Ashley, first of all, when did you start in this field?
I started in the field of computer forensics when I was in college. But I started with Guidance about 13 years ago, in 2003. I’ve had many roles at Guidance. I started out actually in quality assurance, and then I worked in project management and training.
Can you tell us about the new products that Guidance has recently released?
Yeah, so we announced a couple of products – one is EnCase Mobile Investigator. EnCase Mobile Investigator is available for pre-sell, but it’s going to be available to Forensic customers and Endpoint Investigator customers. It’s really designed to review mobile acquisitions. We just did an announcement that in EnCase Forensic and EnCase Endpoint Investigator they’re going to get brand new support for mobile devices, both for the device itself and for backup files, JTAG, binary files, all the different items people would tend to think of when they think of mobile devices.
Yes, I think that analyzing mobile devices is growing and growing. In the past, computer forensics was used mostly for intrusions or other kinds of digital investigation of IT problems: IT accidents, IT fraud, IT security. Now, mobile devices are our daily life.
Absolutely. You may not have carried a computer with you ten years ago, but now you pretty much have it all the time. It gathers metrics about where you’ve been, what you like, who you talk with, what you take pictures of, what interests you; all of that is really at your fingertips all the time. So especially for law enforcement, when you’re looking at criminal investigations, that’s really a snapshot of what was going on with that person during different timeframes, and we know how important, how much the caseload has switched to that kind of need.
So that was one recent product. The next one that we announced was Endpoint Security 6.0, which I got to be involved in part of the design and development of, under my team, and I have loved the progress we made. I don’t think people are going to believe it when they see the new interface, that it’s from the Endpoint Security line. We’ve done a couple of shifts, we’ve built in a brand new detection and triage capability. So the ability to look at a machine and decide when you look at it if you want to collect from it. So you don’t have to just collect everything and then search through it, like looking for a needle in a haystack.
And then, when we do collect stuff, we actually filter it via some integrations that we’ve done recently. And that’s going to help you, even more, narrow down which machines are critical, so help you triage. So instead of giving you the whole haystack, we give you the needles, and then you can go after those needles for investigations. We’ve actually built in investigation workflows, where you can have your forensic examiner go and collect the event logs and the Prefetch files, and dig into that investigation workflow, where then you find indicators, and then you do an IOC search. All of this is moving towards the web, in a really usable, beautiful interface. I can’t wait for people to get their hands on it.
Very interesting. And also because one of the problems that we face every day is the amount of data. I think a solution that permits us to gather relevant information for the investigation is a key point. You spend all that time creating a forensic image, and then you need a year for the analysis!
Absolutely. The size of data has just grown, and you really are seeing a trend towards doing some narrowing down of what you’re looking at originally. You don’t want to look at the whole world, you probably want to do a first glance look through things. And then you’re going to hopefully have your tool guide you to where the information that you’re looking for is, instead of you having to know and navigate to those places.
I agree. The other question is what are some of the main challenges faced by digital forensics practitioners today and how do Guidance’s products help to address this? We’ve already spoken about Mobile and Endpoint. I also saw that there is a new Tableau?
Oh, yes, TX1. The TX1 is a hardware product and it actually allows you to acquire from multiple devices at the same time while being lightning fast. So you’re going to be doing real-time hashing, all of that is built in. I think that folks are going to really like the new interface. It’s a nice, tablet-style interface, super-easy…
We have it on our booth this week. So I know people are getting hands-on with that, they’re also getting hands-on with Mobile, and we have a special session for hands-on with Endpoint Security. So we really want people to get in there, touch them, play with them, see how easy it is to pick it up without someone standing over your shoulder telling you how to push the buttons. You can actually walk up to it and go, “Oh! I get this. Okay. I’m going to click here, or there.” So I think that’s exciting for us.
I did want to mention one more trend that we’re going to be doing a new announcement for, which is – because the data is so large, which we touched on, we need to be able to process it faster and take advantage of the hardware people are using. So we are actually going to be doing a new index engine, and that index engine is going to be beta this year. So you’re going to start to see some announcements this week about signing up for the beta. That will be available to anyone who owns EnCase Forensic or Endpoint Investigator.
And one of the questions we get from students or from people who visit our website – they ask for advice on how to start their career in digital forensics, as an analyst or as a developer. In your opinion, what are some pieces of advice?
