Devon, tell us a bit about yourself. What's your background, and what's your current role?
My name is Devon Ackerman, and I am currently a Senior Director in Kroll’s Cyber Security and Investigations practice. In this role, I have leadership over an Incident Response team as well as client engagement responsibilities and hands-on investigations.
Prior to Kroll, I served as a Supervisory Special Agent and Senior Digital Forensic Examiner for the FBI. I began my career with the FBI back in 2006 and in 2008 entered the Academy to complete training as an FBI Special Agent. After graduation from the FBI Academy, I was assigned to North Carolina, or more specifically, the “Charlotte Division” of the FBI. I was initially assigned national security investigations and related matters that shared a cyber nexus, later gaining experience in cyber and DFIR matters across the board, to include traditional criminal matters.
Fast forward a few years and I had completed the FBI’s year-long training and certification program known as CART, or the Computer Analysis Response Team. The certification brought me into the fold of a small segment of the FBI’s overall employee population who specifically were tasked with handling digital evidence in a forensically sound manner. Toward the end of my time with the FBI, I had also completed my Senior Forensic Examiner certification process and was one of only a handful of Agents in the Bureau to have successfully completed the process.
Most who have worked with the FBI will recognize CART as the brand name historically used to describe the FBI’s Digital Sciences field teams. As a Special Agent, I investigated a range of cyber matters throughout my career.
I handled matters of national security (i.e., APT/state actor groups, national infrastructure protection, economic espionage, terrorism, mishandling of classified material, etc.) and criminal matters (i.e., theft of intellectual property, network intrusions, cyber insurance and securities fraud, and violent crimes to include bank robbery, kidnapping, and crimes against children).
In my early days as an Agent, there was only one other cyber agent in the office. In addition to working together on a number of matters, we founded the FBI’s first North Carolina Cyber Security and Intrusion Working Group (e-Shield), which still continues even into 2017. Eventually I was promoted to Supervisory Special Agent, which took me back to Quantico, Virginia, where I worked out of the FBI’s Operational Technology Division. I had responsibility over a myriad of Digital Sciences-related matters, to include curriculum design and development as well as classroom instruction.
My main focus and passion though, if not the highlight of my career, was the oversight and coordination of the FBI’s digital forensics-related field operations across the United States, spanning a variety of matters such as domestic terrorism, mass shootings, and cyber-related (incident response) events. I had supervisory responsibility for over 500 forensic examiners across 56 domestic divisions, not including resources and assets strategically placed around the world. I also spent my spare time working with other cyber agents and computer scientists to develop a number of forensic tools and processes that were later pushed out to the broader enterprise to be used as needed during forensic examinations in the field. After almost a decade with the FBI, I was approached and offered an incredible opportunity by the executives at Kroll. Together with prayer and thoughtful consideration, my family and I decided that the time was right for a transition.
What was it that first drew you to digital forensics as a field?
During my undergraduate program, digital forensics was still a developing and evolving field, but I already had a background in traditional computer science and computer design from my earlier career with an information technology company. I looked at digital forensics as the ultimate blend of investigation and computer science, which was highly intriguing. Through my college and my contacts at the time, I was able to learn about a paid internship opportunity at one of the FBI’s Regional Computer Forensic Laboratories (RCFL). It was an incredible experience and the insights I gained during the process laid the groundwork and interest for the Special Agent Cyber and Digital Sciences career paths with the FBI.
You've recently released About DFIR – tell us about the project and its aims.
AboutDFIR.com was a project that began as an open source Google sheet back in 2014 that functioned almost as a notepad of links that some colleagues and I could reference on a regular basis. Interestingly enough, and this probably isn’t known to many, but the project was originally started as a collection of tools divided between forensic tools and technical tools. I had arranged the list so that I could quickly search by keywords for specific forensic artifacts or topics and refresh my memory on which script or tool was the better option. I would also track notes about my testing of the tools as well as issues that I had discovered or what the strengths and weaknesses were of certain tools compared to others.
It wasn’t until later that I began tracking forensic certifications, which is what I eventually took online to share openly. As most projects tend to do, the Google sheet began to grow and evolve with more and more information being added to it over the weeks and months that followed; eventually, I began to organize and subdivide into categories. It gained momentum and the traffic to the Google sheet began to increase at a surprising rate, so much so, that quite often I would go to make updates and the list of animals on the top right would be a drop down list versus a horizontal row. It really spoke to how much the DFIR industry was growing in terms of research, vocation, and general learning — people who are drawn to science and information technology are usually hungry for information. The project is a way for me to give back to the community and to arrange material in a single place on a single platform in an easy-to-navigate fashion.
