?v=P9KPJlA5yds

Augmented Reality HUD display - Vehicles

http://www.youtube.com/watch?v=REXer_yW6S8

Topps Baseball Cards

http://www.youtube.com/watch?v=I7jm-AsY0lU

Augmented Reality Pornography

http://www.youtube.com/watch?v=5GXuS1N1SSM

Planefinder AR

http://www.youtube.com/watch?v=b64xvlOvdlM&feature=related

AFoD: We're really just at the starting point of something very big with all of this, aren't we? I'm struck by how this could be used for some very positive things as well as for some deeply evil acts.  Do you have any concerns about this technology from a cyberbullying standpoint? For example, I can see how instead of just writing something nasty about some poor girl on a bathroom wall, you could now write those things on her virtually through this technology including how she can be located or contacted.

JR: You raise some very good points. There is definitely the ability to use this technology for cyberbullying or dissing people through public virtual postings. I got a better one for you. People start to advertise their virtual ads over the virtual space in Times Square. I put a big virtual banner for Guess Jeans in virtual space over the JCPenney real billboard in Times Square. Am I violating any advertising cybersquatting laws? (maybe cybersquatting is the wrong word on this one) Who knows. I am sure the lawyers will come out of the woodwork on this one.

When it comes to cyberbullying I guess the issue will be whether you could anonymously put stuff in a virtual realm without being traced. I guess this depends on what open virtual networks are created and how a user can anonymize their posting without a trail leading back to the person that posted it. Will throwaway smartphones be accessible to the public to pull this off? Will nefarious people post virtual misinformation in the virtual realm to create confusion and spread lies / rumors? It will be interesting to see where things move with this technology and how the business model takes it. Advertising agencies are the leader in this area at the moment and the porn industry is investing a lot of money too. I have more questions than answers, unfortunately.

AFoD: As you look forward to the future, how do you think this technology will impact our culture from a social standpoint as well as how we conduct business?

JR: Augmented Reality will be a game changer. It will have a huge impact on a culture in many different ways. For starters, it will be embedded in social networking sites. Social proximity networks will thrive with augmented reality because geolocation will change the way our society and culture sees technology. People will utilize the scanning of people with smartphones and tie in to a person’s social networking profile. Kids and adults will scan people in their live environment to identify each other, and it will reveal who we are and give glimpses as to our posts, our blogs, our profiles, and where we go in our daily lives. People will voluntarily allow open networks to thrive and share real time information. The scariness begins when closed networks begin to form. Closed networks of criminal organizations, predator networks and secret societies will share information about law enforcement, adolescents, and other nefarious groups that share common criminal goals. Stalking, identity theft, terrorism networks and beyond will put this amazing technology to bad purposes, and that will eventually rear its ugly head. Marketers, advertisers, and commercial applications will boom. It will become integrated with our thirst for realtime information and aid in what items we buy, the groups we want to be a part of, and even groups that we are unaware of that want to know more about us. This creates a slippery slope where many users are unaware of other users' real intentions of why they want this information about us. Think of the child predator groups that will form to trade information on unsuspecting children who post their geolocations without a true understanding that they may be in harm's way. Augmented Reality applications tied into devices such as the AR Parrot (remote helicopter) will create drone devices that can spy in hotel windows or spy on innocent victims.
There does not always have to be a nefarious purpose to utilize this technology, but eventually lawmakers will have to reconsider stronger privacy laws to protect society. The long term effects will become apparent as the technology goes mainstream. Society will never be the same as AR unfolds before our eyes. Society will enjoy it but also can be repulsed as AR crimes begin to take hold in our communities and our society.

AFoD: If you could gather all of the people who are going to be planning, developing, and marketing augmented reality applications into one room, what would you tell them? It sounds like a proper Uncle Ben speech is in order at a minimum.

JR: If I could gather all the stakeholders regarding AR into one room my message would be clear and simple. The Wright Brothers took their first powered flight for 12 seconds in 1903. Little did they know that their innovative efforts would pave the way for Stealth Bombers and planes used as missiles in the 9/11 attacks. I have had the pleasure to speak to many brilliant AR creators and developers who are benevolent and kind and want to have a positive impact with technology on our society. I ask them to wear an "evil cap" also when developing new innovations and to think about the downside to this amazing technology. Most developers would have no reason to think like a bad guy since it does not achieve their final goal or complete their project. Think of how criminals and miscreants can create harm and danger when developing AR. Let’s not make it so easy for criminal elements to capitalize on this technology, and get input from law enforcement, psychologists, child protective specialists, and other important disciplines while advancing technology. I think it is important for all sectors of society to work with AR developers to create safe applications while limiting the knowledge of those with bad intentions. It’s like having the formula for a potential atomic bomb and posting it on every blog in the world. We must do everything in our capability not to release that dangerous blueprint to the wrong set of eyes. Some could argue that it will get out anyway so why bother. I would rather know that AR innovators took every precaution to safeguard this technology while utilizing this incredible innovation that will change our society like never before.