There’s a couple of suggestions that I have. One is if you’re able to get yourself into one of the local school programs that actually has the tools, and see what you like and see what you’re drawn to, there’s lots of disciplines within digital forensics – there’s memory forensics, there’s disk forensics, there’s recovery, there’s all these different things. Schools, oftentimes, even community colleges, have programs that are really accessible.
But once you have that and you want to start working for an organization that does it, there’s different ways that you can get connected to that. There’s networking events – I would definitely say get onto Twitter, DFIR hashtag, follow that. There’s conferences where you can meet people, your local HTCI is another location to meet folks. But just reach out to the folks that are in your area that are interested in those types of jobs. And there’s also really good segments going from IT into digital forensics. If you’re interested in law enforcement, there’s different criminal departments of schools that have connections.
And just for your own development, do forensics on your own computer. Do forensics on your own mobile device. There’s nothing better to build your skills up. You know what’s there. Go find it. It’s a great way to get into the field.
And do you have any educational programs or discounts for students who want to start learning how to use your tools?
Sure. I know that we have a couple of courses that I believe are available without owning our products. But we definitely occasionally have student discounts for our training classes. So you can always sign up as “interested in training, I’m a student,” let folks know your local area. You can log on to our website and just request information. We don’t always have specials for students, but it’s something to reach out to the training department about.
Okay. Because one of the problems is of course the price. If you are a student, you can start with open source or freeware tools, and you can get started with all of that, but if you really want to enter into the market, you have to know the tools that are used in the market.
Sure. And there are ways to combine a little bit of that. Like in our own training we have the ability for people to buy either a group of classes or even a group of on-demand classes, which is a little less expensive, and you can do it on your own. So it’s a good way to get exposed to our curriculum. We have a Foundations course that really introduces you to all the basics of digital forensics. That would be a great course to start with. Or we also have a course, if you’re more on the security side of DFIR, that is meant to be an overview of the field and gives you a feel for a lot of the functionality in the tool.
So if I were to pick a course, I would either start with foundations or, if I was on security, the incident responder course. And you don’t necessarily have to take all of the courses to get a feel for if this is the right way for you to go. Different learners learn different ways. I know, compared to SANS’ courses, ours are pretty competitively priced as well. And there is the option for things like the passport, where you can take unlimited courses for a whole year.
Paul was talking about the artifacts research initiative, and how it’s going to be open for everyone and the research is going to be made open as well?
Right. And anybody who submits is welcome, and we encourage them to publish how they found the artefact, and that could be used by anybody else. We’re not laying claim to that as solely ours. So it still belongs to the person who developed the artefact parsing and that would still belong to them. So they can share it with as many companies or open source communities as they wanted to. We want to encourage people in the forensic field to be doing research. It’s not so much about us being able to put it in our product as much as just getting that information out there.
So in general, how important do you think it is for a corporation, academia, and law enforcement to work together, to collaborate and to cooperate in this field?
I think we do try and encourage that sharing in the community. Every company has their specific area that their expertise has been built up around, and they’ve developed and paid for the talent in their organization to keep up and support it. And it does take time and resources to do that. So there is a balance there.
Is there anything else you’d like to add?
One thing I would add is we are doing the Women in Technology initiative and I would love to see more women in the field. I’ve been in the field for over a decade, and we’re still outnumbered out here. So I encourage women to jump in. It’s awesome to have more women in there. We’re trying to create a space for us to connect, and there’s all different roles to fill.
Over the last ten years, have you seen more women join the field?
I will say yes, I do see more women than I did over a decade ago. I think that more women have become product managers in the field, more women have become engineers in the field. I still don’t see as many law enforcement agents as I would like to see, but in corporations I see a lot more women now than I did ten years ago. When I was doing training it was great. When I first started doing training, you maybe got, in a class of 30 men, two women. Now you might have four women! That’s like double! I mean, it’s still not great, but it’s better. It’s going in the right direction.
And I think part of it is some of the women have started to network and just say, “Hey, if you need someone to talk or that kind of thing…” Again, that’s one of the duties of the community, is that we just reach out to each other.
Ashley Hernandez is Director of Product Management at Guidance Software. You can find out more about Guidance’s products and services on their website.
Forensic Focus interviewed Ashley Hernandez at Enfuse in Las Vegas, NV. For more details and to find out about next year's event, visit the official website.