Heather Mahalik, Senior Instructor, SANS

Heather, please tell us about your role as a Senior Instructor at SANS as well as a Forensic Scientist – what does your day-to-day routine look like?

As a Senior Instructor for SANS, I travel around the world to teach both FOR585, Advanced Mobile Forensics and FOR408, Windows Forensics Analysis about 10 times per year. I also teach online, which allows me to do my day job and spend two evenings a week teaching what I do all day. When I am not teaching, I am constantly testing new smartphone operating systems, apps and malware to see what is new, what the tools miss and methods for recovering the hard-to-find data. For FOR585, Advanced Smartphone Forensics, this is something that my co-authors and I do on a regular basis. Students rely on us to answer the hard questions and to teach them how to detect what the tools miss.

For my day job, I am a Principal Forensic Scientist for Oceans Edge, a small business out of Reston, VA. I work off-site in PA, where I provide support to engineers who develop mobile applications and tools to support offensive efforts for our customers. I am primarily responsible for mobile application and secure communication analysis. Essentially, I try to tear down the app to detect vulnerabilities and leaks, and develop methods to decode the data.

Your course, Advanced Smartphone Forensics, is available now through SANS. Could you give us a brief overview of the course – what modules are included, and what can students hope to get out of it?

This course is the first of its kind because it’s completely vendor neutral and focuses primarily on analysis. In FOR585, we provide instructions in the course books for acquiring data from mobile devices. While we don’t teach acquisition, we cover the harder topics for acquisition such as handling locked devices, rooting and jailbreaking, flashing custom ROMs to devices, MDM and encryption. All of these factors can prevent your tools from acquiring data. Students need to be aware of workarounds to get the data for their investigation.

Each of the major smartphone operating systems is covered in the course. Some students will say, “Well, I don’t see iPhones, so why do I have to learn this material?” and my response to that is that each day is laid out in a way that EVERY student needs to learn that material. Why? Because what we teach on iPhone day applies to other smartphone OSs as well.


For example, we have an advanced decoding section that enables the student to determine if the phone or the user put the data on the device. The tool cannot decide this for you! It’s impossible. Every time your smartphone “thinks” or “suggests” something for you, that data is stored on the device. This is one of my favorite things to teach! We cover this every day and it pertains to all smartphones. So, what you learn on iPhone day will pertain to Android. What you learn on BlackBerry day (such as encryption on SD cards) will apply to Android and Windows Phone.

When we wrote this course, we kept in mind that not everyone sees the same devices. We tried to incorporate as many hurdles as possible into the labs to ensure that if you don’t see a BlackBerry, that module and lab is still worth your time, because it will introduce you to examining encrypted data on SD cards. I cannot stress enough that the course was written for everyone. Even if you don’t think you see that type of device, you will walk away with knowledge that you can apply to devices you regularly examine.

The major topics that are covered include: Malware, Android, iOS, BlackBerry, Windows Phone, Knock-off devices, Nokia, Encryption, Manual Decoding, 3rd Party Apps and recovering deleted data and traces of wear leveling. We have incorporated 17 labs to enforce what the students learn. Our capture the flag (forensic challenge) covers all aspects taught to the students throughout the week and allows them to test their skills on several devices to solve the investigation.

You're a co-author of "Practical Mobile Forensics" – tell us more about the book and the challenges authors face when writing about digital forensics issues.

This book was fun to write. I was lucky that I had the opportunity to write with two hackers, who have an entirely different perspective when handling mobile devices. I will say that we all learned a lot from one another, which made the process fun, but also hard to make sure the message was consistent. We wanted to give the community a book that teaches the basics of mobile device forensics with the use of free and open-source solutions, where possible. This is one of the topics that I am always asked about by students who don’t have large budgets. They need to know how they can acquire and analyze smartphones on a budget. This book is their answer and will help them acquire and analyze data from Android, iOS, BlackBerry and Windows Phone devices, all without buying commercial tools.

The hard part about writing a technical book, especially a smartphone book, is that the technology is always changing. New OS versions were released while we were writing and we found ourselves in final edits without the ability to add new material. This book could already have updates and it was released in July 2014. Having said that, the practicalities of the trade have not changed, so the book has a great foundation to continue to provide good advice to the community.

Many popular smartphone manufacturers are now including encryption as default on their devices. What are your views on this? Are we fighting a losing battle by trying to break encryption?