There are quite a few digital forensics websites out there – what makes About DFIR stand out?
In my humble opinion, I feel that aboutDFIR.com is rather unique. Sure, there are other digital forensics websites out there, collections of links on GitHub, and even hundreds more blogs beyond that. But what makes aboutDFIR.com stand out from the rest in my mind is that it’s a collection of information in a central location arranged in a manner to make discovery of new solutions or strategies quick and painless. It’s taken years to organize, collect, and arrange the content that is currently laid out and I have a number of new ideas for the website that will be released throughout 2017 as I have time. Since officially launching the site earlier this year, the daily and weekly visitor growth has exploded so much so that I had to migrate the website from one server to another with a larger pipe to handle the bandwidth load. That’s the best “Thank you” that I could have received from the community.
Digital forensics is a constantly growing field; how will you keep on top of new changes and additions, and how often will the site be updated?
I see this as a two-part question that speaks both to myself as an examiner and to the website as an information hub. For myself, in regards to staying on top of new changes within the industry, therein lies a problem faced by practitioners and examiners across the scope of the multifaceted science that is digital forensics. Without delving into semantics about it being an engineering discipline versus a science versus an investigative art, digital forensics and incident response are fundamentally a multi-pronged focus dependent on what the job requires. There is an overwhelming amount of information to read, learn, and test. Further still, not every job requires advanced techniques such as network forensics or malware analysis, just like not every investigation requires data recovery, which is what a lot of lay persons associate with digital forensics. Sometimes our discipline is as simple as the forensically sound handling of the evidence and extraction of a single incriminating email or document from allocated space. There are some really great infographics out there that show how DFIR encompasses so much more than just data recovery or e-discovery, and some have estimated there are 20 to 30 different subsets of digital forensics. That’s a lot to track and even more daunting when trying to track all of that evolving information that is updating almost faster than my spare time allows for me to catalogue on aboutdfir.com.
With that said, I care about the community and I have some obsessive-compulsive tendencies, so expect regular and continuing updates. Something that really helps is when the community uses the Submit function on the website to submit new certifications, training, conferences, etc., that they become aware of. Plus I always give credit if someone submits an idea. I also have a great friendship with Mary Ellen Kennel, and she’s now a co-author on the project and website updates. She brought a huge amount of her personally collected information with her, and we worked on the website for about four weeks straight before it officially launched and I retired the old Google sheet. With her help, the site will continue to be updated so that the community benefits.
About DFIR has an 'Associations & Memberships' tab – in your opinion, how valuable is it to become a member of professional organizations; are they just money-spinners, or can they help investigators to increase business?
In my experience, no two professional organizations are of the same quality. There are some that are formed with great goals in mind but have few members, and then there are some that have been formed from humble beginnings and their ranks have swollen to thousands of members.
I have found that usually the networking opportunities are valuable, and certainly there are certain digital forensics listservs that are very active and full of experts from the field. I think it helps bolster a resume or CV to the extent that it speaks to the professional’s goals and alignment with others in the profession. There are some organizations where membership is tied to certifications held and to the extent that membership within those organizations is tied to an industry recognized and accepted certification of substantial acclaim, then I think there is a balance of usefulness there.
Ultimately, experience and hands-on skill level will always matter more to me as a manager and practitioner than a list of certifications or a list of memberships. I want to see the application of that claimed knowledge and the practical display of skills more than a rolodex of contacts or a list of letters after someone’s name.
Finally, what do you like doing in your spare time?
Taking care of my family and our home. My family is incredible, and I am truly blessed beyond measure. I know that every proud parent thinks that their kids are the best, but my focus truly is as a husband and a father. Over the years, my wife and children have each been incredibly supportive of my vocation and interests, especially with the amount of travel that I have engaged in professionally for my career. If you had asked me this question 10 years ago, my answer would have been a resounding exclamation of video gaming and custom-computer building, but I recognize that is quite the nerd answer. I would say that one of the most important things we can do as parents is to invest the time in our children’s lives so that we are there for them when they ask questions. And they do ask a lot of questions in my “spare time.”
Devon Ackerman is a Senior Director with Kroll’s Cyber Security and Investigations practice. Devon is an authority on matters involving digital forensic science, cybercrime, and related incident response. Find out more about his personal projects, his passion for digital forensics, and his never-ending quest for knowledge at aboutdfir.com.