AFoD: What should lawmakers be doing at this point to address issues pertaining to augmented reality?

JR: Obviously lawmakers and the Criminal Justice System need to be up to speed on AR. The next 12 months will be a good indicator of how this technology rolls out and advances. As I mentioned previously, social proximity networks will become more popular as you can geographically see other "live & realtime" users within your immediate region. I checked in with my FourSquare account the other day at Newark Airport and saw 63 other users check in around me (at that moment). I could see their pictures, their postings, and a host of information they allowed me to view. I could have easily stalked some of the FourSquare users since I knew what they looked like and what terminal they were sitting at as they awaited their flight. As I viewed the other places they checked in and analyzed their friends, I could clearly profile their lives. Some were young college students, others were struggling musicians, and some were successful white collar workers. I saw their likes and dislikes and could easily approach them and capitalize on their unknowing "book of knowledge" they projected into cyberspace. I couldn't help but think of the shrieking sound of "Danger Will Robinson...Danger."

AFoD: What else would you like people to know about augmented reality?

JR: Augmented Reality is a wonderful technology that could do so many good things. I don't want to seem like an alarmist, but having our heads in the sand is not productive either. I want to work with developers in finding ways to use this technology to track bad guys and help law enforcement protect society. Think of a wide scale emergency where Augmented Reality apps can lead a person to safety or alert them to dangerous areas; that is an important arena. Let’s imagine that there was a Hazmat spill in an urban setting. Users with AR equipped smartphones could be alerted to the dangerous toxic cloud and use the AR app to evacuate the area. Emergency crews could use AR to find victims or routes that will assist their rescue attempts while limiting their exposure to harmful gases. AR can be used for an enormous amount of positive uses. I don't want people to miss that point as I get out my message. I want to work with developers and law enforcement officials to find positive ways to enhance our profession and safeguard our citizens. I sometimes get blank stares from developers because when they hear that I am in law enforcement they don't understand why I am concerned or even involved with AR. The AR concept is so new, many do not look down the road to understand its full capabilities. I hope to raise awareness through lectures, presentations, and an upcoming book on Augmented Reality and the double-edged sword it brings to the technological evolution.

Sunday, April 10, 2011

Forensic 4cast EnCase 7 Interview

Lee and I interviewed Steve Salinas and Ashley Stockdale from Guidance Software about EnCase Version 7. I think Lee may have set an all-time podcasting production record when he was able to get the podcast edited and posted about three hours after we did the interview. EnCase is my primary file system digital forensics tool so I’m very excited to see what is in store for EnCase V7. Steve and Ashley were excellent interview subjects and did a fine job explaining what we can expect in the new version. Steve and some others have also been working hard to hit the road and talk to the community about V7. You can find a schedule of the presentations Guidance is giving all across the world at their website. If you are an existing user, you can also register for a preview of the software. I’ll be at the NYC sneak peek that will be held this coming Friday.

FTK News

According to Access Data, we can expect to see FTK version 3.3 released on Monday. It reportedly will provide some additional functionality to deal with iOS forensics in conjunction with MPE. Lee Reiber has provided some information about the new version through Twitter. I’m also starting to hear rumblings about FTK Version 4 and I’ll bring you more information as I learn more.

Raptor 2.0

Forward Discovery has released Raptor 2.0 which is a nice live Linux distro that can be used for acquisition purposes. Their website also includes instructions on how to create a Raptor 2.0 USB.

Sleuth Kit and Open Source Digital Forensics Conference

The Sleuth Kit and Open Source Digital Forensics Conference will be held on June 14th.  Presenters at this conference will include Harlan Carvey, Cory Altheide, and Jon Stewart. Cory and Harlan will also have their open source forensics book released shortly.

Digital Forensics Search

Corey Harrell over at Journey Into Incident Response has crafted what he is calling the Digital Forensic Search using a variety of sources of information in the digital forensics world. This is a fantastic service that Corey has provided the community and he has an excellent blog that I recommend people follow.

