Jessica’s Professional Biography
Jessica Hyde has experience performing computer and
mobile device forensics in both the commercial and government sectors. Jessica
holds an MS in Computer Forensics from George Mason University. She is
currently the Director of Forensics for Magnet Forensics (USA) and an Adjunct
Professor at George Mason University where she teaches Mobile Device Forensics.
Prior to her current role, she was a Senior Mobile Exploitation Analyst and
team lead for Basis Technology, was part of the Cyber Crime Investigations team
at EY, and worked as a Senior Electrical Engineer for American Systems where
she specialized in the analysis of damaged mobile devices. She is currently
working on a book on Digital Forensics for the Internet of Things anticipated
for release in early 2019. Jessica is also a veteran of the United States
Marine Corps.
1. Okay, Devil Dog, what led you to join the United States Marine Corps and
what did you do while you were there?
I joined the Marine Corps in October 2001 in response to
the attacks on September 11th. In that moment, I knew I had to do
something that had more substance, more meaning, and to give back. It was a
deeply personal decision, and very directly tied to the grief I was
experiencing at the time, but honestly the best decision I ever made. The
Marine Corps ultimately set me up for the path that my life has taken.
As part of the enlistment process, one takes a test
called the Armed Services Vocational Aptitude Battery (ASVAB). The results of
that test, combined with my timing and the positions available, meant I was
assigned to go to Avionics school.
Working in Avionics on the AV8B Harrier II VSTOL
aircraft, my day-to-day function was to troubleshoot aircraft and make
repairs, but it was the hardware and electrical engineering skills I learned
and used every day that became the foundation of the hardware analysis portions
of the forensic examinations I do today.
This is where I learned to solder, use a multimeter, read
schematics, extract data, work with binary and hexadecimal, read data sheets,
use oscilloscopes and wave function generators, etc. All of these are tools and
methods I would use later to extract data from everything from mobile phones to
drones to telematics units to smart speakers.
Joining the USMC changed my life. At the time, I was a
high school dropout working in retail management. I had coded as a kid, writing
programs at the age of 6 on a Commodore 64 and taking programming courses all
the way through high school, but when I dropped out, I abandoned those aspects.
That aptitude test and a bit of timing brought me back to
something I forgot I had missed. The Corps reintroduced me to things I loved in
technology and helped build my confidence in doing technical work and solving
problems. Returning to technology gave me fulfillment. Doing technical work in
a mission-oriented environment for a greater cause was what brought me true
satisfaction.
The best part of my daily work in the Marines was that I
had the opportunity to solve problems with both my brain and my hands. A jet
would come in with a gripe, and I would first verify the issue by duplicating
the issue. Once I had recreated the discrepancy, I would then research via
schematics, data sheets, etc. and come up with a test plan.
Next, I would conduct tests, and based on the results I
would implement a fix (i.e. repair a wire, change a board). Once the repair was
complete, another avionics person would inspect the fix. Then we would test the
system to verify it was fixed.
A quality assurance rep would validate both the repair
and the functional tests. And then, you guessed it, I would have to write it
up. We logged all our steps in record books, tracked our work in a maintenance
management program, and tracked tools in a process called ATAF (all tools
accounted for). Then I would see that same bird that was “hard down” for a
gripe fly through the air. That was an amazing feeling.
Working in a Marine Corps avionics shop is not identical
to working in a forensics lab, but from a process perspective and an
engineering perspective, similarities are uncanny - Discover, Test, Find,
Parse, Validate/Verify, Report, all while maintaining a chain of custody and
using some sort of case management system. From a hardware perspective, it’s a
lot of the same tools and processes for reading data. Of course, there are also
Standard Operating Procedures.
I credit the Marine Corps with helping to make me the
person I am today. I learned a technical skill and ran with it, pursuing a
formal education in Engineering while on active duty, so I could make the
transition from HS dropout to eventual adjunct professor in a graduate school
program. It was a lot of work along the way. But every moment was worth it.
