Heather, please tell us about your role as a Senior Instructor at SANS as well as a Forensic Scientist – what does your day-to-day routine look like?
As a Senior Instructor for SANS, I travel around the world to teach both FOR585, Advanced Mobile Forensics and FOR408, Windows Forensics Analysis about 10 times per year. I also teach online, which allows me to do my day job and spend two evenings a week teaching what I do all day. When I am not teaching, I am constantly testing new smartphone operating systems, apps and malware to see what is new, what the tools miss and methods for recovering the hard-to-find data. For FOR585, Advanced Smartphone Forensics, this is something that my co-authors and I do on a regular basis. Students rely on us to answer the hard questions and to teach them how to detect what the tools miss. For my day job, I am a Principal Forensic Scientist for Oceans Edge, a small business out of Reston, VA. I work off-site in PA, where I provide support to engineers who develop mobile applications and tools to support offensive efforts for our customers. I am primarily responsible for mobile application and secure communication analysis. Essentially, I try to tear down the app to detect vulnerabilities, leaks and develop methods to decode the data.
Your course, Advanced Smartphone Forensics, is available now through SANS. Could you give us a brief overview of the course – what modules are included, and what can students hope to get out of it?
This course is the first of its kind because it’s completely vendor neutral and focuses primarily on analysis. In FOR585, we provide instructions in the course books for acquiring data from mobile devices. While we don’t teach acquisition, we cover the harder topics for acquisition such as handling locked devices, rooting and jailbreaking, flashing custom ROMs to devices, MDM and encryption. All of these factors can prevent your tools from acquiring data. Students need to be aware of workarounds to get the data for their investigation.
Each of the major smartphone operating systems is covered in the course. Some students will say, “Well, I don’t see iPhones, so why do I have to learn this material?” and my response to that is that each day is laid out in a way that EVERY student needs to learn that material. Why? Because what we teach on iPhone day applies to other smartphone OSs as well.
For example, we have an advanced decoding section that enables the student to determine if the phone or the user put the data on the device. The tool cannot decide this for you! It’s impossible. Every time your smartphone “thinks” or “suggests” something for you, that data is stored on the device. This is one of my favorite things to teach! We cover this every day and it pertains to all smartphones. So, what you learn on iPhone day will pertain to Android. What you learn on BlackBerry day (such as encryption on SD cards) will apply to Android and Windows Phone.
When we wrote this course, we kept in mind that everyone doesn’t see the same devices. We tried to incorporate as many hurdles into the labs to ensure that if you don’t see a BlackBerry, that module and lab are worth your time, because it will introduce you to examining encrypted data on SD cards. I cannot stress enough that the course was written for everyone. Even if you don’t think you see that type of device, you will walk away with knowledge that you can apply to devices you regularly examine.
The major topics that are covered include: Malware, Android, iOS, BlackBerry, Windows Phone, Knock-off devices, Nokia, Encryption, Manual Decoding, 3rd Party Apps and recovering deleted data and traces of wear leveling. We have incorporated 17 labs to enforce what the students learn. Our capture the flag (forensic challenge) covers all aspects taught to the students throughout the week and allows them to test their skills on several devices to solve the investigation.
You're a co-author of "Practical Mobile Forensics" – tell us more about the book and the challenges authors face when writing about digital forensics issues.
This book was fun to write. I was lucky that I had the opportunity to write with two hackers, who have an entirely different perspective when handling mobile devices. I will say that we all learned a lot from one another, which made the process fun, but also hard to make sure the message was consistent. We wanted to give the community a book that teaches the basics of mobile device forensics with the use of free and open-source solutions, where possible. This is one of the topics that I am always asked about by students who don’t have large budgets. They need to know how they can acquire and analyze smartphones on a budget. This book is their answer and will help them acquire and analyze data from Android, iOS, BlackBerry and Windows Phone devices all without buying commercial tools.
The hard part about writing a technical book, especially a smartphone book, is that the technology is always changing. New OS versions were released while we were writing and we found ourselves in final edits without the ability to add new material. This book could already have updates and it was released in July 2014. Having said that, the practicalities of the trade have not changed, so the book has a great foundation to continue to provide good advice to the community.
Many popular smartphone manufacturers are now including encryption as default on their devices. What are your views on this? Are we fighting a losing battle by trying to break encryption?
