Brad Garnett

Welcome to my Digital Forensics and Incident Response (DFIR) oasis!

Digital Forensics, Incident Response, Threat Intelligence, and Information Security

Full CyberFetch Interview

In 2015 I was interviewed by DHS S&T’s CyberFetch Program. CyberFETCH is a program of the Department of Homeland Security (DHS) Science & Technology (S&T) Directorate. Below is the full interview that was posted to https://www.cyberfetch.org in September 2015.

I. What are the main differences in conducting digital forensics for the private sector vs. the public sector? Do they differ in any fundamental (or subtle) ways?

There are subtle differences between public sector and private sector digital forensics. While the goals and scope are different in each sector, the fundamental way in which the examiner performs forensic analysis should not change. Most private sector forensic examiners work for a company performing in-house forensic examinations or a consulting firm where the forensic examiner is performing forensics on a per project or client engagement basis. However, there are instances where private sector forensic examiners are in a consulting role for public sector agencies. As a Digital Forensic Examiner with KCPAG in my post-law enforcement career, I have had the privilege to consult with the public sector. In my opinion, a big difference between the two is speed. Private sector digital forensics moves at an extremely rapid pace with clients demanding answers immediately. The public sector (law enforcement), by contrast, only moves as fast as the scales of justice will allow it, due to the many moving parts of our criminal justice system. Law enforcement forensic examiners have case backlogs and are constantly doing more with fewer resources. A law enforcement forensic examiner will triage many devices, especially those examiners that perform mobile device forensic examinations. The ability to quickly triage devices and get data back to the investigator is how agencies tackle caseloads and the large datasets. In the private sector, the forensic examiner is performing forensic work in-house, or in a consulting role being directly accountable to the client that is paying for forensic services. While stakes are high in both sectors, the private sector is fast and demands immediate results.

II. With the multitude of different training courses and certifications that are out there, what is some advice you could give to someone who is thinking of making a career in digital forensics?

This is an excellent question! A blend of education, training, and certifications is important. Having a college degree is not required, but choosing the right college with a reputable computer science and/or digital forensics program is important. The NSA lists institutions recognized as Centers of Academic Excellence[1]. First, I think it is important for someone to know what career path he/she would choose. For example, if someone chooses the sworn local law enforcement career path, he/she is going to have to meet the basic requirements to become a police officer. Most law enforcement agencies in the U.S. that use sworn forensic examiners pull examiners from different areas within the law enforcement agency. Most examiners began their career as street cops and worked their way into their role as a digital forensic examiner, which is the career path that found me initially. The path to landing your first digital forensics job is different for everyone. There are a plethora of training courses and certifications available. If you are in local law enforcement and you are looking into either beginning a digital forensics unit, or do not have a budget, the National White Collar Crime Center (NW3C) offers free training to local law enforcement[2]. The SANS Institute also offers a 50% discount on its digital forensics curriculum to local law enforcement. During my career, I have attended several SANS forensics courses and the training is top-notch and world class, taught by instructors that are digital forensics practitioners in the field. Also, check your U.S. Secret Service Field Office for state-of-the-art digital forensic training opportunities through the National Computer Forensics Institute. There are also free courses available online that will allow anyone to grow a particular skillset. For example, Cybrary.IT has a growing course catalog and cyber security catalog[3].
As it relates to certifications, I would recommend a vendor-neutral certification for a foundational digital forensic certification, such as the CFCE, CCE, or GCFE. All three (3) are open to both public and private sector professionals. While certifications for the most part are not required, a respected forensic certification will show a prospective employer or boss that you have a demonstrable knowledge and skillset for performing digital forensic examinations.

If you are brand new to the digital forensics field, start with a virtualization platform and create several virtual machines. Use these virtual machines for malware static analysis, install/uninstall applications, and then run any of the Microsoft Sysinternals Suite of tools to see exactly what changes are occurring and the forensic artifacts present on the system when “X” occurs. Download the free SANS SIFT Workstation VM as a forensics platform for testing and begin your analysis. If you are looking for forensic images for testing in your lab environment, check out Digital Corpora at http://digitalcorpora.org and the NIST CFReDS project at http://www.cfreds.nist.gov. While some of the forensic images are dated, they are still applicable for testing and validating tools.
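The “what changes when X occurs” exercise above, written out as an added example that is not part of the interview: a small Python script that records a baseline of a directory tree, simulates an install inside a lab directory, and reports which artifacts were created, modified or deleted. Every path and file content in `demo()` is constructed; Sysinternals would give you the live view, this gives you the before/after comparison.

```python
# Added example: baseline/after comparison of a directory tree, the same idea as
# watching Sysinternals output while "X occurs" in a lab VM. Paths and file
# contents in demo() are constructed.
import hashlib
import os
import tempfile

def hash_file(path: str) -> str:
    # chunked read so large files do not have to fit in memory
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict[str, tuple[str, int]]:
    # relative path -> (sha256, size) for every regular file; symlinks skipped
    result: dict[str, tuple[str, int]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (hash_file(full), os.path.getsize(full))
    return result

def diff_snapshots(before: dict, after: dict) -> dict[str, list[str]]:
    # classify each path as created, deleted or modified between two snapshots
    return {
        "created": sorted(p for p in after if p not in before),
        "deleted": sorted(p for p in before if p not in after),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }

def demo() -> dict[str, list[str]]:
    # constructed scenario: take a baseline, simulate an install, diff the result
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "config"))
        with open(os.path.join(root, "config", "app.ini"), "w") as f:
            f.write("[app]\nversion=1\n")
        with open(os.path.join(root, "old.log"), "w") as f:
            f.write("stale\n")
        before = snapshot(root)
        # "X occurs": the install drops a binary, edits the config, removes a log
        with open(os.path.join(root, "tool.bin"), "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 60)
        with open(os.path.join(root, "config", "app.ini"), "a") as f:
            f.write("installed=true\n")
        os.remove(os.path.join(root, "old.log"))
        return diff_snapshots(before, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Point `snapshot()` at a real VM directory such as a user profile before and after installing an application, and the diff lists the artifacts to go look at with the Sysinternals tools.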

III. What were some of the hardest digital mediums to conduct digital forensics on? Which medium do you see as being the biggest challenge to examination in the future?

I am going to say it is getting harder, based on the number of data-storing capable devices, cloud data, and encryption. Many of the obstacles that I come across are not necessarily being able to acquire or analyze the data; it is the end user or client understanding their network and environment. Usually after posing several questions to the client, they are able to identify devices of interest and request forensic analysis on the most critical devices. We now live in a technological age where there is a push for the Internet of Things[4]. As businesses and users begin pushing more to the cloud, the techniques and processes forensic examiners utilize to collect this data will change. As the need for collection and analysis of cloud-based data grows, the legal and forensic technology communities will need to continue to adapt. Finally, the rapid changes that are occurring in the mobile phone industry make mobile device forensic examinations harder and harder. Encryption is becoming more of a standard on mobile devices. In the next few years there will be a fundamental shift in performing mobile device forensics. During my law enforcement career, I only came across encryption twice, and today encryption is very common.

IV. What is a Lethal Forensicator coin? What did it take to receive it?

The story of the challenge coin goes back decades and was introduced by our military to improve morale.[5] I received my first challenge coin during my time at the Indiana Law Enforcement Academy. Most graduating classes now design a challenge coin that they can identify with during their time at the academy. Integrity, camaraderie, and professionalism are three words that come to mind to describe my academy RMO (Round Metal Object), or challenge coin holders. The Lethal Forensicator coin is a challenge coin sponsored and recognized by the SANS Institute for individuals in the field of digital forensics for leadership, talent, and expertise.[6]

You can earn the SANS Institute Lethal Forensicator Coin in several ways. I have earned two (2) Lethal Forensicator coins through the years for my contributions to the SANS Digital Forensics blog and for winning a SANS DFIR Course Challenge.

V. How did your law enforcement background influence your digital forensics career in the private sector? Would you recommend a law enforcement background/education for someone entering the digital forensics field?

I think my law enforcement background was not only influential, but also instrumental in my public and private sector digital forensics career. Like many digital forensic practitioners, the career found me during my law enforcement days. My agency had a need to have someone trained in the area of computer crimes and computer forensics. As I began handling all computer and electronic crimes, I developed a passion for forensics and putting the suspect behind the keyboard.

I would recommend a law enforcement background for someone entering the digital forensics field. My educational background spans both law enforcement and information technology, which has been a perfect blend for me in my chosen career path. Some of the best digital forensic professionals that I know today have a law enforcement, intelligence, or military background. In my opinion, public service is an extremely important trait I would look for in a digital forensic professional. A solid educational/vocational background is important, but core investigative skills you acquire through experience. Either you have it or you don’t. Earlier, I mentioned how digital forensics found me. As I was beginning my digital forensics career in law enforcement and developing a computer crimes investigative unit for my agency, I was pulling double duty. As the saying goes, “there isn’t anything routine about law enforcement”. Of all the high-speed pursuits I was in during my career, one stands out to this day, and I would later find out it would play a pivotal role in obtaining the computer forensic equipment my agency needed to begin computer forensic exams for computer crimes cases.

Now some background on the above video. This pursuit was before Facebook and Twitter, so I had no idea that CourtTV (now TruTV) would be calling my agency about that high-speed police pursuit. The television network contacted the Sheriff’s Office on a Friday afternoon and were sending a crew on the following Monday for the interview. So what was the problem? I was leaving Sunday for a Monday morning forensic training class. So what was the solution? The television network agreed to conduct the interview that next day (a Saturday afternoon) and made a gracious donation to the new computer crimes unit, which helped with the procurement of the hardware and software needed to perform computer forensic examinations, which was a win…win! That is the untold story behind that pursuit, and the video had over 200,000 views several years ago.

VI. I have heard the terms digital forensics and e-discovery used often, sometimes interchangeably. Is there a difference between the two?

There is a fundamental difference between digital forensics and e-discovery. However, there is an overlap in some of the processes. From identification to production, electronic discovery (e-discovery) is the process of exchanging electronically stored information (ESI) between opposing parties, or legal counsel during the litigation process. There are similarities to forensics during the preservation, collection, and processing phases of e-discovery. E-discovery is very heavy on data deduplication and production of data.

VII. What is the most frequent cyber problem people approach you and/or your company with? Insider investigation, breach recovery, deleted data, something else?

The primary area of my digital forensic practice is in the area of litigation support. I work either directly or indirectly (i.e. via legal counsel) with small to medium-size businesses. The type of “cyber” issue varies by case or engagement. I like to approach each case by asking clients what question they are wanting answered through forensic technology. Oftentimes the stakes are high and my clients are looking for quick answers. In the private sector and civil litigation arena, decisions made involve what is best for the business, or resolving the dispute. The data may exist, but it may not be cost-effective, or fruitful for the case. Cost and/or pending litigation are the driving factors to decide the route a case will take as decided by the stakeholders in the forensic engagement. Mostly, I work reactive cases; however, over the course of this past year, I have begun to see a trend where clients are requesting forensic services before an incident, or litigation, occurs. This is good to see and helps clients keep costs down. It may also be an indicator that the career outlook for the digital forensics profession looks bright and is viewed as a required service, or function, for doing business in the world of “cyber”. With the digital forensics profession receiving media spotlight, businesses are beginning to adapt (“I just terminated John Doe’s employment and I believe I should have forensic analysis conducted on his phone for intellectual property theft.”). The case types that I work vary, but intellectual property (IP) theft, sexual harassment, internal investigations, and deleted data are very common cases I see within my forensic services consulting practice. Deleted data and metadata cases are very common.

VIII. I bet you’ve got some good stories throughout your years in digital forensics and law enforcement. What’s the craziest/funniest thing you’ve seen?

During my law enforcement career, there are many crazy and inhumane things that I witnessed or investigated. Earlier, I mentioned one of the high-speed pursuits that ended up fruitful for my agency’s computer crimes unit. Nothing is routine in law enforcement, or the winding road an investigation takes. As far as funny stories, I could be here most of the day sharing, but I will share a snippet of one story. In one high-profile case, we were serving a residential search warrant searching for computers, mobile devices, and removable media for video recordings. Officers had secured the scene and were conducting an interview of the suspect. I spoke to the detective as I began the triage process and on-site forensic preview process. I was in the dining room area setting up my mobile forensic workstation when I heard another detective in the kitchen area talking to the suspect. As I entered the kitchen, the suspect had his hands over his head and, as the detective was patting the suspect down, a Western Digital external USB drive fell out of the suspect’s pant leg onto the kitchen floor. You could have heard a pen hit the floor, as quiet as it was in the kitchen. The look on the suspect’s face was priceless! I casually stated, “Well, we now have our first device for forensic preview.” Approximately fifteen minutes later, I identified the video recording on the device and corroborated an informant’s information that was included in the affidavit of probable cause. Criminal minds will go to great depths to conceal information from law enforcement. During search warrants, we would include searching interior walls for electronic devices, but you cannot forget the obvious…the suspect.

IX. Having a law enforcement background, what is your perspective on the current encryption debate in the industry? (consumer privacy vs. government backdoor/keys)

This is a very hot topic now at all levels of industry and politics. From a law enforcement perspective, you are normally on the reactive end of the spectrum when it comes to responding to crimes. When you look at encryption, this is a fundamental problem that may hinder a law enforcement investigation. For the sake of debate, U.S. consumer privacy is fundamental; however, an enemy combatant in a U.S.-led terrorism investigation is different from domestic law enforcement. In its simplest, fundamental form the U.S. Constitution is what makes the United States of America great! Our founding fathers’ intentions were clear:

We the people of the United States, in order to form a more perfect union, establish justice, insure domestic tranquility, provide for common defense, promote general welfare, and secure the blessings of liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.[7]

The phrase “establish justice, insure domestic tranquility” can easily be applied to today’s cyber challenges: bring criminals to justice through good old-fashioned police work, while protecting U.S. citizens’ privacy rights under the Fourth Amendment.

The underlying geo-political issue is consumer privacy in a global marketplace. How do we ensure consumer privacy, yet provide law enforcement with every tool possible to investigate national security and terrorism cases? If you are selective, then is it really privacy anymore? For U.S. domestic law enforcement investigating U.S. citizens for crimes under our penal code system, good old-fashioned police work is what solves cases. Since the beginning of time, law enforcement has been excellent about sharing tools and techniques within the law enforcement community. This effort helps officers solve crimes, while keeping certain aspects of their processes or intelligence “law enforcement sensitive” and out of the public domain. Our current law enforcement generation is becoming more and more tech savvy. I have no doubt that this will spur innovation to help combat today’s technology challenges for investigating computer crimes. Law enforcement administrators must support their high tech crimes and forensic units to cultivate innovation, which traditionally has been lacking in the law enforcement community.

[1] National Security Agency. Retrieved 20 September 2015 from http://www.nsa.gov/ia/academic_outreach/nat_cae/institutions.shtml

[2] National White Collar Crime Center. Retrieved 20 September 2015 from http://nw3c.org/training/computer-crime

[3] Cybrary.IT. Retrieved 20 September 2015 from https://www.cybrary.it/cyber-security/

[4] Wikipedia: Internet of Things. Retrieved 20 September 2015 from https://en.wikipedia.org/wiki/Internet_of_Things

[5] Wikipedia: Challenge coin. Retrieved 20 September 2015 from https://en.wikipedia.org/wiki/Challenge_coin

[6] SANS Lethal Forensicator Coin. Retrieved 16 September 2015 from https://digital-forensics.sans.org/community/lethal-forensicator#challenge

[7] Cornell University Law School (2015). U.S. Constitution Preamble. Retrieved 20 September 2015 from https://www.law.cornell.edu/constitution/preamble