2. Why did you eventually leave the Marine Corps and what
did you do next?
Leaving the Marine Corps was the furthest thing from my
mind. The Corps treated me well -- I had met and married my husband there and
had my first child. I loved the work and was a good Marine, earning three
meritorious promotions and several awards. I honestly thought I could be the
first female Sergeant Major of the Marine Corps. I was motivated and dedicated
to the Corps.
When a technical school I was attending as a reenlistment
incentive was cut while I was mid-program, I fought to stay in that school and
brought up that my contract was being breached. I thought being the stellar
Marine I was, that they would let me finish school.
Lesson learned - don’t play hardball with the Marine
Corps. I assumed they would look at my stack of commendations and decide to
fulfill the incentive and let me complete the school. That didn’t happen. They
agreed that they had breached my reenlistment contract and gave me the choice to
separate from active duty or return to the squadron. Finishing the technical
school was not an option I was given. It was a difficult decision to leave
something I thought would be a career.
I decided to take the opportunity to separate honorably
and finish my undergraduate degree. I had taken classes while on active duty
and it made sense. So, I left the Corps and went to school full time. I had my
second son at this time as well. I was able to transition from the Montgomery
GI Bill to the Post-9/11 GI Bill, which provided better benefits and allowed me
to finish my degree quickly without taking on debt. I had enough months of
education left over to later complete my MS in Computer Forensics.
All in all, I attended five different colleges to
complete my undergraduate degree, thanks to pursuing it while both on active
duty and as a veteran. It took 8 years from start to finish. In the end, I
earned a BS in Electronic Engineering Technology and graduated Summa Cum Laude.
Despite the challenges of going to school full time while
having two small children, I think a later start worked out best for me. Had I
taken a more traditional route, I might not have chosen technical courses as I
discovered my interest and aptitude from the work I did in the Corps. I credit
my good grades to being serious and dedicated to my studies. I might not have
been as studious in my late teens.
I secured a position as an Electrical Engineer as a
government contractor, American Systems, just as I finished school. My Marine
Corps experience translated well when combined with the parchment. This
engineering position was unique, as it was in a reverse engineering lab and the
start of my digital forensics career.
My position started with reverse engineering circuits of
unknown origin, developing schematics and describing function, as well as
reverse-engineering microcontroller code. I was overwhelmed at first. Everyone
in the lab was so knowledgeable. As I did well with the reverse engineering, I
very quickly was moved to the electronic data recovery team.
This was my first exposure to digital forensics. Most of
my work involved extracting and analyzing data from damaged devices. It could
entail anything that stored data -- from mobile phones, to hard drives, to
telematics units, to any circuit board with embedded storage. I never knew what
the cases would entail, which made it exciting. Typically, I used chip-off and
JTAG methodologies to access the data.
The work was fantastic because it was my job to get into
devices that weren’t supported, pull off the data, and then analyze and report
on it. The challenge was intense, as often I worked on things that had never
been done before.
Fortunately, I worked with some brilliant engineers and
specialists. I was able to learn so much from the team and be challenged at the
same time. Since all the devices were damaged, I learned to utilize a lot of
state-of-the-art equipment, everything from Computed Tomography to Scanning
Electron Microscopes to Plasma and Laser Ablation.
Once the data was recovered, it was analysis time. Sometimes
I dealt with conventional hard drives and mobile phones and used traditional
forensics tools and methods post-data recovery.
However, I also often dealt with unsupported embedded
devices, and my next step was to figure out the data structures and file systems.
Then I could begin to analyze the data. Often the data structures were
proprietary and undefined. I spent much of my time in data sheets and hex
editors. The reporting included the extraction methodologies, device
characteristics, and analysis of the recovered data.
