Jad, can you tell us something about your background and how you became involved in digital forensics?
It all started when I was a teenager and first got exposed to computers and software. I immediately was drawn to understanding how things worked and began writing software to solve problems. In fact, at age 15 I sold a disk utility program that I developed to a Danish bank. After high school, I was formally educated in network security and computer science.
After spending some time in the corporate world as a network administrator at a large software company I decided to follow my dream of becoming a police officer. I started out as a Constable and later joined the Tech Crime Unit as one of the forensic examiners. This was a dream job for me as I could marry my love for computers with my passion for policing.It was during my time in the forensic lab that I realized there was a gap in the available tools to easily recover data such as chat, webmail, and web browsing history from a hard drive. What was available was complicated and took many hours of manual work. This was the genesis of Internet Evidence Finder (IEF) with the goal of making it simple to use and save precious time for an examiner.
As Founder & CTO of JADsoftware, what does your role involve? How involved are you with the development of Internet Evidence Finder (IEF)?
Up until Sept 2011, I was doing a lot of the programming myself with the help of a couple of developers. I now manage an entire team of developers that are writing the code. However, writing code is only part of the formula as it’s my experience with forensic investigations that allows us to really understand what examiners are looking for.
My role as CTO crosses a lot of areas of our business but I would boil down my focus to 3 main areas. The first area I spend a lot of my time on is product innovation & our future technology vision. The industry is changing rapidly and criminals are getting smarter so I’m doing a lot of research on new artifacts and methods to improve the data recovered to always be a step ahead. I’m also looking at ways to leverage our experience with IEF to develop tools that address some of the upcoming forensic challenges like cloud computing, solid state hard drives, and recovering data from live RAM.
The second area that I put a high priority on is getting out and meeting our customers. Our latest release of IEF was almost entirely based on customer feedback through face-to-face meetings, surveys, and discussions at industry events. The last thing we want to do is get complacent and think that we know what our customers want. We are in business to build long term relationships and create true partnerships.
The last priority area is attracting people to our company that have the same passion about building tools that are helping the greater society. Top notch talent is a very important part of continuing to innovate and bring the highest quality products to our customers.
What exactly does Internet Evidence Finder do and what are the main features which set it apart from similar forensic tools?
In a nutshell, IEF is a computer forensic tool that allows an examiner to automate data recovery on a hard drive, live RAM, or selected files for over 50 different types of artifacts.
The main features that set us a apart from other forensic tools include:
1. The ability to do a single search for 50+ artifacts including social networking, instant messaging, web browser history, webmail, and P2P. No manual carving or multiple scripts to run. Just select the artifacts and click “Find Evidence”. An examiner doesn’t have a complex configuration/installation to deal with and doesn’t have to run separate data recovery tools for different types of artifacts. IEF is an end-to-end integrated tool that you just point and click to use.
2. IEF searches in more locations on a hard drive than any other product. This includes entire logical or physical drives, unallocated/deleted data, RAM captures, network PCAP, pagefile.sys, hiberfil.sys files (including decompression), entire user-selected folders and subfolders, and special areas of the NTFS file system. There is not another data recovery tool that automatically targets the relevant search areas like IEF does.
3. We have made IEF one of the easiest forensic products to use. From the simple user interface to the report viewer we have made it as straightforward and intuitive as possible. Whether you are an experienced examiner or new to forensics you will feel comfortable with IEF. Unlike other products that require in-depth training you can get started quickly with IEF.
4. IEF provides relevant & accurate data recovery with less false positives. We have spent a lot of time refining our search and carving algorithms to make the recovered data as accurate and complete as possible.
5. The power of IEF in a portable product called IEF Triage that can be used in the field on live systems. It comes with a built-in live RAM capture capability, on-scene quick search, automated encrypted disk detector, and “stealth” mode that leaves no digital footprint.
Is there a typical user of Internet Evidence Finder?