Book Reviews

I enjoy reading and writing book reviews. It’s an art that I’m still learning and one of the people who I enjoy the most when it comes to book reviews is Richard Bejtlich. I’ve decided to add a book review list to the blog. You can find it to the right and it contains the RSS feeds of book reviewers who I follow. Right now it just contains my Amazon review feed and Richard’s. Let me know if you have some others that you like and I’ll add them to the list if I like their work.

I recently reviewed Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats by Will Gragido and John Pirc.  You can find that review here. As you can see from the review, I absolutely loved this book and I think you will also. Let me know if you agree. Better yet, leave some feedback for everyone on Amazon if you read the book.

Mobile Malware

I ran across an interesting article recently about a variant of Zeus that is targeting mobile devices. It’s another good illustration of why we can’t ignore what is going on in the mobile device space. It’s going to be increasingly difficult for those who are working in security to ignore the mobile device world.  These devices are going to play an increasingly key role in modern criminal and intelligence gathering behavior. I’m working on an interview about mobile devices and augmented reality that has been an incredibly eye opening exercise for me. I hope to get it posted soon.

Twitageddon

I decided to make my semi-private @ericjhuber Twitter account “private”. While I’m not under any illusions that anything I post in a protected Twitter account is actually private, I decided it didn’t make any sense to offer out that account to the public along with my @AFoDBlog account. I had hundreds of people following the @ericjhuber account who I didn’t know and who followed me because they were curious about digital forensics and information security. I always felt bad when I’d tweet about things not related to digital forensics and cybercrime and felt pressure to be “on” with that account. I’ve decided to just use that account to socialize with digital forensics people and others who I know and who interact with me. I’ll continue to use the @AFoDBlog account as my public account where I tweet about digital forensics, information security, cybercrime, and the like. You can also talk with me and others at the blog’s Facebook page.

Thus, if you find that you suddenly aren’t following the @ericjhuber account, please don’t be offended. I drastically pared down the number of people following that account to only the people who I actually knew and who interacted with me on a regular basis about things not just related to digital forensics.

Tuesday, April 5, 2011

An Interview with Shafik Punja

I’ve been wanting to do an interview with Shafik Punja for quite some time now. Shafik is particularly well known for his work in the mobile device space with an emphasis on Blackberry forensics. He is one of the people who I call when I get stuck on a mobile device problem. He’s an extraordinarily sharp fellow and is very willing to share his knowledge. He’s an asset to the digital forensics community and a credit to the Calgary Police Service.

Professional Biography of Shafik Punja

A police officer with the Calgary Police Service for over 15 years, Mr. Punja has been working in digital forensics since 2003, and has conducted digital forensic examinations on a wide variety of digital data storage devices and operating systems. In 2005, Mr. Punja began researching and developing analytical techniques for mobile devices and smart phone platforms, and has become an expert in the analysis of BlackBerry, among other devices. Mr. Punja has been qualified in the Canadian legal system as an expert in the area of digital forensics, and has been a guest instructor for the Technological Crimes Learning Institute (TCLI) at the Canadian Police College, in Ottawa, Ontario.

AFoD: How did you get involved in digital forensics?

SP: Well, it all started back in about Sept 2000.  I had never owned a computer (well maybe if you count the Commodore 64 back in the 1980s) with a high speed internet connection, until my wife said we should get one so we could communicate with her parents back home.

I was familiar with office productivity applications, and knew what Windows was and had friends that had a computer with Windows 98 with a productivity suite, which I used. But my first real experience at handling a computer came when my wife and I purchased one, and also got our first high speed internet connection - all in the same day! At that time the PC that we bought was a mid line machine, 900MHz AMD processor, with 512 MB RAM, and 32MB video card running Windows ME.

During this time I had about 5 years on as a police officer with my agency and was working uniform patrol, with my life centered around shift work.  I also have a passion for online gaming, so after my night shifts, to unwind I would play my share of PC video games.  This eventually wore off after about 4-5 months. I still played but not as extensively and started learning about my computer.  So what's the first thing I did?  Well I read the motherboard manual for our computer front to back and learned what a BIOS was.   I learned how to do BIOS upgrades, which were frowned upon.  I also discovered that I did not have a software firewall so I did some research on firewalls and discovered Zone Alarm which I promptly installed.

Pretty much that launched my interest into learning about the Internet, how it worked, protocols, firewall basics, and learning about data mining or open source intelligence gathering. It was stunning to discover how much information could be found online about persons, places or things if you just looked hard enough.
Eventually in 2001, I made a convincing argument to my Inspector at that time, who allowed me to take a distance learning course from the Canadian Police College called Internet Searching Techniques Basic. I sailed through this course as everything that was contained in the student manual I had already learned on my own. So it was a nice way to validate self taught knowledge.