I became so interested in the forensic analysis portion
of the work that I decided to start working on my MS in Computer Forensics at
George Mason University. Despite doing what some would consider deep dive work,
I lacked fundamentals in computer forensics. I had gaps I needed to fill in my
skillset. Taking classes at GMU was a great way to strengthen my skills in the
areas where I was weak, as the instructors were practitioners and provided a
wealth of knowledge and experience.
It was difficult going to school while working in a high-pressure
forensics lab. I would receive high-priority projects, so I had to work through
the night to find answers. Sometimes I missed classes. I remember running out
of the lab for class during a high-priority case, and then rushing back to the
lab to continue through the night. I couldn’t procrastinate on my school
assignments, I had to start right away because I never knew if evidence with a
quick turnaround time would hit my desk at work.
Even more important than what I learned in the
classroom were the relationships I built with the other students. Most were
digital forensics practitioners as well. We were able to work together not only
through our studies, but also to develop a network of other examiners to talk
through technical challenges with.
These relationships became crucial to solve complex
problems. We bounced ideas off each other. We learned each other’s specialties
and strengths. When we ran into challenges at work, we were one another’s
resources. I still keep in touch with several of the other examiners from my
classes. A couple of us are now instructors at GMU as well. It’s a great way to
give back to the forensic community.
I continued the work on my MS while working for American
Systems. I honestly don’t know if it was harder going to school while working
as an examiner or being a full-time student with young kids. Each was
challenging in its own regard. Eventually I left to round out my skill set
with more traditional computer forensic analysis at EY.
3. So now you are over at Ernst and Young. How did
things progress from there to the point where you ended up at Magnet in your
present position?
EY was a great organization to work for; however, I
travelled a lot and my kids were young. I tend to over-immerse myself in work,
so it wasn’t the right fit for my family. I also didn’t get to go as deep into exploration
or break into damaged devices.
I recall running IEF on nearly every case, and I began to
resent it – IEF found evidence so efficiently that my preliminary reports,
which included IEF results among other things, were all that was necessary, and
I would move on to the next case. I really wanted to spend more time digging!
Eventually, I moved on in my career and went to work in a
lab where I got to dig as deep as I could go! I had the opportunity to join
Heather Mahalik’s team at Basis Technology. It was incredible, my job was to
get into devices that the commercial tools couldn’t support.
Heather and Brian Carrier, unbeknownst to me, had hired
me to take over Heather’s role, as she was moving into another role. I was disappointed
not to work with her day in and day out, but it was an amazing opportunity with
a fantastic team doing challenging technical work. I was fortunate to get to
work with some of the smartest people to create innovative ways to get data from
devices.
Once the data was recovered from the device, I would run
the image through all the tools at my disposal and search for the data the
tools missed. I loved it! I got to deep dive on nearly every case I worked,
hunting for new artifacts. It was the perfect fit for me. I worked exclusively
on mobile and other embedded devices at the time and was incredibly happy.
As luck would have it, my relationship with Magnet
products grew. I used the Dynamic App Finder (DAF) feature in IEF because it
would save me time finding new databases of interest. It wasn’t the only way I
found them, I looked manually as well, but man, I enjoyed what DAF did for me. I
became a bigger fan of Magnet, as the tool helped me find areas to dig deeper
more quickly! Of course, I had a lot of tools in my tool box, and I used them
all. You need to in this field.
The next thing I knew, members of my team were on the
Magnet ACQUIRE beta. As a team that specialized in pulling data from
unsupported mobile devices, I was excited by the unique device agnostic
approach that Magnet had taken.
We were beta testing, and I enjoyed the robust logging. And
then a case came in with a device that wasn’t supported by the commercial tools
in my lab. We tried them all. It was an important case, and I knew, based on
the methods and robust logging that Magnet ACQUIRE showed, that it could likely
create an image of the device.
I could have manually rooted the device and obtained the
data via a shell, but the end customer preferred we not use that method. I got
an exemplar and tested ACQUIRE and it did exactly what we needed. The tool
acquired the data off the exemplar, with a detailed log that stated what had
happened to the device.