We have customers across three segments including law enforcement, government, and corporate. For our law enforcement customers a typical user is a forensic examiner or investigator. For our government clients it usually is a forensic analyst/manager within a district attorney’s office, revenue agency, postal service, energy dept., and educational institutions. Users within our corporate clients can be cyber investigators, incident response personnel, e-discovery, and IT.
Validation of a forensic tool is clearly of paramount importance for investigators when presenting evidence. Tell us a little about the validation and verification procedures which have been used to ensure that evidence gathered with Internet Evidence Finder is admissible in court.
We conduct extensive testing and research when we add a new artifact to IEF, including but not limited to examining files/data in unallocated space, RAM captures, and network traffic. We make sure our recovery methods are repeatable and consistent across different datasets, with built-in verification/validation procedures that discard data that doesn’t mean certain criteria.
We also understand the importance of being able to validate IEF’s results with other forensic tools. In our report viewer where the results are displayed, all artifact locations map to the physical sector offset or file offset for easy validation with other forensic tools like FTK.
Live analysis of running systems has become more commonplace over the past few years. Tell us more about the RAM capture functionality of Internet Evidence Finder in the Triage version of the product.
With our IEF Triage product we added the ability to do a live RAM capture from within the software. The goal in adding this capability was to help streamline the workflow for an examiner. It eliminates the need to use a third party tool to capture and then search using IEF. Our RAM capture tool has a very small footprint, works on 32 and 64 bit operating systems (from Windows XP to 7, and also in early releases of Windows 8), and has been tested to successfully capture RAM images well beyond 4GB in size.
What trends do you see in forensic computing? How will JADsoftware (and Internet Evidence Finder) evolve to meet these challenges?
1. Cloud computing – The cloud is a hot topic right now is certainly an area to be aware of when conducting investigations. We have a number of products planned that will directly assist in recovering data related to usage of cloud services and retrieving data in the cloud.
2. SSD – SSD drives are starting to become more commonplace, with prices of these drives gradually dropping over the past few years. The use of these drives means that over time, there will be less data to be found in unallocated space. However, the good news for forensic examiners is that there are still many other areas to locate evidence (including live files of course), and the destruction of data in unallocated is not as drastic as some may think. Our tests have shown data living in unallocated clusters even after many days of use and idle time.
3. RAM – Somewhat related to the last point, analysis and examination of RAM captures will become more and more important over time as SSD drives become more prevalent, and RAM sizes increase. As less data is left behind on hard drives, more will be available in RAM. As well, the average system being sold today has around 4 to 6GB of RAM. As that average starts to hit 8, 16, 24GB and beyond, the importance of capturing the data in RAM will be that much more important. In developing IEF, we will continue to focus on implementing the ability to carve artifacts from sources like RAM.
4. New technologies – The speed with which mobile technologies are progressing means this will be an area that will be important to keep up with. New operating systems will emerge and that means new means of accessing these devices and recovering data from them will be needed. Gaming consoles are also evolving, becoming much more than just gaming systems, with the potential to contain a great deal of evidence. Add to all of this the increasing use of encryption, at the disk and file level. This trend will require investigators to rely on good ol’ police work in how they do their seizures to ensure they are getting devices/files in their unencrypted state.
What do you do to relax when you're not working?
When I’m not working I really cherish the time with my 3 young children and getting involved in their activities whether it’s soccer, hockey, or just playing in the backyard. I’m a car buff as well and love tinkering around with a beer in hand (I usually don’t end up getting much done but I enjoy the experience).
Coming from a policing background, I still like to work hard and play hard so I’m always up for an adventure or finding a new interesting place to share a few drinks with good friends. I also enjoy hitting the gym for a good weight lifting workout whenever I can, but since I’ve left the force the workouts have definitely declined. Hoping to change that while still keeping JADsoftware as my main focus.
Learn more about Internet Evidence Finder and other products from JADsoftware at www.jadsoftware.com.