Amanda, tell us a little about yourself. You went from child advocacy to law enforcement to private consulting to your current role. What made you interested in digital forensics?
For a while my life was dedicated to being a mom, starting back in 1999. In 2006, while living in Denver, I met a couple that worked at a restaurant with me named John and Sara. One morning John brought their kids into the dining room and sat them at a corner booth. It was early but late enough to know they were probably late for school. As the older boy sat at the table, his head bobbed as he desperately tried to stay awake. I offered them a drink but was promptly put in my place by John telling me they were fine and did not need anything. Although I found this to be a little bit odd, I continued my day. I didn’t know it at the time, but this is where my career path began.
After moving to Florida in 2007, I received a phone call from a former workmate to share the news with me that Sara and John had been arrested for the murder of their son. They had starved him to death.
That evening, I sat alone on my couch wondering what I could’ve done to change the sequence of tragic events. The more I found out about the case, the more I felt a pang of a smidgen of responsibility. Maybe I should’ve investigated a little further the morning I saw the little boy struggling to stay awake. Perhaps, the one day he came in with his stepmother, Sara, I should’ve watched a little closer and asked questions when she told me he was in trouble and that was the reason for him sitting in the corner while she worked a 4 hour shift.
This self-questioning went on for a couple of hours, along with a few tears. Later that evening the background noise of the TV became a little more than noise. A lady from the State of Florida Guardian ad Litem program was on a local tv news station asking for volunteers. I’d never heard of anything like this and followed up with a lot of research. For me, this was life telling me to stop questioning the what-ifs and actually do something to make a positive impact. “DO SOMETHING!” This is what I kept hearing. This is when I trained and became a child advocate.
As life unfolded, I decided to go back to college and finish my degree. The choice of Criminal Justice with a concentration in Digital Forensics was a given for me. Tragedy pushed me toward becoming law enforcement, and my hobbies pointed me to digital forensics.
During my last term, I chose two places to complete internships. My first was Autauga County Sheriff’s Office followed by Central Alabama CrimeStoppers. This was my introduction to law enforcement and I quickly realized that I belonged in a lab with computers and cell phones and most certainly not in a patrol car. After being asked to consider working for ACSO with the caveat of attending the academy, I decided that being sworn was not for me. However, If they wanted an analyst, I was in!
After being told that there were no positions available for non-sworn personnel, my first question was, “Who makes the decision to add the position?”
“The County Commission.”
“DO SOMETHING” — I heard that again. So, I went to a Commission meeting as a citizen of Autauga county and presented to them all of the reasons why they should expand their LE personnel to include a civilian analyst. At that time, ACSO had to send all of their digital forensic work to the city police department or the State. Two months later, I received a call from the SO. The commission had listened and agreed. They needed an analyst.
After establishing a digital forensic lab from nothing, hundreds of hours of classes, diving deep into every piece of software I could get my hands on, and helping to bring the ICAC Task Force to the SO, I was ready for a mental break. I had no idea when my career path began that I would be analyzing CSAM at some point and after about two years of that, I was ready to move on.
I had already been teaching on a contractual basis for Oxygen Forensics for about a year when in one of my classes, sits my new boss, Keith Lockhart. Things just went crazy from there, in a good way, for training. We both had so many ideas on how to improve and grow the curriculum. It was a very easy decision to make the move into the civilian world with Oxygen. This was my go-to software for analytics and I knew it well.
What led you to Oxygen Forensics, and what’s a typical day in your life like?
When first establishing my lab at ACSO, I had a budget of zero dollars which forced me into the open source software world. As I researched and asked around, two or three software products were repeatedly mentioned. Once I did a price comparison along with what I would get with each product, it was an easy choice. Oxygen Forensics beat them all for price and functionality so this is what originally led me to it as a user.
Once I was chosen to attend [the US Secret Service’s National Computer Forensic Institute] for multiple classes, I acquired all three of the software products I spoke of previously. I found myself going back to Oxygen each time I needed a product rich with analytic functions. No matter how I extracted a device, I always imported it into Detective to view the parsed data.
A typical day for me is determined by whether or not I am teaching a Live Online Training class that particular week, whether or not a new release is coming out, if I need to record a new Knowledge Nugget for our training page, or perhaps it is time to test new types of extractions. Some days are spent restoring all of my lab machines to the original state for the next class.
However, my absolute favorite daily process is when I am in the throes of a new class. With it comes a new set of minds and the opportunity to teach the software. Sprinkle in a few use cases and stories of my own and now we have great conversation going on. I learn something new every class.
Every work day you will also catch me in a conference call with Keith and/or Jessica Stevens, who is the Training Coordinator. I am super grateful for the work she has done and she is a major contributor of the continuing success of our training program.
After all of the meetings, classes, and calls an almost daily process begins: testing phones with Keith. We are on a mission to master as many types of extractions with as many devices as we can so we can stay current with the constant changes of both the software and the device world. Detective updates an average of 13 times a year, which keeps us busy testing and exploring all of the new upgrades.
What are the biggest challenges you see the trainees in your classes facing, and how do you help them work through them?
