Jeff Hedlesky, Forensic Evangelist For Tableau Hardware, OpenText

Jeff, you've worked at OpenText and (prior to its acquisition) Guidance Software for nearly nine years. What attracted you to work here initially?

Digital forensics was in its infancy back when I was working for Oxford Semiconductor in the early 2000s. When two people I knew and respected in the computer industry, James Wiebe (founder of WiebeTech) and Robert Botchek (founder of Tableau) both independently began work on digital forensic write blockers, both based around one of our OxSemi components, I knew there was something special happening. I’m an (old) nerd, but I’m also an Eagle Scout, so when I found an industry which used a variety of cutting-edge technologies to help the good guys “do their best” to stop the bad guys, I was hooked.

As a Forensic Evangelist, what does a typical workday look like for you?

I think the most ‘typical’ thing about my days is that they’re rarely typical. When Robert hired me to work for him at Tableau, he purposely gave me my title, so that it would be very difficult for Guidance Software to pigeon-hole me into “just” a sales role, or a marketing role, or an engineering role. On any given day, I might be helping put together our next marketing piece on a Tableau TX1, jumping on a call to help one of our sales team walk a customer through their hardware needs for that new DF lab they’re constructing, assisting our support team with tricky hardware questions, or getting prepped for my next presentation at OT’s next DF trade event.

Some days I’m in Waukesha, working directly with our team there on product development projects. Some days I’m in Australia, or Kenya, or Brazil, or Egypt, or in a really strange place called Washington, DC.

As the digital forensics industry has evolved to include a much broader range of storage media, how have you seen Tableau customers and their needs change? What are their primary technical and procedural challenges now, versus nine years ago when you started?

The trick is to decide which axis of “change” to focus on. Nine years ago, the folks doing DF were centered in defense, intelligence and law enforcement. They were primarily “self-taught”, in that none of them started their careers to be DF examiners; they volunteered to enter this emerging market, and pulled themselves up by their bootstraps.

Today, kids are graduating all across the country from university DF programs, and they’re entering many more industries with that training. Fortune 1000 companies are growing their DF staffs, and those staffs (like their cousins still in defense/intelligence/law enforcement) are increasingly evolving into DFIR activities. That’s primarily because ‘the work’ is no longer limited to desktop / laptop computers. Sure, our customers still expect us to enable them to acquire evidence from any digital media they might encounter (including all the new flavors of PCIe media), but the evidence is also now on mobile devices, in the cloud, and on the internet. This means we have to keep doing a great job on what we’ve always done, but also do new things, like mobile, cloud and internet forensics.

How has the Tableau product line evolved over time to meet those challenges, in both technical and procedural terms? What feedback are you receiving from customers?

With the release of the OpenText Tableau TX1 Forensic Imager, we really increased our focus on network-based operations. Whether that be imaging from network volumes (CIFS/SAMBA or iSCSI) or outputting to a NAS in the field (or a SAN, Storage Area Network, in the lab), or the addition of HTML-based remote operations, we’re really re-imagining what a modern forensic imager can do. This focus on network-based operations (made painless by our inclusion of crazy-fast 10Gb Ethernet on TX1) is the direct result of the many hundreds of conversations we’ve had with our end-customers, all around the world. Likewise, with the 2020 launch of our API for TX1, we’re responding to our customers’ requests for better ways to integrate and automate their Tableau imaging operations.

Forensic procedures have changed over the years, and Tableau has frequently been an agent of that change. Back in 2008, we released the TD1 forensic duplicator at a time when most imaging was still done with forensic bridges. TD1 changed that, with its compelling feature set, performance and price. Suddenly, federal agencies were switching their “best practice” in the field from bridges and laptops to forensic duplicators. The feedback we got from those “early adopters” led directly to the release of TD2, while other customers told us they needed something “more”, and that “more” became TD3, the world’s best-selling forensic imager, ever. (But we wouldn’t be offended if TX1 eventually steals that title.)

Tell us a little more about the product line itself. What different use cases and scenarios do the different imagers support?

We really have four classes of products: Portable bridges, which is where Tableau began, primarily used in field investigations in conjunction with a laptop running a software forensic tool like EnCase; OEM bridges, which go into the drive bay of a forensic workstation, designed and built by one of our global partners; forensic duplicators, which are small, fast and easy to use in field imaging operations; and forensic imagers, like the TX1 (and the TD3 before it) which can be used in the field or in the lab to provide broad media support, simultaneous operations and blistering performance.

Most of our customers use a combination of these hardware tools in various stages of their investigation workflow. Sometimes they’ll use the bridges, along with their forensic software tools, for preview and triage, saving the actual bulk imaging for TX1, once they’ve identified and prioritized where the critical evidence resides.

Your recent announcement stated that the Tableau forensic hardware now includes first-to-market innovations to help save critical time for investigators via the ability to pause and resume any forensic imaging job, even after a power cycle. Looking back, what are some other market-leading innovations Tableau has introduced?

Gosh, that’s a tricky one, as we’ve had so many firsts. If I focus on “customer favorites”, I’d say one of the biggest innovations we introduced was simultaneous hashing on our duplicators, with near-zero performance impact, and that’s directly related to the skill of our engineering team working all the way down to the “bare metal” of our designs.

Another would be how we’ve always been pioneers in our handling of HPA/DCO/AMA hidden partition management, whether we’re exposing, unlocking, shelving, restoring or trimming, always in a forensically sound manner. And let’s not forget how we were years ahead of anyone in providing forensic hardware tools, both bridges and imagers, for PCIe media, the fastest growing segment in PC/laptop storage.
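The “simultaneous hashing” point above, as an added illustration that is not Tableau firmware or any OpenText code: a small Python imaging loop over a constructed in-memory “evidence drive” that updates MD5 and SHA-1 from the same buffer it writes, so the source is read exactly once, and then re-reads the destination to verify the acquisition hashes. The chunk size, the sample data and the function names are assumptions made for this example; a hardware duplicator does the same work on larger blocks at the bare-metal level the interview mentions.

```python
"""Added example, not OpenText/Tableau code: single-pass imaging with
simultaneous hashing, followed by destination verification."""
import hashlib
import io

CHUNK = 1 << 16  # 64 KiB read size; an assumption for this example

# Constructed sample "evidence drive": deterministic bytes, not a real image.
SAMPLE = bytes((i * 7919 + 13) % 256 for i in range(200_000))


def image_with_hash(src, dst, algorithms=("md5", "sha1"), chunk=CHUNK):
    """Copy src to dst chunk by chunk. Every hash is updated from the same
    buffer the write uses, so hashing costs no second pass over the source.
    Returns (bytes_copied, {algorithm: hexdigest})."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    while True:
        buf = src.read(chunk)
        if not buf:
            break
        for h in hashers.values():
            h.update(buf)
        dst.write(buf)
        total += len(buf)
    return total, {name: h.hexdigest() for name, h in hashers.items()}


def hash_stream(stream, algorithms=("md5", "sha1"), chunk=CHUNK):
    """Hash a stream from its current position to EOF (used for verification)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        buf = stream.read(chunk)
        if not buf:
            break
        for h in hashers.values():
            h.update(buf)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(dst, expected):
    """Re-read the destination and compare against the acquisition hashes.
    Returns (matches, hashes_actually_found_on_destination)."""
    dst.seek(0)
    actual = hash_stream(dst, tuple(expected))
    return actual == expected, actual


def reference_hashes(data, algorithms=("md5", "sha1")):
    """Whole-buffer hashes, to confirm the streaming loop agrees with them."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def demo(corrupt=False):
    """Image SAMPLE into an in-memory destination; optionally flip one byte of
    the destination afterwards to show that verification catches it.
    Returns (bytes_copied, acquisition_hashes, verification_ok)."""
    src = io.BytesIO(SAMPLE)
    dst = io.BytesIO()
    copied, acquired = image_with_hash(src, dst)
    if corrupt:
        off = 12345  # arbitrary offset inside the image
        dst.seek(off)
        original = dst.read(1)
        dst.seek(off)
        dst.write(bytes([original[0] ^ 0xFF]))  # guaranteed to differ
    ok, _ = verify_image(dst, acquired)
    return copied, acquired, ok


if __name__ == "__main__":
    copied, acquired, ok = demo()
    print(f"copied {copied} bytes, MD5 {acquired['md5']}, verified={ok}")
    print(f"corrupted destination verified={demo(corrupt=True)[2]}")
```

The loop reads each block once and feeds it to every hasher before writing, which is the property the interview credits to the duplicators; the verification pass is a separate read of the destination, which is why imagers report it as a distinct step.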

How do these developments support forensic examinations with EnCase Forensic and other tools in your product suite?

As I alluded to earlier, EnCase Forensic (and EnCase Endpoint Investigator) is frequently used with our bridges ahead of the imaging stage to preview or triage large caches of digital media, to sort and prioritize that media into high/medium/low importance “piles”. This “triage” is useful when the investigator’s time is limited on-scene, either by warrant restrictions or by the situation on the ground. They need to know they’re focusing their collection activities on the digital evidence most responsive to their case, once imaging commences.

EnCase is also used to help decide what digital media requires a full physical image and what media can be logically imaged, saving time and destination storage space.

What excites you most for the Tableau product line, looking ahead to 2020?

Hmmm… There might be some “new” and exciting engineering development projects kicking off, early in 2020, but I’m not allowed to say much about that.

I think I’ll go with broad strokes and just say that we’re getting tons of feedback from our rapidly growing global TX1 user community and that feedback significantly informs our development roadmap. TX1 3.0, launched earlier this year, was the largest and most expansive feature release ever in Tableau’s history, and the 4.0 release won’t disappoint, either.

We’re certainly excited about getting our shiny new API for TX1 into the hands of our larger customers, and we might have a few surprises on the subject of Tableau / EnCase integration.

But mostly? We celebrate the little victories. A customer-requested feature here, a compatibility enhancement there, and always a relentless quest to offer products which not only reflect great $$$ value but which also provide significant operational value to our customers’ wide-ranging forensic workflows.