I was still in patrol working shifts so I took another distance course offered by the University of Calgary, called Computer Crime Investigations and Computer Forensic Training. This computer based training course taught me the basics of digital evidence preservation, hash values, hard drive structure, clusters, sectors, and MBR etc. I finished this course and wanted to learn more!

So with that in mind, in 2002, I transferred from patrol to a public relations unit, which took me away from shift work and back to a normal lifestyle. Between 2002 and late 2003 I obtained my A+ certification and my CISSP certification (both on my own dime) and went to Ottawa (covered by agency and the RCMP) to take the basic 3 week Electronic Search and Seizure Course at the Canadian Police College. I also finished the Intermediate and Advanced Internet Searching Techniques.

In between I managed to muck around with Linux and teach myself the basics of the Linux command line and dual booting Windows and Linux, hacking my own root password because I locked myself out of the local user account on the box, and breaking the software on both Linux and Windows, causing several re-installs and upgrades from Windows 98 to 2000 to eventually XP Pro.

I was lucky that I had an Inspector and a Staff Sergeant that supported my career aspirations. They both knew that I had a desire to get into the Technological Crimes Unit (TCU) and do digital forensics. They realized that although I was doing a really good job where I was currently assigned, I belonged in another area. In November 2003 I was seconded into TCU and must have done a decent enough job that in March 2004 my transfer was made permanent.

Since then I haven’t looked back. I have found a career in digital forensics to be the most rewarding, satisfying and challenging work, and would never consider anything else.  Every day there is a new challenge to learn and overcome; the quest for new knowledge and discovery.  And of course there is also the look on the face of the investigators when they ask how did you do that or how did you figure that out....and I just smile...elementary my dear...well you know the rest...:)

AFoD: Did you learn anything during your days working as a patrol officer that helped you become a better forensic examiner?

SP: Hmmm...interesting question Eric.  I have had to give this some serious thought.  My memories about my patrol days can essentially be divided into two categories: good partners and crappy partners.  It seems that my crappy partners were always bent on never wanting to really investigate anything, or never completing what they started, with the leftovers falling into my lap to finish up.  Seeking advice from them, I realized, was like pulling teeth. What this category of partners did teach me is what I would not do with any partner that I was either training out or working with.

Now to the good partners.  They taught me to become meticulous and tenacious in what I was investigating.  They never offered any advice - rather they worked with me to complete the investigations; I was encouraged to trust my instinct and keep detailed notes about my investigative actions on any file that I was the primary investigator on.

One of the most important things I learned was to interview everyone and anyone that I came into contact with: witnesses, victims, suspects and accused.  This taught me to appreciate how to extract, confirm and verify details. Every interaction with a member of the public, regardless of their position or reasoning for coming into contact with the police, was an opportunity to practice verbal skills, and experience the non-verbal mannerisms displayed by persons from diverse backgrounds.

So how does that apply to digital forensics?  Well, it’s the investigative mindset.  You see, patrol work is primarily responsive policing.  Typically front line patrol officers are reactive policing resources.  They start off the initial investigation by being first responders on a scene. And after, they might continue to carry the case through to its resolution - whether that is laying charges, or closing the file without charges depending upon the nature of the information.  In my case I was lucky enough to pick up investigative files and have an opportunity to work in an investigations unit, seconded temporarily from patrol for about 1 year.  I really enjoyed this and knew then that I wanted to investigate things.  I just didn’t know which direction my policing career would take to get me to investigations.

When I realized that technology and crime were the direction that policing was going back in 2001, I started to understand how to use the Internet to search out details about subjects I was pursuing.  And finally ending up working in the Technological Crimes Team (TCT) gave me that ability to assist with criminal investigations that have a technical component.  So having an interest in doing investigations, learned during my patrol days, certainly has helped me when I deal with investigators that come seeking help from TCT and me.

AFoD: You've developed a reputation of being a leading practitioner and researcher in the area of mobile device forensics. What captured your interest about mobile device forensics and how did you develop your abilities in that area?

SP: Eric...you have an interesting perspective.  I honestly don’t feel that I have this reputation or am a leading practitioner of mobile device forensics.  But I am truly humbled and appreciative of your opinion.