Encryption does hurt us. Anyone who says it doesn’t is fooling themselves. Full disk encryption makes acquisition and analysis sometimes impossible, depending on the device. I always teach students to try everything anyway, because you never know what you might get! One truth is that encrypted devices normally perform slower. Users do not like this, which often prompts them to disable it. I hope this remains true.
Encrypted devices and applications make our jobs harder. Yes, it protects us as users, but as an examiner, it’s so frustrating to come across a device where the data is fully encrypted (like BlackBerry). In FOR585, we teach methods around this. For example, can you crack the password to access the data on the device? How to acquire data on a device that is enforcing Full Disk Encryption and how to deal with encrypted apps. The encrypted apps are near and dear to my heart because I deal with this every single day. We teach the students methods for decryption as well as where to find the data leaks that may get them enough information to support their investigation.
One challenge faced by investigators is the speed at which new features and application updates are introduced, particularly on smartphones. What can be done to address this?
This is where the community really helps. We have a great DFIR community who all play a key role in keeping up. For FOR585, we provide the students with cheat sheets to help them identify where key evidence is stored on each smartphone. These cheat sheets are updated with every OS release and are stored in a protected FOR585 section of my website, smarterforensics.com. This provides FOR585 alumni with a way to stay current and ensure they aren’t missing data! The authors of FOR585 try to do this for students. Why? Because it’s our job and because we love unveiling new tricks to get data from these devices!
Another aspect to consider is what happens when a device is upgraded. Does the old data go away? Absolutely not! Do you think all of the tools recover the old and new data? Absolutely not! Do you think we cover this in FOR585? Absolutely! It is up to the examiner to know the OS of the device, where the data is stored, how to decode it and how to determine if the device was upgraded and contains legacy data.
In your opinion, what does the future hold for digital forensics? Are we as an industry moving fast enough to keep up with current challenges?
I believe that mobile has really taken over in the last few years. Everyone has at least one smartphone or tablet. Even my father has both. These are the most personal electronic devices a person owns. Most people will share a laptop, but never their phone. I think that encryption will continue to challenge us, but that is where our jobs get interesting as we try to crack our way in to access the data. I also think that data synchronization across computers, tablets and phones will continue to increase and force us to learn multiple trades to solve one case. By this, I mean that the examiner must have a variety of forensic skills to successfully examine the data.
For example, let’s say that the investigation involves an iPhone and a Samsung laptop. To handle this data, the user will need to know Windows forensics and how to examine the iPhone. Now, consider this: what about data in the Cloud, network storage, items running in memory and malware that could exist on both the laptop and the phone? This is why we have to keep learning and taking training. It’s hard enough to keep up with one trade and, the way technology has advanced, you will not be good enough if you stick to simply one area of digital forensics. I know that training is expensive, but it’s possible to teach yourself and take the SANS free webcasts, which always teach a method for forensicating data.
What advice would you give to someone who is thinking of studying digital forensics? Are there any specific areas they should be focusing on?
I think this is a great field to branch into. There seems to be more work than qualified examiners. Make sure you look into what employers want for a beginner coming out into the workforce. I know that as a hiring manager, we were encouraged to find candidates who earned a BS in computer science, engineering or forensics. If you don’t have this type of degree, other areas that are considered are trainings and certifications. Take training courses that will help you grow as an examiner and make as many contacts in the community as possible. Getting your foot in the door is often the hardest thing to do. From there, I promise you, if you try hard and stay current, you will have limitless opportunity. For training, I would say learn the basics and then branch into incident response, network forensics and memory forensics. If the devices are fully encrypted and you cannot acquire the data, sometimes capturing data from memory may be your only and best evidence.
And finally, when you're not teaching or working in forensics, what do you enjoy doing in your spare time?
I am the mom of a 2-year-old son, who keeps me on my toes. I love spending time with him and my husband. We travel, spend time at the beach and at our home in PA. When not being a mom/wife, I ride my horse! This is one of the best parts of my week. There is nothing like hopping on your horse and going on a fox hunt or just cantering through a field. Want to clear your mind? Come meet my horse. I am also a wine enthusiast and love cooking. Again, something that I enjoy because you get immediate results, which we often don’t in our career. In forensics, it takes a while to solve some cases and problem sets. With dinner, I can whip up a meal that impresses my family and gives me satisfaction that some things can be achieved in a few hours.
Heather Mahalik is a Senior Instructor at SANS, a global provider of live and online training in digital forensics, as well as a Forensic Scientist at Smarter Forensics.