Joe Sylve, Director Of Research And Development, BlackBag Technologies

Joe, your BlackBag profile describes how you "drive innovation and pursue emerging areas of research" as Director of Research & Development. Can you describe for us what your day-to-day looks like?

Usually I’m managing shifting priorities, so there’s not always a “typical” day for me. Some days I spend my days in IDA Pro, reverse engineering OS subsystems to learn how on-disk artifacts can be analyzed. Other days, I’m mostly wearing my developer hat and writing code that will eventually be integrated into the backend of BlackBag’s tools. As with all things research, our initial approach doesn’t always work out, so there’s a lot of lessons learned and iteration going on behind the scenes.

You're also an adjunct professor at the University of New Orleans. How do your two roles inform one another?

In general, when I’m not being pestered by students, I find that there are benefits to being surrounded by academics. Having people to bounce ideas off of that have knowledge of prior work is always helpful. Having access to a talent pool of potential new hires from the recent graduates is also a plus.

I also feel like my students benefit greatly from my industry perspective, as a lot of the other professors are life-long academics that haven’t had as much practical exposure.


How did you first become interested in digital forensics, and what led you to BlackBag?

I took a number of computer security and digital forensics classes during my CS undergrad, and I found that I really enjoyed the topic. I was offered a graduate research assistantship, which funded my master’s degree and piqued my interest in research.

After that, my business partner, Vico, and I started a small firm where we were doing a bit of everything (computer security and digital forensic services, research and development, training, etc). We did some contract development work for BlackBag and eventually decided it made more sense to combine efforts and join the team. The rest is history.

Looking into the near future, what do you see as some of the most critical technological challenges that the DFIR world faces? How is BlackBag helping to address these?

There are a number of challenges. Data is starting to move away from the devices and into managed cloud services, where our access is more limited. At the same time, the data that is on our devices is becoming less accessible and operating systems are improving their security models and implementing encryption in hardware by default. BlackBag has invested significant time and resources tackling these problems, some of which you’re already aware of with our work on physical acquisitions of T2 protected systems.

Your SANS DFIR Summit talk, a guide to the R&D process, relied on your own work with the APFS snapshots as well as your previous experience. Tell us about one of your hardest lessons learned, and how you made it work for you.

Operating systems are complex – so much so that it’s not always possible to have a full picture of how even seemingly simple subsystems work. Changes in environment or hardware can often make drastic differences in forensic artifacts.

I learned that lesson the hard way when I published a paper that made specific claims about the behavior of Windows hibernation files that it turned out only applied to systems with SSDs. Other researchers who were attempting to reproduce the work were seeing data where I thought there should be none. It turns out they were using systems with spinning hard drives, and all of my test systems had been upgraded with solid state drives. That taught me the importance of testing with a wide variety of systems.

Do you have a favorite project or piece of research you've worked on? What was it, and what makes it your favorite?

I have a complex relationship with my research relating to high performance memory analysis, which was the subject of my Ph.D. work. In many ways, it’s my favorite work because it was a several years-long effort that eventually led to my degree, but the many sleepless nights that work gave me trigger a bit of PDSD (post dissertation stress disorder) in me when I think about revisiting it.

This year, BlackBag released a solution to produce a decrypted physical image of data stored on a T2 chip. How long was this solution in the making? Can you talk about some of the challenges your team encountered and overcame?

That work was probably about a year in the making. It was very challenging, because Apple has published very little technical information about how the T2 chip actually works, and no information about how software interacts with it.

Furthermore, Apple doesn’t provide any API access to interface with the chip, so there was a large reverse engineering and subsequent development effort to make it work in a stable way that doesn’t violate Apple’s development guidelines.

What's next for you and BlackBag in 2020? What are you most excited about?

No spoilers, but we’re focusing on a few innovations that will help us better serve our enterprise customers. In 2020, we’re also expanding our Research & Development team, so you should expect to see these innovations make it into our products at a faster pace, and that will take advantage of additional expertise.
