Eoghan, you've been in digital forensics for a long time; how did you first get into the field?
I first got into the field by accident. The husband of a friend of mine was a violent crime investigator, he was a forensic scientist who was starting to specialise in serial violent offenders, and he needed some tech support. Basically understanding evidence on the internet. And I got interested in it in terms of the social contribution, and so started to pursue that and ultimately went and specialised in intrusion investigation for a while, but also helped criminal investigators as best my time could allow. And ultimately that’s my interest, I’ve now maybe split it out: one foot into the network intrusion side and one in the criminal. Which is nice, I like being able to do both.
Could you tell us about some of the things you're working on at the moment?
Most of my work right now is in the smartphone forensic realm. Working with forensic examiners, who are the primary examiners on cases, to provide them with the support that they need to get additional data out of the applications, for example, that contain communications or pictures that are important to their investigation that their current tools aren’t providing. Basically, conferring on all sorts of cases involving smartphones, which is very interesting.
You also lecture and have written a lot of books for students. What would you say is the most common misconception by new students of digital forensics?
I wouldn’t say there’s one misconception. There are a couple of different misconceptions depending on the way that someone’s coming into it.
For example, people who are coming into forensics from the information security world sometimes don’t necessarily see the point in some of the processes and the forensic science side of things. My view is that it doesn’t matter what domain you’re in, those fundamental principles are important. And also the methods: just because they’re not in your domain, they can still be useful, and you can translate them and make use of them. So I think getting people to think outside of their own field or use case; it’s not a misconception as such, but it’s something I see as one of the biggest things that I have to overcome, is to get them to jump over the wall a little bit.
On the forum we see a lot of posts from people who are just coming to the end of their studies, and they're not sure what they should do to make themselves stand out and get their foot in the door of real-world digital forensics. Do you have any advice for them?
What I look for in anybody who’s trying to establish a career in digital forensics is a fundamental motivation. There are a lot of people who maybe can’t articulate why they want to do forensics. That’s the biggest thing, self-assessing honestly and being able to articulate why you’re motivated to establish a career in digital forensics or incident response. It shouldn’t just be to make a lot of money. I mean you’d hope that somebody would get a good salary out of it, but fundamentally I look for a passion of some sort, or some reason why people are involved. And that applies to people who are getting interested in the criminal investigation side or in the cyberthreat side. I look generally for more than just technical abilities, because although that’s important, I’ve seen people come from philosophy backgrounds and history backgrounds and acquire technical skills that make them fantastic forensic examiners, or even digital investigators. But if you don’t have the drive or some underlying passion that pushes you into the field, it won’t work. I think I’d pick the person who had less computer science strengths and programming mojo, and be looking at the person who really is passionate and motivated and can acquire those skills.
Some of the best forensic examiners I’ve worked with came from a different field. They’re bringing problem-solving skills, they’re bringing perspectives that actually make them maybe better equipped to understand the human behaviour they’re looking at.
We've been talking a lot as well this week about trying to get law enforcement, corporate and academia to all work together. How important do you think that is, and how can we achieve it?
It’s critical, and I think that’s what DFRWS is all about. And that’s what we try to continue to increase and encourage. So that’s one of the reasons why last year we added a practitioner presentation section. Because it’s a single-track conference but we were having difficulty getting the practitioner perspective, which defines the problems that researchers need to know about. Without that perspective, we’re weak. Forensic science is in application, it’s not in theory. It’s only useful if you can actually put it to some purpose in a case. So all the research theory can be worthless if you can’t use it.
How do you think the world of digital forensics is going to change and adapt over the next few years?
My hope is that digital forensics will be a digital forensic science and will be integral in many ways to forensic science overall. I’m striving to define digital forensic science so that we start thinking about a digital identity in the same way that we think about fingerprints and DNA, and we think about how data is used to attribute some criminal activity to an individual. And that then can have implications across the forensic sciences in biometrics, in pattern recognition; a lot of different subdisciplines. So I think what we’ll start to see is digital forensics becoming a more integral part, and a more visible and important part of every investigation that occurs.
That’s one level, but then at the practical level, it’s that everything is digital. Everything is moving to digital; you can’t really have an offence or a policy violation that doesn’t have some digital data. I think we’re going to start to see a lot more attention drawn to it.
You've spoken about the need for standardisation in digital forensics throughout the week. Could you elaborate on your views for our readers?
Yes, the one thing that I’m very interested in seeing is not just the collaboration between different groups of people interested in digital forensics, but the standardisation of how we communicate about what we’re doing, and the data. So tool developers need to be thinking about how they can output in a standardised format. And forensic examiners need to be thinking about how they can output their results in a standardised format. Organisations need to be thinking about how they can share their information in a controlled manner, in a standardised format. So we’re starting to need more correlation of data and more sharing of data in digital investigations. So we need to standardise how we do that, that’s the big thing for me.
Do you think there's anything within computer crime legislation that needs to change to make us able to do our jobs more effectively?
No. I think the one thing maybe that has to be more legislated is the protection of data, but that’s more at a corporate level. But as forensic examiners, I think we’re doing OK.
What do you do in your spare time?
I’m a dad. My family is certainly the most important thing to me. So when I’m not working or playing in digital forensics, I’m with my friends and family.
Eoghan Casey is a Founding Partner of CASEITE and Lead Cyber Security Engineer at MITRE Corporation. He is also Editor-In-Chief of the Journal of Digital Investigation and an Instructor and Researcher at Johns Hopkins University in Baltimore. Eoghan has authored several publications, including Digital Evidence & Computer Crime, Handbook of Digital Forensics and Investigation, and Malware Forensics: Investigating and Analysing Malicious Code.
Forensic Focus interviewed Eoghan at DFRWS, the annual Digital Forensics Research Workshop, which took place in Dublin from the 23rd-26th of March. The next workshops will be held in Philadelphia in August 2015, and Switzerland in March 2016.