With that successful acquisition, I requested and
received approval to use the method on the evidence. Even with the tool being
in beta, the robust logging, combined with the process proof the exemplar
delivered, resulted in us being able to use Magnet ACQUIRE on the case! I was an
instant fan.
A short time thereafter, I was at a forensics conference
and made sure to let the people from Magnet know in person how fantastic I
thought ACQUIRE was and how I liked the approach. Of course, I had seen Jad
Saliba speak at conferences and was amazed by his story, his passion, and his
drive to help the forensic community. I was also too star-struck to ever
approach him.
I clearly remember speaking with the VP of Product, Geoff
MacGillivray. He was incredibly appreciative of the feedback and took the time
to listen to my thoughts on the tool. I was super impressed and had no idea I
would be working with him closely in the future.
Fast forward a bit to the AXIOM. The team I was on was
lucky enough, once again, to be part of the beta. I participated in exchanges
with the UX designer, Diana Wiffen. She was so open and engaging. I was
genuinely touched by the fact that Magnet Forensics cared about what this one
examiner thought.
Magnet came down to meet with our team during the beta. We
were super fortunate that Jad and Adam came down along with Geoff and a few
others to hear our thoughts on AXIOM and to share what they were working on for
the future.
At the end of the meeting I had three disparate questions
that needed answers from people in completely different areas of the company. They
took my questions back and within 24 hours I had responses to all three
questions from three different people at Magnet.
I was blown away. The level of response, support, and
interest was unmatched by anything I had seen from any other forensic
organization. I could tell that the same passion to help the forensic community
that I had seen in Jad was in every “Magneteer” with whom I interacted.
When my lab relocated, the time came for me to look for a
new role. I reached out and applied for a position at Magnet. I couldn’t have
imagined a greater group of people to work with. After I spoke with multiple
members of the organization, Magnet created a role for me where I could work
with the product and development teams on a regular basis.
Since coming on board, I’ve been continually inspired by Magnet’s
core values and desire to do the right thing for the examiner above all else. At
its core, Magnet wants to help examiners work their cases more efficiently and
provide tools to help investigators and examiners find truth. It is wonderful
to be part of an organization with high integrity.
What really makes this place special is the people. There
is nothing like the people behind Magnet. I am fortunate to have a job that I
love with such an amazing team, and to get to work on great projects that
benefit the digital forensic community. In my previous roles, I worked one case
at a time; now my work can help multiple examiners on their cases
simultaneously.
4. What are your job responsibilities with Magnet and
what is a typical day like for you?
Good question. I have an interesting role. I sit on the
Product Team, but report to the North America VP of Sales. Sound confusing yet?
My duties in writing spell out work in 4 areas – Research and Development,
Product, Marketing, and Sales.
Overall, I’m responsible for helping to bring the
forensic examiner viewpoint to different areas. I spend most of my time working
with the developers and the Product team.
However, I also spend a fair amount of time in support of
Marketing (webinars, conference speaking, blogs). I also provide some support
to sales by attending customer meetings where I can provide specific value –
maybe because I have worked through a similar issue or environment as the
customer.
In my Product team support, I assist in a lot of
different ways. The Product team is responsible for the roadmap, the list of
things we plan to work on in the future. I often provide feedback from an
examiner perspective, as well as more importantly, feedback that I hear from
customers.
To help the rest of the product team develop the roadmap,
I also work closely with the product owners, who are responsible for prioritizing
the different development teams’ work. Often, my work here again is to explore new
features.
I also occasionally review things from the Documents team,
such as release notes and descriptions for the Artifact Reference Guide, for
technical accuracy. Sometimes I look at
UX designs for features our UX team has created. Other times I may assist Support
with a specific question they have received from a user.
The other team that needs a forensic examiner’s
perspective is Research and Development. At Magnet we have a variety of
different teams that work on different areas: artifact research in development,
data analytics/machine learning, cloud acquisition and analysis, mobile
acquisition, etc. I work with the different teams as needed, depending on where
I can provide value to features or research, but this is the core of much of my
work daily.