By far, their biggest challenges are obtaining the extraction you need from a phone. Sure, it’s cake once you’ve completed that process but for the majority of the cell phone forensic population, they are not yet comfortable with tearing a phone apart to short it into EDL or attempting the latest exploits for fear of bricking a phone. This is the reason we built our curriculum to show some of these processes. Confidence grows the next great cell phone examiner guru. “Now… Watch me unbrick this phone.”
How did training at Oxygen Forensics — and you as a trainer — pivot in response to the pandemic? What’s been most successful about this pivot?
We timed our own pivot perfectly and it had nothing to do with the pandemic. After purchasing our brand new lab for remote learning we started hearing about this nasty little virus. Lockhart’s idea of teaching from home definitely gave us a boost here. We were already ready.
I am teaching a full week of class almost every other week at this point from my spare-room-turned-office. One wall holds all of my lab machines as I sit in front of them and chat with them like they’re the actual people I am teaching. The most successful part of this is being able to maintain a platform for learning even when no one can travel. Although I am looking forward to traveling again someday, I can’t see the live online training classes going away.
What new challenges are on the horizon for forensic examiners overall, looking to the new year and beyond? How can training prepare them to address these?
The first is specific to the mobile device realm and you all know it as the cat-and-mouse game. Software products are always chasing the new updates and security patches to find a new way to exploit them. This one is neverending.
The other, of course, are the courtroom challenges. Can we even use the words “phone dump” on the stand anymore? Fine tuning how we refer to processes and managing how we maintain the integrity of our evidence is a must. I make sure to cover these conversations and welcome new intel from the classroom.
A lot of the newer LE labs will admit that they do not have any set policy and procedures to handle evidence, since they were just promoted into their role and/or allowed by commissioners or the boss to start a mobile forensic lab. I always make sure to mention where to find the information they need to make this happen.
New tools such as image categorization and facial recognition/clustering bring about ease and quick work, but do you use them wide open? This is another great conversation for the classroom. Do you turn your image categorization on and run all of the algorithms against all images? Better watch out because you very well could be exceeding your [search] scope. LE students need to think like a defense attorney when they are processing data and performing auto searches and vice versa. The point is, get ready to be challenged. Be prepared.
What do you love most about training and/or technical writing?
This is an easy one to answer. I love teaching. Specifically I love teaching investigators how to find missing links, parse the unparsed data, find the hidden needle, and link data together to present the true story. There isn’t much worse than when an investigator builds his case around a charge, which as LE we’ve all seen happen at least once. We, as examiners, have a story to tell and it’s one that solely involves facts. I think that this is comforting on some level. All we have to do is state fact. I want to be able to show everyone that sits in my classroom how to find the information that is there and present it in a factual manner.
Of course, my heart is in child advocacy. So, I can easily say that another huge perk of being able to teach is to be able to show how Oxygen Forensics can help in cases involving CSAM. We have some tools that I like to call “brain-saver buttons”. These turn off thumbnail views in reports and the interface so that the examiner only has to identify the illicit images by the hash value. There are things you cannot unsee and the ongoing joke about eyeball bleach is just that, a joke.
I’ll wrap this answer up with a reminder to all of those who do exam CSAM to make sure they are taking care of their mental well being and when you feel like you need out, GO! There is no shame in moving onto other work. If child advocacy is something you want to remain doing, work proactively as a chatter to snatch them off of the streets before they can injure another child.
You also volunteer on the boards of some local organizations. How does your digital forensics experience inform that work — and in turn, how does volunteering inform your job?
From my internship until mid-2020, I was a Board Member at Central Alabama CrimeStoppers (CACS). During that term, I had the opportunity to observe the needs of local agencies and would reach out to introduce them to open source material and to offer my lab if they needed it, while still active as LE.
I enjoyed speaking to all of the other agencies to offer and gratefully receive advice from them regarding the forensic world. It greatly and quickly grew into a network that I relied on. Tony Garrett is the key to the formation of this operation and I am fortunate and thankful to be part of the team during their growth into the powerhouse that they currently are.
Something important I took away from volunteering here is the importance of facial clustering software which has now been integrated into Detective. We were always asking the public if they recognized certain faces of suspects so why not turn to a computer algorithm to help out?
I have recently decided to move on to other opportunities to volunteer. The local high school has a JROTC program in which for years I have been a coach and Booster Club member. This volunteer work slowed down since my daughter graduated but I am hopeful to be returning soon to help raise funds for their travels and meets. Volunteering for these kids is a great brain break from forensics, which I consider a must have.
When you’re not working, what do you enjoy doing in your spare time?
I like to be outdoors or doing anything that forces me outside. Recently I made a passing remark to my family that I’d always wanted to have a few chickens. A month and 6 chicks later, my husband built a huge walk-in chicken pen and coop and now I am harvesting a half dozen eggs a day. I find myself sitting out by them every morning drinking my coffee as they cluck away and pick on each other.
Teaching my son day trading is my newest hobby. We’ve recently challenged ourselves to grow as much as possible from $100 in stocks. I enjoy teaching my kids the things that I know they won’t learn in school so this one has been on my list for a while. He has gotten the hang of it but has recently decided that this is definitely not the career path for him!
