Harlan Carvey

How did you get started in computer forensics? Was there something in particular which appealed to you about investigating computer misuse?

When I first got started in computer security, I quickly noticed the number of people who were Linux or Unix gurus. The next thing I noticed was that there was an inability (or lack of desire) to transition to the Windows world. What I find most appealing about investigating computer misuse is that a great deal of it occurs on Windows systems, which is the platform that I’ve focused on, almost since the beginning.

Computer crimes require a good deal of technical knowledge in order for the examiner to thoroughly investigate them. However, this is not all that is required. The examiner must also have the ability to communicate his findings to the client, who may not be as technically proficient. And there is more to the picture than simply locating an artifact or two during an examination. The investigator must be able to correlate multiple artifacts, as the information can move from convicting to exonerating the individual. Finally, this field has no end of technical challenges.

Can you tell us something about where you work? What type of work do you do there?

I started out working for ISS on the Emergency Response Services team in February 2006. Later that year, ISS was purchased by IBM, so I now do the same work but for IBM. Most of the work we do centers around issues of emergency computer incident response and forensic analysis.


Your book “Windows Forensics and Incident Recovery” was well received. Can you give us some information about your next book, “Windows Forensic Analysis”?

This next book is not a follow-on or second edition to the first book. Instead, it’s a more technically detailed approach to performing live response and forensic analysis, specifically on Windows systems. There is more emphasis on log files, as well as emphasis on areas of study that have more recently been in focus, such as RAM dump or memory analysis, and Registry analysis. So far, the work I have done on the book has been very well received by the technical editors. I have to thank Jesse Kornblum and Troy Larson for their efforts in assisting me with this book.

In addition to writing books, you also manage to keep your blog at windowsir.blogspot.com up to date. Where does your motivation to write about computer forensics come from and what do you get out of the process?

I wouldn’t say that I really keep the blog up-to-date, per se. Much like others in the blogging world, one of the reasons I blog is because bookmarks simply have no context. Sometimes, I have no idea why I bookmarked something, whereas if I write a blog post, I can add context to the URL, and at the same time share that with others. Also, the blog is another vehicle for me to share information and things that I discover and come up with. If I have a challenge in a case that I’m working on, it has occurred to me that others might also have the same challenge, so I’ve posted information in my blog, as well as posted tools to the SourceForge site associated with the blog.

With the recent release of Vista, what new challenges might be in store for the forensics community?

A lot of responses to questions like this focus on technological issues, such as BitLocker and ReadyBoost, etc. I think that the real challenge that will be presented to the forensic community at large is one of communication and information sharing. The vast majority of folks within the “community” don’t have anything to contribute; they’re just there, and if they’re on public lists, they’re reading some of what others post, but for the most part, they don’t add anything to the knowledge base. A lot of the folks I talk to at conferences say things like, “I don’t have the time to do the research”, and I completely understand that…but there’s more to contributing than doing research and publishing. Some of us write tools and have even provided those tools to others, at their request…how about some feedback on the tools, their use, etc?

Not everyone has the ability or even the interest to program. Not everyone has the ability or interest to publish. No one is asking that everyone in the community do this. We all bring something to the table, and the strength of a community is based on those differences. If someone requests or downloads a copy of the tool, provide feedback to the author on how well it worked when deployed in various situations. Engage in discussions, provide your thoughts or opinions. Add to the foundation of knowledge in some way, even by simply asking the question, “why?”

As far as challenges specific to Vista, there are a number of issues that come up at first blush. Everyone’s pointing to BitLocker and whole-drive encryption as a “challenge”, but I think that we already have some viable solutions to this challenge in live response and memory/RAM collection and analysis. What about Registry analysis? How has the Registry changed with Vista, and how has it remained the same? How about memory analysis? We are just now starting to look at incorporating the pagefile into RAM analysis (thanks to Jesse Kornblum), and now Vista presents us with ReadyBoost. What about the Vista SuperFetch capability? I think that the real challenge with these issues will be to get the community to recognize their viability as forensic resources, so that study and research will be brought to bear on them and shared openly.

One of the questions we’re often asked at Forensic Focus is “how do I get started in a computer forensics career?” What advice would you give? What qualities do you think are most important for work in this field?

I don’t think that being a technological wizard is the most important quality to look for in someone in this field. To be “competent”, do you have to be able to understand and program in assembly? No. Computer forensics is about methodology and process, and communicating your results to others. From a hiring perspective, I’d rather hire someone that I need to work with to grow them technically, but they already have some sense of how to handle themselves in customer-facing situations, as well as the ability to write and communicate coherently.

Getting started in the field isn’t all that hard. Some examiners in the field come from programming and/or networking backgrounds, and it’s important to have a broader knowledge base than just imaging drives. One route for folks is the military…enlisting under contract to a specific specialty, or even a guarantee of specific job placement, is an option. It may also help to have some college coursework under your belt when you do that. Another option is to start out in an IT field, such as in the role of an administrator, and seek and develop your own opportunities from there. If your organization already has a security staff, you can bet that it is short-handed, so offering to assist will get you known to them.

What is the most rewarding part of your job?

Using technical acumen to address business issues.

What aspect of your job do you find most challenging?

Working within the confines of a business infrastructure, and not being able to bring all of my skills and resources to bear on an issue.

What do you do to relax when you’re not working?

I find incident response and computer forensics, particularly on Windows systems, to be fascinating, so it’s good that I have a job that I’m interested in. When I’m not working, I like to “think big thoughts” about technology and business challenges inherent to IR/CF, and how to address those challenges. I also like to spend time with my family and my church, lift weights, run, ride my horse, and read. I also get a great sense of accomplishment from completing a lot of the typical homeowner tasks, such as changing out light fixtures and chandeliers, power washing a deck, etc. Another hobby I’ve developed is an interest in beer, an interest that I promised my wife would stop short of actually brewing my own. Now and again, I like to go out someplace that I haven’t been before and try a new beer.

Harlan, thank you very much!