Right now, for example, I’ve been spending a lot of time
with the artifacts teams, introducing additional artifacts. One of the things I
assist with is defining the relationships of each of a new artifact’s
individual attributes to others, for our Connections feature. Sometimes I
provide feedback on artifact prototypes, or participate in discussions of
different ways we can present the information.
Another area where I’ve spent a lot of time this past
year is with our data analytics team as they explored different machine
learning models and representations as part of our Magnet.AI module.
My role with Marketing is what most people may be more
familiar with, even though it is a smaller part of my time than I spend with
R&D and Product. This work includes the development and delivery of
presentations at conferences, blog posts, and webinars.
However, whatever material I present on during
“conference season” usually pertains to the work I’ve been involved with
throughout the year. Occasionally I’ll also do a Lunch and Lab session or a
Roadshow. Roadshows typically involve technical presentations at three cities
in a week, whereas Lunch and Labs are hands on sessions with AXIOM.
This is the work most people see me doing. Likewise,
people may know me from a meeting with Sales, although this is a very small
part of my role. We have a team of solutions consultants, many of whom spent
years working as examiners, who provide technical expertise in the sales cycle.
I tend to only join those meetings where I have some specific experience of
value to assist a customer.
What I like most about my role is that I’m given some
additional latitude outside of my responsibility to these four groups. Magnet
has been supportive of my personal research interests, including the external
work I do, such as writing a book on IoT forensics and teaching at George Mason
University.
For another example, last year I worked on Alexa
forensics with Brian Moran of BriMor Labs. My current research work is a
Chrome Forensics project with Jad Saliba, our CTO and founder – how amazing is
it that I get to work with Jad!
In addition to personal research, I regularly answer
questions from customers who reach out with challenges they may encounter. At
times this means I write a custom artifact to share with the customer and post
on the Magnet Artifact Exchange.
This is one of the parts of my role that I treasure, as I
feel it both helps keep me aware of relevant challenges in the field and allows
me to participate in a small way in the missions involved in the work we do as
forensic examiners. I often miss doing active investigations, so helping other
examiners with some small aspect of an examination helps fill that desire.
I’m far from the only person at Magnet who responds to
questions and challenges from customers. In addition to our Support Team there’s
a band of close to 20 of us at Magnet who have worked as examiners. We’re in a
variety of roles, from our CTO, to Product, Marketing, R&D, Training, and Sales
teams.
Even though we have different responsibilities, we make a
concerted effort to be an accessible resource to others in the organization who
need our examiner perspective. The group of examiners meets regularly to share
what we’re seeing, learning, and working on with each other. Working with this
group is a great privilege.
So, what does my typical day look like? I’m fortunate to
love what I do enough that the line between my hobby and my work is quite
blurry. I’m also an early riser, and I like to write in the quiet of the
morning before the family wakes up. I put my phone away to prevent me from
tending to messages and emails.
As a side note, writing a book is more challenging than I
ever expected. I would say the key to writing is to write. When I write daily,
it’s easy each morning to get up and write or research. However, when I take a
break due to work commitments, I find it hard to start back up again.
When I’m done writing, I look at my phone and catch up
with things – sometimes responding to questions from customers in the
Asia-Pacific and European regions, sometimes reading Twitter - and head out to
the gym. I was putting on “book weight” and decided that had to stop – so I
have become part of the #DFIRFit movement! Then is the start of the real day.
And that’s where my day will diverge. Every day is a bit
different. Looking at a typical day, it really depends on where we are in terms
of a release cycle, conference season, or where I am most needed. If I’m on the
road, most of my time may be spent prepping and rehearsing content, delivering
presentations, engaging with other forensicators, and learning from the presentations
of others.
Regardless of any meetings and presentations that may be
on my schedule, I fill in the gaps by responding to questions from either the
development team or customers. Those responses typically require a bit of
research.