What captured my interest in this area resulted from getting requests for extracting data from cell phones, BlackBerry and other PDA devices.  This started around 2004 just after I got into tech crime. I remember speaking with my then unit supervisor (now retired) and telling him that mobile devices are going to be the next big wave in forensics.

This precipitated finding software to do extractions of such devices, such as manufacturer specific tools (PST), SIM card software like SIMCon, BitPim, MOBILedit!, Oxygen Forensic (when they were all free); reading Svein Willassen's invaluable papers, not to mention Eoghan Casey, whom I recall as documenting cell phone forensics and SIM card analysis in one of his early digital forensics books.

Within a matter of months the TCT for the Calgary Police Service had gone from knowing very little about cell phone and SIM card forensics to having a basic working grasp on how to extract the data.  Our trouble at that time was finding proper analytical tools that could parse the content.  Pretty much there was only Paraben, which in its older toolkit had PDA Seizure and Cell Phone Seizure, which is now combined into an integrated product called Paraben Device Seizure (PDS).

One of the ways in which I developed my abilities was to learn as much as I could about cell phone data extraction and analysis.  What information did the mobile device store versus the SIM card?  What was the best method of processing an on-state device versus an off-state device? Short of Faraday shielding, I learned that Airplane Mode (or its equivalent) was a good method of radio-isolating a device.

I also adapted concepts from general computer forensics and applied them in standard operating procedures for mobile device analysis, like device date/time verification against actual, manual verification of data extracted against the handset, photographic capture/documentation of any data not extracted, and following the concepts of most forensically sound process to the least forensically sound process.

It wasn’t until the late summer of August 2006 that I took my first real cell phone analysis course, taught by the infamous John Thackray, who was at that time an instructor for Micro Systemation (XRY).  That course essentially grounded all the concepts that were self-taught and verified that what I had learned through all the forums, white papers and numerous other electronic and print sources was correct.  In essence I had followed sound practice and methodology as best as one could with the tools that existed.

In December of 2007 a mentor and very good friend of mine encouraged me to write a small article on cell phone forensics based on what I had learned.  Well, that article turned into a white paper that I co-authored with Rick Mislan in SSDFJ.  It was my first attempt at documenting general mobile device concepts and analysis procedures.  What I didn’t know was that this was just the start.

Not long after, whilst I was doing some guest instruction at the Canadian Police College in Ottawa, several questions were posed about the structure of the BlackBerry IPD file.  It was then that I realized there really was not a single source document that talked about BlackBerry forensics, the BES, or even a detailed overview of the IPD structure.  This realization spawned another research project with several LE colleagues and culminated in a presentation at MFW 2009 on BlackBerry Forensics.

In summary, exposure to an overwhelming number of devices since 2004, lots of self-based learning through white papers, guidance from colleagues and peers, and determination allowed me to develop my abilities.

AFoD: You've engaged in a considerable amount of research in the area of BlackBerry forensics. What's the current state of digital forensics tools and methods for BlackBerries?

SP: Eric, I have been doing BlackBerry forensics for the last 6-7 years now.  I remember starting to see BlackBerry devices as early as 2004.  From that time onward, I have not observed any one entity or commercial group really tackle the logical data extraction and parsing for this device.

One of the earliest methods of analyzing BlackBerry data was to "mount" the backup IPD file inside a BlackBerry simulator through a virtual USB connection.  In 2004, really no tools supported parsing the IPD structure.  Then through the forums ABC Amber BlackBerry Converter was being mentioned as the best solution, with a low cost.

It essentially did what no "forensic" tool could do at that time and even up to recently.  Between 2004 and 2010 we have the following state of BlackBerry forensics:

1. The developer and creator of the ABC Amber BlackBerry Converter appears nowhere to be found.  My last communication from him was received at the end of September 2010.  Any attempts to purchase the software fail.

2. None of the major forensic vendors either on the computer side or the mobile device side have really taken the time to properly decode the BlackBerry IPD file structure. 

2a. EnCase as of now at version 6.18 still does not support the decoding of this file.  There are two third party scripts that do a decent job of parsing the IPD.

2b. FTK 3.2 just started supporting parsing of the IPD file but only decodes a certain number of databases.

2c. Paraben Device Seizure, Oxygen Forensic Software, UFED Physical Analyzer Pro only support parsing a select number of databases within the IPD file.

3. There is a distinct lack of a standalone product which can properly read, decode and display the parsed data to the investigator at a decent price.

