Jan, tell us a bit about yourself. What's your role, and what does a typical day in your life look like?
Well, I am a research assistant in the Cyber Analysis & Defense department of Fraunhofer FKIE in Bonn, Germany. We do a lot of research in the area of malware and firmware analysis, but also digital forensics. This is currently also my research topic, especially file system forensics. Besides working on my own research, we do a lot of teaching with the University of Bonn and work closely together with federal agencies on other projects.
What was it that first sparked your interest in digital forensics, and how did you get into the field?
Actually, my colleague Martin Lambertz brought me there. When I was still a student at university, he was my supervisor for labs and seminars and finally also for my master's thesis. So he was the reason I started doing digital forensics.
You've recently published a paper about extending The Sleuth Kit. What challenges did your research aim to address?
The Sleuth Kit works great on all established file systems which are based on the "one file system to one volume" principle. But unfortunately, when it comes to ZFS for example, this principle is not used anymore. We actually first thought about that when we used FreeNAS, which supports ZFS. We were just wondering whether TSK could deal with such a file system and, if it could not, we had to find out why. And this new pooled storage file system principle was the reason.
Can you briefly outline for us the results of your research?
We came to the conclusion that TSK and the model it is based on need a new stage which deals with the analysis of pools, similar to the volume analysis, which is covered by the model and deals with the detection of partitions or RAIDs. So we extended the model and provided a prototypical implementation for TSK, which now works on ZFS plus all the established file systems it supported before.
In your opinion, what are the main advantages of using open source tools like The Sleuth Kit?
I guess the biggest advantage is that people like me and my colleagues, for example, can contribute to these tools and extend their functionality. So it is not only a big advantage for users, who don't need to pay anything, it is also a big enrichment for research and the development of digital forensics.
What are some of the challenges digital forensic investigators might come up against when using open source tools, and how can these be addressed?
Open source tools might not be tested as extensively as commercial tools. But from my own experience, the support of the community on open source tools has always been great, so I wouldn’t count that as a challenge.
Another thing is that open source tools might not be as well accepted as well-established products from certain companies. This is typically not because of the quality of the open source tools but rather because they are not as widely used as their commercial counterparts.
Last, open source tools lacking a good community tend to become outdated. Nevertheless, we think that the advantages of open source tools outweigh these problems, especially from a research point of view.
Do you have any advice for students of digital forensics?
I would tell them that they made a very good decision! Digital forensics has so many areas, like memory or network forensics, which have their own challenges we are currently facing. Students can and should talk to practitioners in order to find out more about these challenges, which should help them focus their own research.
Finally, when you're not researching, what do you enjoy doing in your spare time?
I really like to travel around the world or play the piano in my spare time. And occasionally I like to go out for a drink or two!
After obtaining his university entrance qualification in 2010, Jan-Niclas Hilgert started his bachelor's degree course at RWTH Aachen. His interest in computer science was reinforced during these three years, which is why he focused even more on computer engineering by starting a master's degree course in computer science at the University of Bonn. Besides working for the institute of robotics, he took his first steps into the world of digital forensics together with research assistants of Fraunhofer FKIE. During that time he dedicated himself to file system and volume analysis, including the creation of an analyzer for complex volume structures. This collaboration culminated in his master's thesis "Evaluating the contemporary applicability of the standard model for file system analysis" in 2016 and a Master of Science degree.
Afterwards, Jan-Niclas continued to work for Fraunhofer FKIE as a research assistant for digital forensics. Additionally, he gives training courses on incident response, intrusion detection, and network and storage forensics for public authorities and business partners.
You can find out more about FKIE's work here.