On days that I’m not on the road, working from my home
office, I often go through feature tickets and update them based on what I
discover. Sometimes I respond to questions from developers, but typically, I
spend a good amount of time researching and trying to understand forensic
issues before I provide feedback.
I regularly test development builds of new features, and offer
feedback on those features, draft the artifacts’ connections, and help with the
fragment descriptions for the artifact reference guide. At times I work with
the content team to draft or provide a technical review of content.
I also spend a chunk of time in the evenings catching up
on all the information shared by the industry. There’s always so much to learn,
which is one of the greatest things about this field – new problems to solve
and new artifacts being discovered. There’s too much going on in the field for
anyone to know everything, which makes sharing with each other imperative.
Sometimes you can find me on Twitter in my down time.
I’m lucky to have a dream job where I get to do things
that I love to do, research forensic issues, and help others with questions
they may have. But in a role that you are passionate about, and that is also
global, there can be blurring of time off and on.
There are a lot of reasons for this blurring: working
with people in different time zones, having great friends in the forensics
space, and constant data generation. Because many of my friends are in
forensics, sometimes a casual chat may lead to jumping on my computer to carve
for data and check out an artifact.
I’m passionate about digital forensics, so this is a
natural flow for me. However, I do make a conscious effort to take time off
from work one day a week, which is positive for both my family and my
sanity.
It’s interesting because there’s quite a dichotomy
between my days on the road and my days in my home lab. At home, I spend most
of my day staring at a computer screen. I don’t have office mates to speak of,
which is great for allowing for deep focus and concentration.
In contrast, when I’m on the road at conferences, I
constantly engage with other people. The energy in these two arenas is very
different. I gain energy from learning new things – the secret is that both
people and data can stimulate the ability to gain more knowledge. There is
always so much to learn!
5. You make segues so easy for me. Part of the reason I
wanted to land an interview with one Jessica Hyde is your work into IoT
forensics and the book that will come out of it. Can you tell us more about
your research into IoT and your upcoming book?
Happily! Researching Internet of Things devices has been
a great deal of fun. As someone who worked on teams that specialized in mobile
device forensics, I often received the “weird” devices -- anything with an
embedded system. This included everything from smartwatches to dashboards from
vehicles to drones.
So, when the opportunity came along to work with Brian
Moran to dig into the Amazon Alexa “Echo-system” – I dug in! I loved the
complexity of coupling my hardware skills to obtain data from the devices, with
my love of parsing data from unsupported apps.
Then came the realization that I needed to understand how
to get data from “the cloud” and I was hooked! I began working on different IoT
systems, from smart homes to smart watches, to smart thermostats, robot
vacuums, light switches, and more. Can you think of something cooler to
research in your spare time? I mean, I get to play with devices in my home and
then tear them apart and find data, all in hopes of helping others. And I’m so
fortunate that my hobby and my work are in the same field.
As I did increasingly more of this work and shared
information in presentations and blog posts, more friends, acquaintances, and
people I’d never met started to inquire about how to get data from more of
these devices they were seeing on cases. In other words, as people begin to have
more devices in their homes and on their person, IoT devices are more regularly
becoming the witness, suspect, and victim in cases.
This led to ideas of what things to research next, and I
began to collaborate with other examiners. The important aspect with regards to
IoT forensics isn’t the recipe for how to get the data, because that can change
– particularly as cloud APIs change. The important skill is understanding the
methodology: how to identify IoT devices at the scene, create test data, find
where that data resides, parse that data, and then apply the same methodology
to cases.
As I began to research more devices, and as I regularly
attempt to promote sharing in our community, it only made sense to challenge
myself to practice what I preach and provide the methods to exploit forensic
data from Internet connected devices. To do this, I’m collaborating with others
in different areas in the community to give them the opportunity to share their
IoT forensics work.