I know that my own research, along with that done by my colleagues, has determined that not all the data present within the IPD structure is being parsed.  Part of the reason, I believe, is that very poor documentation exists on its structure.  So this requires some significant time and effort, where the generated test data that is decoded needs to be validated against not only the device that generated the IPD file but also across different OS versions.

Here is a list of commercial software that supports parsing of an IPD file created with either BlackBerry Desktop Manager or UFED Physical.

1. Cellebrite Physical Analyzer Pro Software

2. EnCase Script by 42 LLC available for free from their website

3. FTK 3.2 - ensure that compound files are checked off, otherwise it won't work

4. BK Forensics, Cell Phone Analyzer

5. Oxygen Forensic Suite Analyst Version

6. Paraben Device Seizure

Free tools that will parse IPD files to varying degrees:

1. IPDdump

2. MagicBerry

Beyond the tools, there is no BlackBerry Forensics book.  This smart phone device has been around longer than the iPhone and Android devices, and yet there are numerous whitepapers and 2 books on iPhone Forensics, and a forthcoming book on Android Forensics. I approached both O'Reilly and Syngress about publishing the research conducted in 2009 as a book.  Unfortunately neither publisher expressed interest in the manual.  Thankfully around September 2010 a well respected peer and colleague approached me about publishing this research, and he has taken on securing an editor, who has already reviewed the manual.  I hope to have the 2009 research published finally by the end of 2011.

AFoD: That's great news, Shafik. The community could really use a good book on BlackBerry forensics. You're also involved in a tool development project for BlackBerry forensics.  Can you tell us more about that effort?

SP: My research colleague and I have been involved in understanding how to deconstruct the BlackBerry IPD file and parse the user data. Unfortunately there is very little documentation on it. The technical article provided by RIM only outlines the header data and how to understand the basic structure of the data record block.  It does not provide the structure, for example, for call records and call record variations (incoming, outgoing, missed).

So obviously we will have to develop our own documentation on how to decode the values and parse out as much data as is retained within the IPD file. I would love to talk to you about the tool.  However at this time, we’re just trying to find ways to bring new capabilities to the market that will enhance the search for data on the BlackBerry.

AFoD: Got it. You could tell me, but you'd have to kill me. A common theme that I see on the digital forensics email lists is confusion over what tools work best for mobile device forensics.  What sort of tools are you finding the most useful for your examinations?

SP: The tools that I find the most useful for my examinations at the current time are:

1. Cellebrite - good general purpose tool
2. .XRY Complete - good general purpose tool
3. Lantern - iPhone specific
4. Secure View 2 - good general-purpose tool
- Both Cellebrite and .XRY support certain models for physical level analysis; they don't do every phone in that manner.

Flasher Boxes
1. UFS/Tornado - good for physical level binary dumps of specific supported models of cell phones

For iPhone Backup Files:
1. Mobile Sync Browser (Windows and Mac)
2. Juice Phone (Mac)
3. iPhone Backup Extractor (there are 2 apps with the same name made by different companies, unrelated to each other)
3a. iPhone Backup Extractor - (Windows, Mac and Linux)
3b. iPhone Backup Extractor - (Mac)
4. iTwin - (Windows)

iPhone (NOT Forensic Tools)
1. Phone View (Mac)
2. iPhone Explorer (Windows, Mac)

Photographic
1. Fernico ZRT

SQLite Database Analysis
1. SQLite Personal Expert - Free version (Windows)
2. SQLite 2009 Pro (Windows)
3. SQLite Spy (Windows)
4. Base (Mac)
5. Froq (Mac)
6. SQLite Database Browser (Mac, Windows, Linux)

BlackBerry IPD Parsing
1. ABC Amber BlackBerry Converter
2. UFED Physical Analyzer Pro
3. 42 LLC EnScript for IPD Parsing in EnCase
4. Paraben Device Seizure - only for IPD parsing as last resort
5. Magic Berry (Windows)
6. IPDdump (Windows, Linux, Mac)

Cell Phone/Smart Phone Binary File Analysis
1. UFED Physical Analyzer Pro

Data Carving Cell Phone Files
1. Phone Image Carver
2. FTK 1.81.6
3. EnCase

Now this looks like a lot of tools that I have listed.  And yes, I have used each and every one of them depending upon what I needed to do.  The tools that my agency has in its arsenal are also dependent both on our software budget and the types of mobile devices that we encounter.  As you well know, no one tool does it all.  So it's good to have several toolkits that attempt to cover the most number of devices that you are encountering.

AFoD: What sort of advice would you give to someone who is already proficient in traditional computer forensics such as Windows forensic analysis, but wants to become proficient in mobile device forensics?

