Joe, your BlackBag profile describes how you "drive innovation and pursue emerging areas of research" as Director of Research & Development. Can you describe for us what your day-to-day looks like?
Usually I’m managing shifting priorities, so there’s not always a “typical” day for me. Some days I spend my time in IDA Pro, reverse engineering OS subsystems to learn how on-disk artifacts can be analyzed. Other days, I’m mostly wearing my developer hat and writing code that will eventually be integrated into the backend of BlackBag’s tools. As with all things research, our initial approach doesn’t always work out, so there’s a lot of lessons learned and iteration going on behind the scenes.
You're also an adjunct professor at the University of New Orleans. How do your two roles inform one another?
In general, when I’m not being pestered by students, I find that there are benefits to being surrounded by academics. Having people to bounce ideas off of that have knowledge of prior work is always helpful. Having access to a talent pool of potential new hires from the recent graduates is also a plus.
I also feel like my students benefit greatly from my industry perspective, as a lot of the other professors are lifelong academics who haven’t had as much practical exposure.
How did you first become interested in digital forensics, and what led you to BlackBag?
I took a number of computer security and digital forensics classes during my CS undergrad, and I found that I really enjoyed the topic. I was offered a graduate research assistantship, which funded my master’s degree and piqued my interest in research.
After that, my business partner, Vico, and I started a small firm where we were doing a bit of everything (computer security and digital forensic services, research and development, training, etc.). We did some contract development work for BlackBag and eventually decided it made more sense to combine efforts and join the team. The rest is history.
Looking into the near future, what do you see as some of the most critical technological challenges that the DFIR world faces? How is BlackBag helping to address these?
There are a number of challenges. Data is starting to move away from the devices and into managed cloud services, where our access is more limited. At the same time, the data that is on our devices is becoming less accessible and operating systems are improving their security models and implementing encryption in hardware by default. BlackBag has invested significant time and resources tackling these problems, some of which you’re already aware of with our work on physical acquisitions of T2 protected systems.
Your SANS DFIR Summit talk, a guide to the R&D process, relied on your own work with the APFS snapshots as well as your previous experience. Tell us about one of your hardest lessons learned, and how you made it work for you.
Operating systems are complex – so much so that it’s not always possible to have a full picture of how even seemingly simple subsystems work. Changes in environment or hardware can often make drastic differences in forensic artifacts.
I learned that lesson the hard way when I published a paper that made specific claims about the behavior of Windows hibernation files that it turned out only applied to systems with SSDs. Other researchers who were attempting to reproduce the work were seeing data where I thought there should be none. It turns out they were using systems with spinning hard drives, and all of my test systems had been upgraded with solid state drives. That taught me the importance of testing with a wide variety of systems.
Do you have a favorite project or piece of research you've worked on? What was it, and what makes it your favorite?
I have a complex relationship with my research relating to high-performance memory analysis, which was the subject of my Ph.D. work. In many ways, it’s my favorite work because it was a several-years-long effort that eventually led to my degree, but the many sleepless nights that work gave me trigger a bit of PDSD (post-dissertation stress disorder) in me when I think about revisiting it.
This year, BlackBag released a solution to produce a decrypted physical image of data stored on a T2 chip. How long was this solution in the making? Can you talk about some of the challenges your team encountered and overcame?
That work was probably about a year in the making. It was very challenging, because Apple has published very little technical information about how the T2 chip actually works, and no information about how software interacts with it.
Furthermore, Apple doesn’t provide any API access to interface with the chip, so there was a large reverse engineering and subsequent development effort to make it work in a stable way that doesn’t violate Apple’s development guidelines.
What's next for you and BlackBag in 2020? What are you most excited about?
No spoilers, but we’re focusing on a few innovations that will help us better serve our enterprise customers. In 2020, we’re also expanding our Research & Development team, so you should expect to see these innovations make it into our products at a faster pace, and that will take advantage of additional expertise.