The book’s focus is to discuss the forensic value
of IoT devices, provide examples, and describe the skills necessary to test,
acquire, and analyze IoT devices in forensic investigations.
As for the book’s format, there are really two main parts:
one part that speaks to methodology, and the second part that speaks to
examples. The methodology section is further broken down to describe ways to obtain
and analyze data from physical devices, associated applications, and the cloud.
This section explains concepts like In-System Programming (ISP) to read data from
devices, parsing unsupported applications from mobile devices, and dealing with
APIs and JSON data.
The second portion is broken down into different
categories of IoT devices, with examples of forensic analysis. It’s important
to note that this second section is meant to serve as an example, not a recipe.
Again, this is a rapidly changing area, and with a book the concept is to share
a resource about how to conduct the analysis.
This section will also include contributions from other
digital forensics professionals who have explored different IoT devices. I’m fortunate to know fantastic, talented forensicators
also working in this area who are interested to share what they’ve learned. This
will hopefully allow the reader to see other perspectives on IoT forensic
analysis and provide a wider depth and breadth than I could provide alone.
I hope to release the book in early 2019. If anyone has
any questions, ideas, or contributions, I happily welcome their input. The book’s
goal is to provide a methodology to investigate IoT devices the reader may
encounter in the field. I think IoT forensics will continue to become a larger
part of cases and a significant source of data and we all need to work together
to understand how to investigate it.
6. What is your advice to someone who is looking for ways to give back to the
community?
This is an area I’m quite passionate about, so I’m glad for
the opportunity to share my thoughts on ways to give back to the community.
There are so many ways in which those of us involved in
DFIR can give back. One of the most obvious ways is by sharing what you’ve
learned with others. This can take many forms, including everything from
mentoring to presentations.
I would like to point people to some really good posts on
this concept, including Harlan Carvey’s “Beyond Getting Started” and Brett
Shavers’ “Sharing is Caring”. They discuss the importance of sharing back what
you learn with the community.
Some of the ways to share your research and knowledge
with the community include developing scripts, giving presentations, posting
artifact details, teaching, answering questions on listservs, and of course
writing -- in the form of a blog, a whitepaper, article, book, or even peer
reviewing other’s work. I outlined my thoughts on each method more formally in this
blog post late last year which can be found here.
One of the current issues related to sharing that a group of us
is currently discussing is Rapid Peer Review for practitioners. There are a lot of
thoughts on this, including Brett’s “The RAPID PEER REVIEW” and
Joshua James’s “DFIR already has Rapid Peer Review – we can do better”.
The outcome of these discussions should serve to create a way for practitioners
to expand on and validate each other’s work at the practitioner level. I
encourage anyone who has ideas in this area to please reach out to me to be
involved.
It's important to note that you don’t need to have as much
experience as you, Eric, or someone like Harlan or Brett to share! This
industry is so vast and there’s so much to figure out. If you figured something
out for an examination because you couldn’t find material on how to get data
off that device or parse that artifact, someone else may run into that same
scenario. There are so many unknowns that the only way we can succeed as a
community is to work together to share our knowledge.
But sharing can be even bigger! It doesn’t have to be
just within the confines of our community. Some people may have the motivation
to find ways to use their DFIR skills to give back in other ways. This can
include everything from discussing Internet safety and multi-factor
authentication in your community, to speaking at schools, to teaching victims
of abuse how not to be violated digitally by their abusers.
I just recently organized some of my thoughts on Giving
Back in DFIR in a blog post. I included
some specific organizations that are doing work to give back that people can
learn more about or find new ways to help others. I’m so proud to be a member
of this community where we can have impact in the world well beyond our cases
with our skillsets.
You can also give back by helping people learn about the
field. You can help introduce new examiners to the field by participating in
everything from resume clinics, to volunteering with groups that help bring
people to conferences.
