Harlan Carvey

by

How did you get started in computer forensics, was there something in particular which appealed to you about investigating computer misuse?

When I first got started in computer security, I quickly noticed the number of people who were Linux or Unix gurus. The next thing I noticed was that there was an inability (or lack of desire) to transition to the Windows world. What I find most appealing about investigating computer misuse is that a great deal of it occurs on Windows systems, which is the platform that I’ve focused on, almost since the beginning.

Computer crimes require a good deal of technical knowledge in order for the examiner to thoroughly investigate them. However, this is not all that is required. The examiner must also have the ability to communicate his findings to the client, who may not be as technically proficient. And there is more to the picture than simply locating an artifact or two during an examination. The investigator must be able to correlate multiple artifacts, as the information can move from convicting to exonerating the individual.Finally, this field has no end of technical challenges.

Can you tell us something about where you work? What type of work do you do there?

I started out working for ISS on the Emergency Response Services team in Feb, 2006. Later that year, ISS was purchased by IBM, so I now do the same work but for IBM. Most of the work we do centers around issues of emergency computer incident response and forensic analysis.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

Your book “Windows Forensics and Incident Recovery” was well received, can you give us some information about your next book, “Windows Forensic Analysis”?

This next book is not a follow-on or second edition to the first book. Instead, it’s a more technically detailed approach to performing live response and forensic analysis, specifically on Windows systems. There is more emphasis on log files, as well as emphasis on areas of study that have more recently been in focus, such as RAM dump or memory analysis, and Registry analysis. So far, the work I have done on the book has been very well received by the technical editors. I have to thank Jesse Kornblum and Troy Larson for their efforts in assisting me with this book.

In addition to writing books, you also manage to keep your blog at windowsir.blogspot.com up to date. Where does your motivation to write about computer forensics come from and what do you get out of the process?

I wouldn’t say that I really keep the blog up-to-date, per se. Much like others in the blogging world, one of the reasons I blog is because bookmarks simply have no context. Sometimes, I have no idea why I bookmarked something, whereas if I write a blog post, I can add context to the URL, and at the same time share that with others. Also, the blog is another vehicle for me to share information and things that I discover and come up with. If I have a challenge in a case that I’m working on, it has occurred to me that others might also have the same challenge, so I’ve posted information in my blog, as well as posted tools to the SourceForge site associated with the blog.

With the recent release of Vista, what new challenges might be in store for the forensics community?

A lot of responses to questions like this focus on technological issues, such as BitLocker and ReadyBoost, etc. I think that the real challenge that will be presented to the forensic community at large is one of communication and information sharing. The vast majority of folks within the “community” don’t have anything to contribute; they’re just there, and if they’re on public lists, they’re reading some of what others post, but for the most part, they don’t add anything to the knowledge base. A lot of the folks I talk to at conferences say things like, “I don’t have the time to do the research”, and I completely understand that…but there’s more to contributing than doing research and publishing. Some of us write tools and have even provided those tools to others, at their request…how about some feedback on the tools, their use, etc?

Not everyone has the ability or even the interest to program. Not everyone has the ability or interest to publish. No one is asking that everyone in the community do this. We all bring something to the table, and the strength of a community is based on those differences. If someone requests or downloads a copy of the tool, provide feedback to the author on how well it worked when deployed in various situations. Engage in discussions, provide your thoughts or opinions. Add to the foundation of knowledge in some way, even by simply asking the question, “why?”

As far as challenges specific to Vista, there are a number of issues that come up at first blush. Everyone’s pointing to BitLocker and whole-drive encryption as a “challenge”, but I think that we already have some viable solutions to this challenge in live response and memory/RAM collection and analysis. What about Registry analysis? How has the Registry changed with Vista, and how has it remained the same? How about memory analysis? We are just now starting to look at incorporating the pagefile into RAM analysis (thanks to Jesse Kornblum), and now Vista presents us with ReadyBoost. What about the Vista SuperFetch capability? I think that the real challenge with these issues will be to get the community to recognize their viability as forensic resources, so that study and research will be brought to bear on them and shared openly.

One of the questions we’re often asked at Forensic Focus is “how do I get started in a computer forensics career?” What advice would you give? What qualities do you think are most important for work in this field?

I don’t think that being a technological wizard is the most important quality to look for in someone in this field. To be “competent”, do you have to be able to understand and program in assembly? No. Computer forensics is about methodology and process, and communicating your results to others. From a hiring perspective, I’d rather hire someone that I need to work with to grow them technically, but they already have some sense of how to handle themselves in customer-facing situations, as well as the ability to write and communicate coherently.

Getting started in the field isn’t all that hard. Some examiners in the field come from programming and/or networking backgrounds, and it’s important to have a broader knowledge base than just imaging drives. One route for folks is the military…enlisting under contract to a specific specialty, or even a guarantee of specific job placement, is an option. It may also help to have some college coursework under your belt when you do that. Another option is to start out in an IT field, such as in the role of an administrator, and seek and develop your own opportunities from there. If your organization already has a security staff, you can bet that it is short-handed, so offering to assist will get you known to them.

