Heather Mahalik, Senior Director Of Digital Intelligence, Cellebrite

Heather, tell us about yourself and your role at Cellebrite. What are you responsible for?

I have been in DFIR for almost 19 years and it has flown by. I joined Cellebrite as the Senior Director of Digital Intelligence in July 2019. I even wrote a blog about it. At Cellebrite, my role is to be an evangelist and speak on behalf of our customers and make our products stronger by educating our team on “how to think like examiners.” 

I feel that I use my voice to bridge the gap between the developer behind the Cellebrite product and the end-user or customer. We need to work together to get the greatest impact and extract the most Digital Intelligence, or the data extracted from data sources and the process by which agencies collect and analyze that data, from every investigation.

In addition to this, I research, blog, hold customer meetings, host webinars/Zoom meetings, and more. I love to research, share, learn, and educate! I love this job and the people I work with so much that it’s becoming a hobby.

Throughout your career in digital forensics, what’s stayed more or less constant since you started and what’s changed?

The only constant is you can never stop learning. When you think you know it all, you have lost your edge and it’s time to retire. Digital data changes so frequently. Think about it – when I started in 2002, there were no iPhones. Cloud was something we didn’t even really discuss and solid-state drives were something of the future. Technology has changed and will never stop evolving. As a result, we have to adapt and learn methods to access, manage, and analyze the data. Encryption, cloud and the use of applications is always changing and while it’s difficult, it’s fun! We love the challenge.

How did you adapt to those changes — what experiences and skills did you need? Would those same skills be useful in today’s mobile forensics landscape?

I constantly take new training courses and more importantly, I train myself. I work with a solid group of people and we research together. We dubbed ourselves the “Dream Team” as we dream things up and make them happen. We are friends who love our mission and love to research and share. We share our findings internally at Cellebrite and externally via “Life Has No Ctrl+Alt+Del” and “I Beg to DFIR,” two Cellebrite hosted customer webinars. 

We try to stay sharp and remain ahead of the curve. But a lot of our research stems from customer questions. We try to help them and, in turn, it helps the entire community. It really takes a village for some of these tougher cases. Devices are so large now, that it’s almost impossible to go file by file on every case.

The pressure from casework has become intense as data volumes and variety expand. How do you recommend practitioners stay up to date on new and emerging trends?

Practitioners need to do the following (in no specific order):

  1. Network and make “friends” with people who have specific skill sets. Leverage them and work with them – this can be done virtually and the listservs, Twitter and more are a great place for it!
  2. Get training – if you can’t afford it, create your own – attend webinars and then try what you learned, leverage public images to hunt artifacts you are curious about, create your own data, and examine it.
  3. Participate in community CTFs – these are capture-the-flag events that challenge everyone! You can learn something new with each one you play.
  4. Read – blogs, listservs, Google Groups, Twitter, etc. Set time to learn something new each week. Find something that intrigues you!
  5. Don’t be afraid to ask for help! Everyone has something to learn.

At DFRWS, you shared your research methodology with the audience. How do you recommend busy practitioners make time to dive deeper on research amidst everyday casework, especially if they don’t think of themselves as researchers?

First and foremost – don’t let “imposter syndrome” take over. Here is a podcast I recommend listening to. We have another podcast coming out soon on imposter syndrome. Everyone has something to contribute. Start small. If you are curious about one thing, research just that one single thing and then blog about it or shoot out a small Tweet. 

Ask someone you network with to review it. Everyone is busy. Asking someone to stop what they are doing to help your case may make sense sometimes, but cannot be the only way you function. Eventually, you are going to be told to do it yourself. 

Now, there are times where you need help and you should reach out. Just don’t be afraid to try something and validate what your gut is saying. That is how I started. I tried to re-create what I saw in a case. When I did it and the test reassured me, I felt so much better about my examinations!

You’ve talked about how important sharing is in the community. How do Cellebrite tools support and facilitate research and collaboration?

We recently worked on a CTF event that provided customers and those interested in our products with at least 4 public mobile images and the ability to try our tools for free and will be hosting more in the future. Cellebrite really tries to support our customers. As a Cellebrite customer for over a decade before joining the team myself, I can say that I worked a lot with the R&D and customer support teams on things that work wasn’t assigning us and new research. We love when our customers want to collaborate and share. 

Recently, I worked with one of our customers on research and talked him into blogging about it and running a “Life Has No Ctrl+Alt+Del” podcast episode, showing how much work he put into something that really impacts our iOS investigations that involve photos.

As far as collaboration goes, the Cellebrite Reader and the Cellebrite BlackLight Portable Case enable investigators to share data that they are working on without the requirement of an additional license. This is fantastic for those working on the same case. In the past, I would work investigations with people across the country. Leveraging tool capabilities like this is helpful. Especially when you can provide an attorney or investigator with data to flag or provide a triage view of the case while the examiner digs deeper into the data.

How do you think the pandemic affected both job-work and research, for better or worse? What are some lessons learned in the industry from these experiences?

I have never been busier! Isn’t that crazy? The pandemic changed a lot for those who have always been in the office. Think about this, if you work on classified material and have to go into a lab every day – your world was rocked! 

I know at Cellebrite, many of the R&D team were used to working beside one another. They had to learn how to communicate remotely. Our Solution Engineers (SE) were suddenly grounded and were forced to communicate with customers remotely. All of this made my life change. I have better working relationships with R&D, the SE team, customer support, and our customers than before. We Zoom, we talk and we have made so much progress. 

While I miss seeing people at conferences, Cellebrite Connect events and more, I feel closer to them. We get together with our customers on Mondays during “Life Has No Ctrl+Alt+Del,” during webinars, during customized Zoom sessions and now via our Cellebrite Community Roadshow and Cellebrite Virtual Connect events. Being home is hard for many because there are many distractions that we have to deal with. However, we are humans and we are surviving. 

Cellebrite was able to turn on a dime and enable us to work from home and supported our success in doing so. I think this pandemic will really change the belief that “you must travel to accomplish this task and you must be in the office from 9-5.” We have proven we can overcome this.

What are you most looking forward to at the end of 2020 and looking ahead to 2021?

Normally I would say the Cellebrite SKO (Sales Kick-off) trip to Tel Aviv, but this will be taking place virtually this year. I look forward to a vacation (seriously)! I’m also looking forward to the updated Physical Analyzer being released, which will make examiners’ lives so much better. I cannot wait to see this come to fruition. I also look forward to the efforts that Cellebrite and BlackBag have joined forces on that will be released. Looking ahead, I really want to get back to face-to-face meetings, events and see my team again. I miss them and I want to congratulate them and say, “what a ride this has been since March 2020!”

Leave a Comment