I was fortunate enough to have an opportunity to
volunteer at a resume clinic run by Lesley Carhart at Circle
City Con. It was a tremendous experience and I met some great future DFIR
practitioners. Mentoring is also a great way to help others. Organizations like
H.E.R.O. Child Rescue Corps help transitioning wounded veterans move into law
enforcement careers as trained counter-child-exploitation professionals.
There are also groups like Cyber Sleuth Science Lab that focus on bringing digital forensic education to underrepresented high
school students. In the words of DFIR practitioner Richie Cyrus, it is our
responsibility to “send the elevator back down”.
7. What is your advice for someone who is looking to break into the digital forensics field?
My advice is to learn and get involved. As far as
learning, there is great formalized training at both the university level, and
via training courses from vendors and organizations.
However, college degrees and expensive DFIR training have
a cost barrier. There are lots of great ways to access information outside of
those formalized courses. I highly recommend that anyone looking into the field
check out the following three resources, as they are a gateway to other
information: AboutDFIR.com, DFIR.training, and
subscribe to thisweekin4n6.com.
By using these resources, you should be able to find
archived content specific to what you’re seeking, as well as keep up on the
newest information that the community is sharing. That said, please look out
for scholarship opportunities to get access to training. I listed several in
the Giving Back in DFIR blog that I mentioned.
A lot of people ask what certifications or training they
should choose. Well, just like much of forensics, it depends. One thing I
suggest is to look at the requirements in job postings for your dream job and
start taking the steps to get there.
I also encourage people to apply for jobs where they
don’t meet every single requirement. Often that is just the “dream candidate”; it’s
unlikely that they’ll find someone who meets all the requirements. Apply
anyway! The worst that happens is that you don’t get the position, the best
that happens is that you get the job and the opportunity to learn skills you
might not otherwise have.
Of course, it’s important to have a CV/resume. But if you
have no experience, what goes there? If transitioning out of one career into a
new one, list cross-industry skills. This could include writing, technical
skills like networking or programming, or soft skills like the ability to brief
executives. Make sure your resume includes all the training and certifications
that you have gotten.
One of the most valuable things you can have on your
resume is a reference to your own work! If you’ve been sharing as you learn or
research, a place where you’ve blogged about that research can be a real foot in
the door.
When I hired forensic practitioners, I really appreciated
when the candidate had a public blog post on some research they had done. Not
only did this let me know that they could conduct, understand, and write about forensic
research; it also gave me a specific topic to focus on in the interview.
If you can go in depth about something you’ve researched,
chances are you’ll be a good fit. You may also be more comfortable than if the
interviewer asks randomly about some topic you haven’t spent as much time on with
practical hands-on work.
It isn’t always about the resume. Sometimes it all comes
down to networking. Often that’s because even finding the job opening can be a
struggle. This has gotten better thanks to sites like aboutDFIR.com having
a jobs page focused on our industry. I address several of the nuances in
finding a job in a blog post that can be found here.
Of note, in that post is a matrix to help figure out the
potential titles of positions you may be interested in applying for. Sometimes
finding the actual requisitions to apply for can be a tricky part of the process.
In general, though, networking is important in almost
every field. I’m a strong proponent of getting involved. So how can you do that?
It’s great if you can get out there and meet other people. They may know of a position,
or you may meet someone who’s hiring.
I highly recommend attending a conference in your
vicinity and looking for a local BSides conference. The wiki here is a
great place to find out about local BSides. You’re bound to learn something
there.
You can also try to get involved with an association in
your area. A great resource for finding some of these groups is to look at the Associations
page on DFIR.training. I also advocate joining the #DFIR community on Twitter. A
lot of great information is shared on Twitter first. If you follow me, @B1N2H3X,
I have two Twitter lists you can access on my profile to get you started with
finding other DFIR folks.
Thank you, Eric, for the opportunity to share. I have been a long-time reader of AFoD and it
is a true honor to have been invited to be interviewed by you. You and your blog do an amazing job of
sharing content with the community. Thank you again for this honor and
privilege.