What is the most rewarding part of your job?

Using technical acumen to address business issues.

What aspect of your job do you find most challenging?

Working within the confines of a business infrastructure, and not being able to bring all of my skills and resources to bear on an issue.

What do you do to relax when you’re not working?

I find incident response and computer forensics, particularly on Windows systems, to be fascinating, so it’s good that I have a job that I’m interested in. When I’m not working, I like to “think big thoughts” about technology and business challenges inherent to IR/CF, and how to address those challenges. I also like to spend time with my family and my church, lift weights, run, ride my horse, and read. I also get a great sense of accomplishment from completing a lot of the typical homeowner tasks, such as changing out light fixtures and chandeliers, power washing a deck, etc. Another hobby I’ve developed is an interest in beer, an interest that I promised my wife would stop short of actually brewing my own. Now and again, I like to go out someplace that I haven’t been before and try a new beer.

Harlan, thank you very much!

Leave a Comment

Latest Videos

Forensic Focus

Forensic Focus
In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools. They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi. Show Notes: A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234 YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/ Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools.

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_7QiFTiuY7Vw

AI In CSAM Investigations And The Role Of Digital Evidence In Criminal Cases

Forensic Focus 22nd March 2023 12:44 pm

Throughout the past few years, the way employees communicate with each other has changed forever.<br /><br />69% of employees note that the number of business applications they use at work has increased during the pandemic.<br /><br />Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.<br /><br />Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.<br /><br />Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.<br /><br />With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.<br /><br />Join Monica Harris, Product Business Manager, as she showcases how investigators can:<br /><br />- Manage multiple cloud collections through a web interface<br />- Cull data prior to collection to save time and money by gaining these valuable insights of the data available<br />- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box<br />- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee<br />- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_g6nTjfEMnsA

Tips And Tricks Data Collection For Cloud Workplace Applications

Forensic Focus 20th March 2023 12:00 pm

As a hybrid working environment continues to be a way of life for many professionals, the way employees communicate has been altered as well. The scope and volume of data that needs to be collected and reviewed from computers, mobile devices and cloud applications is evolving. As the devices and collaboration platforms employees use changes, the approach to collecting data generated on emerging devices and platforms grows increasingly complex as a result. In a 2022 Endpoint Intelligence benchmark survey, only 65% of legal professionals are confident in their ability to collect relevant data from endpoints. Understanding this ever-changing collection landscape is essential for legal and litigation technology professionals as modern data increases in volume in discovery. Join Monica Harris, Product Manager at Cellebrite Enterprise Solutions for an educational discussion on the what, when, why and how of modern data collections for legal teams.

As a hybrid working environment continues to be a way of life for many professionals, the way employees communicate has been altered as well. The scope and volume of data that needs to be collected and reviewed from computers, mobile devices and cloud applications is evolving.

As the devices and collaboration platforms employees use changes, the approach to collecting data generated on emerging devices and platforms grows increasingly complex as a result. In a 2022 Endpoint Intelligence benchmark survey, only 65% of legal professionals are confident in their ability to collect relevant data from endpoints.

Understanding this ever-changing collection landscape is essential for legal and litigation technology professionals as modern data increases in volume in discovery.

Join Monica Harris, Product Manager at Cellebrite Enterprise Solutions for an educational discussion on the what, when, why and how of modern data collections for legal teams.

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_jVTDS1UTTtA

We’re Not in Document Land Anymore: Modern Data Collections for Litigation Technology Professionals

Forensic Focus 6th March 2023 11:00 am

Load More... Subscribe
This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Detego Global Teams Up With MH Service To Deliver Free Access To Cutting-Edge DFIR Tools
News

Detego Global Teams Up With MH Service To Deliver Free Access To Cutting-Edge DFIR Tools

ByDetego Digital ForensicsMar 27, 2023
Digital Forensics Round-Up, March 23 2023
News

Digital Forensics Round-Up, March 23 2023

ByForensic FocusMar 23, 2023
UPCOMING WEBINAR – Identifying And Triaging Security Risks In Your Organization
News

UPCOMING WEBINAR – Identifying And Triaging Security Risks In Your Organization

ByCellebriteMar 23, 2023
AI In CSAM Investigations And The Role Of Digital Evidence In Criminal Cases
Podcast

AI In CSAM Investigations And The Role Of Digital Evidence In Criminal Cases

ByForensic FocusMar 22, 2023
Tips And Tricks: Data Collection For Cloud Workplace Applications
Webinars

Tips And Tricks: Data Collection For Cloud Workplace Applications

ByCellebriteMar 20, 2023
ADF Solutions Offers Complimentary Mobile Forensics Training On March 22nd
News

ADF Solutions Offers Complimentary Mobile Forensics Training On March 22nd

ByadfsolutionsMar 16, 2023
Share to...
BufferCopyFlipboardHacker NewsLineLinkedInMessengerMixPinterestPocketPrintRedditSMSTelegramTumblrVKWhatsAppXingYummly