Encryption does hurt us. Anyone who says it doesn’t is fooling themselves. Full disk encryption makes acquisition and analysis sometimes impossible, depending on the device. I always teach students to try everything anyway, because you never know what you might get! One truth is that encrypted devices normally perform slower. Users do not like this, which often prompts them to disable it. I hope this remains true.

Encrypted devices and applications make our jobs harder. Yes, it protects us as users, but as an examiner, it’s so frustrating to come across a device where the data is fully encrypted (like BlackBerry). In FOR585, we teach methods around this. For example, can you crack the password to access the data on the device? How do you acquire data on a device that is enforcing full disk encryption, and how do you deal with encrypted apps? The encrypted apps are near and dear to my heart because I deal with this every single day. We teach the students methods for decryption as well as where to find the data leaks that may get them enough information to support their investigation.

One challenge faced by investigators is the speed at which new features and application updates are introduced, particularly on smartphones. What can be done to address this?

This is where the community really helps. We have a great DFIR community who all play a key role in keeping up. For FOR585, we provide the students with cheat sheets to help them identify where key evidence is stored on each smartphone. These cheat sheets are updated with every OS release and are stored in a protected FOR585 section of my website, smarterforensics.com. This provides FOR585 alumni with a way to stay current and ensure they aren’t missing data! The authors of FOR585 try to do this for students. Why? Because it’s our job and because we love unveiling new tricks to get data from these devices!

Another aspect to consider is what happens when a device is upgraded. Does the old data go away? Absolutely not! Do you think all of the tools recover the old and new data? Absolutely not! Do you think we cover this in FOR585? Absolutely! It is up to the examiner to know the OS of the device, where the data is stored, how to decode it and how to determine if the device was upgraded and contains legacy data.

In your opinion, what does the future hold for digital forensics? Are we as an industry moving fast enough to keep up with current challenges?

I believe that mobile has really taken over in the last few years. Everyone has at least one smartphone or tablet. Even my father has both. These are the most personal electronic devices a person owns. Most people will share a laptop, but never their phone. I think that encryption will continue to challenge us, but that is where our jobs get interesting as we try to crack our way in to access the data. I also think that data synchronization across computers, tablets and phones will continue to increase and force us to learn multiple trades to solve one case. By this, I mean that the examiner must have a variety of forensic skills to successfully examine the data.

For example, let’s say that the investigation involves an iPhone and a Samsung laptop. To handle this data, the user will need to know Windows forensics and how to examine the iPhone. Now, consider this: what about data in the cloud, network storage, items running in memory and malware that could exist on both the laptop and the phone? This is why we have to keep learning and taking training. It’s hard enough to keep up with one trade, and the way technology has advanced, you will not be good enough if you stick to simply one area of digital forensics. I know that training is expensive, but it’s possible to teach yourself and take the SANS free webcasts, which always teach a method for forensicating data.

What advice would you give to someone who is thinking of studying digital forensics? Are there any specific areas they should be focusing on?

I think this is a great field to branch into. There seems to be more work than qualified examiners. Make sure you look into what employers want for a beginner coming out into the workforce. I know that as a hiring manager, we were encouraged to find candidates who earned a BS in computer science, engineering or forensics. If you don’t have this type of degree, other areas that are considered are trainings and certifications. Take training courses that will help you grow as an examiner and make as many contacts in the community as possible. Getting your foot in the door is often the hardest thing to do. From there, I promise you, if you try hard and stay current, you will have limitless opportunity. For training, I would say learn the basics and then branch into incident response, network forensics and memory forensics. If the devices are fully encrypted and you cannot acquire the data, sometimes capturing data from memory may be your only and best evidence.

And finally, when you're not teaching or working in forensics, what do you enjoy doing in your spare time?

I am the mom of a 2-year-old son, who keeps me on my toes. I love spending time with him and my husband. We travel, spend time at the beach and at our home in PA. When not being a mom/wife, I ride my horse! This is one of the best parts of my week. There is nothing like hopping on your horse and going on a fox hunt or just cantering through a field. Want to clear your mind? Come meet my horse. I am also a wine enthusiast and love cooking. Again, something that I enjoy because you get immediate results, which we often don’t in our career. In forensics, it takes a while to solve some cases and problem sets. With dinner, I can whip up a meal that impresses my family and gives me satisfaction that some things can be achieved in a few hours.

Heather Mahalik is a Senior Instructor at SANS, a global provider of live and online training in digital forensics, as well as a Forensic Scientist at Smarter Forensics.