SP: Traditional computer forensic skills provide an excellent foundation for mobile device forensics. Several things to consider though are the following:
· Mobile device forensics is not static forensics in that you cannot "write-protect" a mobile device currently
· Every user action on a live device can cause unintentional changes to memory - this is unavoidable; try to minimize this impact by doing some research about the device prior to analysis
· Mobile devices can be susceptible to remote manipulation or wiping if they are not isolated from all wireless connections
· If you end up altering data on the device due to "fat-finger syndrome" - document it!!!
· There is no all-in-one solution that does every single device that gets everything from the device
· There are different levels of analysis as identified in the tool classification system white-paper by Sam Brothers: Manual Extraction (capture contents of device display), Logical Extraction (file system only), Physical Extraction (hex dump), Chip Read, and Micro Read.
· As you move along this continuum, the methods become more technical and the tools become more expensive
· Don't forget to utilize traditional computer forensic tools in data carving or data parsing (iLooKIX, EnCase, FTK, WinHex, ProDiscover etc)

AFoD: Do you have particular books, blogs, training programs, and the like that you can recommend?

SP: Books
Just like there is no all in one tool for mobile devices, there is no all in one book for mobile devices. There are platform specific books that one can purchase specifically for iOS devices, Android and hopefully soon to be BlackBerry. :)
1. iPhone Forensics - Jonathan Zdziarski
2. Mac OS X, iPod and iPhone Forensic Analysis - Ryan Kubasiak
3. iOS Forensic Analysis - Sean Morrissey
4. iPhone and iOS Forensics - Andrew Hoog, Katie Strzempka - release date June 2011
5. Android Forensics - Andrew Hoog - release date June 2011

Blogs and Forensic Groups
1. Mobile Telephone Evidence
2. Mobile Device Forensics
3. Mobile Forensics Central - operated by Teel Technologies
4. viaForensics
5. OS X Forensics Blog
6. Mobile Forensics Inc
7. Katana Forensics Blog
8. E-Evidence - contains a large repository of links, papers etc
9. Yahoo Cell Phone Forensic Groups - need yahoo account
10. SANS Forensic Blog
11. Small Scale Digital Device Forensics Journal
The above list is certainly not exhaustive. I encourage any of the readers to examine these links to find more.

Training Classes
1. Teel Technologies
2. viaForensics
3. MFI - Mobile Forensics Inc
4. SANS Mobile Device Forensics 563
5. Cellebrite
6. XRY Microsystemation
7. Katana Forensics - specific to iOS Forensics
8. BK Forensics
9. Canadian Police College - Cell Phone Seizure and Analysis Course
10. Search.org - has basic 101 type classes on cell phone seizure and analysis

Again, the list above is not exhaustive - it contains both vendor specific and vendor neutral training. Gear your training to what you are encountering in the lab, if at all possible.  Much of the basic level knowledge can also be acquired by reading the many white-papers and resources that are available through the links.

As one of my esteemed and learned colleagues always says: "No man is an island".  This means that having a wealth of forums and groups that you can participate in will help you as well, especially if you’re stuck.  You can’t know it all or be expected to know it all.  However, what I would expect analysts to know is the basic tenets/foundational principles for digital forensics, which can be learned from the online resources. One last thing: there have been updates to both Cellebrite and XRY products regarding BlackBerry IPD file parsing. Cellebrite 2.0 can parse more of the IPD file than its 1.x predecessor. XRY 5.4 will now parse an imported IPD file under the BlackBerry/RIM profile.  Although it's a little unclear on how to do this unless you read the release notes.

AFoD:  As you look out over the next five years or so, what do you think mobile device forensics is going to look like given all of the innovation that we've seen not only from companies like Apple, Motorola, and the rest but from the companies that provide tools and training for mobile device forensics?

SP: Given the inevitable convergence of mobile platforms with the traditional operating systems, like iOS for example, the distinction between traditional computer forensics and mobile device forensics will not be so cut and dried.  In both types of digital forensics there is the common theme or element of live forensics.

Further, the use of solid state drives (that contain NAND memory components) on desktop and laptop hardware is already present in mobile platforms and their tablet cousins. This means that smart mobile and tablet devices will exceed the 64GB storage capacity in no time.  Examination of such devices will take almost as long as traditional data storage devices.  So don’t expect it to be quick and easy like it was several years ago, pre-2007, where you could do at least 2-3 phones a day through logical level analysis.

I think that flasher box and chip level analysis is going to become not only more affordable but also another widely used option for data extraction from almost any device that uses NAND chips.  This will allow for recovery of deleted artifacts, but on the other hand this analytical method will require more training and will be considered an advanced method for analysis.  We might also find the Cellebrites and XRYs add parsing capability for these binary dumps into their toolkits.

Consider that Teel Technologies is already doing flasher box and chip level extraction research and development in order to provide quality training, knowing that digital forensic techniques for mobile devices are going to this level.

Now some readers might be thinking, why is going to such a low level for data extraction required?  The logical (or allocated) data might sometimes not be enough.  That was so in one important case that I worked on, where the binary level reads done by Cellebrite Physical were critical.  With Ron Serber's (Co-CEO of Cellebrite) assistance, I was able to decode and recover deleted pictures, text messages, contacts and call history from the NAND memory chip of a Samsung device.

Another thing for the reader to note is the integration of mobile device artifact extraction and analysis within the traditional digital forensic tools.  Examples are EnCase and AccessData's FTK 3.x product.  They have already been doing this for the last several years, but are adding more capacity.  The MPE+ product from AccessData (developed in conjunction with MFI) is, I feel, another toolkit for the analyst that might be worth possessing.

With mobile device platforms specifically becoming like the operating systems that we are familiar with, we can leverage tools like CacheBack (SiQuest Corporation) for analysis of Internet history, web pages, and Facebook Chat recovery.

And lastly we have already seen platform specific analytical tools like Lantern (Katana Forensics) developed specifically for iOS devices.  I don’t doubt that you will likely see one for the Android and BlackBerry devices as well. 

The only challenge will be this:  How much budget money does one have to be able to have a wide array of tools?  It is an accepted fact that the more tools you have at your disposal the more likely you are to be able to successfully analyze a device or a fixed system.  Software and hardware tools that allow us to do our jobs can be expensive, just like the training required in this area.

AFoD: What can we expect to see from you in the next year or so?

SP: I hope to have the 2009 research published and ready for MFW 2011.  If all goes well, look for the book in Myrtle Beach for its opening debut. After that the book will only be available as a hard copy from the publishing arm of SiQuest Corporation. Or alternately, if you take a Teel Technologies BlackBerry Forensics Class, it will be provided as part of the class content in the future.

Expect more R&D being done on smart phone devices in general.  This includes chip read methods and analysis.  I am assisting where needed on this project, which is being led by my learned, esteemed colleague and very good friend Detective Bob Elder from Victoria Police Department (Victoria, BC).  Both Bob and I have our own private sector companies that do R&D as well as training.  We are lucky that our respective agencies have allowed us the privilege of doing this.  It benefits our LE agencies as well as us, especially when it comes to expertise and qualifications.

The intent behind this method is to address any data storage device that uses NAND storage flash memory.  If we can remove the chip, read it and apply the correct flash translation layer algorithms then we can recover the data.

There are a number of mobile forensics training courses that are being offered by Teel Technologies, from the basic 101 type classes to the advanced classes for the BlackBerry, iPhone and Android platforms.  For those readers that are interested, check out www.teeltech.com.  Teel has a Mobile Forensics Central database repository where examiners can query mobile devices to see which tools work with which devices.

Teel also has a specially designed Advanced BlackBerry Forensics training course that was first given to the members of the US FDA back in January 2011.  I designed this course based on the work that I have done in this area over the last 6 years.  The course content consists of 10 chapters/modules, with over 500 pages of material, which includes concepts on OS 5 and OS 6 and BlackBerry Messenger data extraction and parsing.

Also keep an eye out for CacheBack (developed by John Bradley of SiQuest Corporation).  This is an excellent Internet history, web page reconstruction and Facebook Chat recovery tool.  I have observed this tool mature from its 2.x version to a much more stable and faster 3.5.x release where it now supports parsing of Safari, Firefox and Google Chrome artifacts from a Mac OS X system.  It simply amazes me how quickly John is able to release updates to his product and respond to any bugs or issues with CacheBack.  I know that when I have identified something, he usually has an update release within 48 hours.  I see that as dedication and commitment to one's clients.

The BlackBerry research will continue onward in conjunction with my very close friend and research colleague, Sheran Gunasekera.  He has a very informative blog which contains scattered thoughts on security, and also includes forensics.

Overall, I'm very excited about all the research and tools coming out this year.  The BlackBerry is no longer the black box system that it used to be.  My hope is that other examiners are able to benefit from my research and tackle forensic examinations of the device with a little more ease.