Karan Dwivedi, Security Engineering Manager, Google

FF: Can you introduce yourself and tell us a little about what you do?

Karan: It is a pleasure to be here. I have been in the security industry for 7+ years now. Currently I am a security engineering manager at Google leading a team of engineers who help reduce risk to Alphabet in their use of GCP.

At Google, I have held technical leadership roles to bolster security of products and services with more than a billion users by building detection and response capabilities.

Previously, I was part of the incident response team at Yahoo who were the ones to respond to the world’s largest data breach. In my past life I was a software engineer at Honeywell where I worked to develop backend software for access control and digital video management service.

I run a blog where I write about security engineering interviewing tips which are provided by Google’s hiring team to prospective candidates.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

How do you think digital forensics has evolved in the last decade?

From a technology perspective, we have come a long way from the era of simple client and server model to now a more decentralized and distributed network of interconnected systems. With this change, we have seen forensics evolve from practitioners conducting a simple host and network based analysis to now collecting data across a multitude of sources (smartphones, IoT devices, watches, gaming consoles, open source intelligence,  etc).

There is a widespread adoption of cloud technologies which has shifted our traditional collection, analysis and retention methods to the cloud as well. We used to have the generic term ”forensic experts/examiners” earlier, however now we are seeing more specializations emerging in the field because of the increased technological scope and expertise required for each.

Finally, a decade ago big data also wasn’t as popular as it is today and that has opened up a slew of tools for examiners (e.g. ELK stack i.e. Elasticsearch, Logstash, and Kibana, Splunk etc) which have become mainstream for analysis. 

From that evolution, what present-day challenges do you see that we’re facing as a digital forensics community?

There are significant challenges with collecting and analyzing evidence from IoT (Internet of things) devices. With the huge influx of IoT devices from hundreds of manufacturers, there is no set standard that applies to all of them when collecting and analyzing evidence.

This is because for each device, manufacturers are free to choose a combination of operating systems, hardware platforms and software on top that powers the device’s functionality. Furthermore, with every software update, functionality can change, pushing practitioners and forensic examiners to always be on their feet, researching and applying them in their roles.

The second big challenge, I feel, is finding and churning through data to find high quality information. Digital forensics is not just a science but also an art where an examiner can use their experience and “gut” check to invalidate certain pieces of evidence within a huge pile of data. It is only by cutting down the noise do we get to the needle in the haystack.

This is another reason why we are now seeing more data analyst roles show up in the industry who can help us narrow down signals for finding and improving data quality.

What are some of the personal lessons you’ve learnt in your career? 

Very intriguing question! There are quite a few lessons I learnt throughout my career:

  1. Be curious, remain humble: It is almost impossible to know everything in not only digital forensics but also any broad field. It is only by asking questions, learning from people around you and accepting when you don’t really know something do you see real, continuous, incremental growth.
  2. Communicate often, early and clearly: Whether it is talking to your peers, management, friends or family, it helps build relationships at home and fosters rapport at work. In the digital forensics space, written and oral communication is one of the key skills that differentiates a good examiner from a great examiner. When you are investigating incidents, this mantra has proven useful to keep stakeholders informed and for them to make the right decisions for the company.
  3. Collaboration, not competition: It is easier to get more done, obtain diverse opinions and differing points of view when you get to collaborate with others, especially if they are slightly different than you or your ideas. In digital forensics, when another examiner challenges your point of view or questions your artifacts and methods, it is one of the best exercises to prove validity. This makes a huge difference when the stakes are high (court cases, large breaches etc)

What’s next for digital forensics? Where do you see the future evolving, not just in the technology to be investigated, but in the ways examiners use to investigate it?

Technology wise, I believe it is going to be more complex to correlate data between the myriad of devices and software we have today and the ones to be launched in the future.

We will at some point also shift more towards using web3 and the newer technologies primarily for investigations e.g. tracking transactions on different blockchains and correlating them with transactions in the physical world with credit and debit cards.

From a tooling and data utilization standpoint, tools like log2timeline will play an even critical role in helping examiners across data sources as it will be easy to get lost tracing events.

I also expect to see a lot of conclusions being drawn from side channel information (implicit evidence) e.g. if an examiner sees evidence of outbound network traffic from an actor’s home network to a cloud command and control service for a set of IP ranges every weekend, the examiner may think of it as an action the user performs on a weekend.

However, if the examiner also knows that the actor owns a vacuum bot whose vendor owns the IP ranges, then it may be possible that it is not the user who is doing an activity but rather the vacuum bot which is running on a schedule cleaning the home. Relevance of such information completely changes attribution of events and this is expected to become mainstream.

As technology and investigative tools become more complex and maybe, at least in some ways, less transparent, how can examiners best communicate their findings to management and other stakeholders? 

I feel the simplest way is by following the approach “Bottom line up front” a.k.a BLUF. This is similar to TL;DR used in emails these days. This approach gives the benefit that your audience knows (at least in a summarized form) what the issue is, current status, next steps or action items on their end pretty much right away. Cyber intelligence touts this approach to brief executives and government officials as well. 

Now to your point about technology becoming less transparent (we can also refer to it as abstracting the complexity away from the user), this is where BLUF shines because parts which were summarized initially can be followed up with more details for the curious reader. This is basically a layered approach to communication where each layer provides more information to understand the entire picture better. 

When you’re not working, what do you like to do in your spare time?

I enjoy taking long drives and visiting beaches (being in California is a blessing for these activities). In general I love to travel and am on track to visit all 50 U.S. states.

I also spend time thinking and researching new security topics and ideas. I am into public speaking and have been speaking at conferences, universities and in podcasts. I volunteer to help people 1:1 in their careers by way of mentorship through Linkedin. In the last few years, I have answered career questions from hundreds of professionals with an average of ~50-100 questions per month.

Leave a Comment

Latest Videos

Si and Desi interview Emi Polito from Amped about how to become an Amped FIVE Certified Examiner (AFCE). They discuss the exam requirements, format, timeline for certification, and Amped’s future plans. Emi explains that the certification is aimed at demonstrating competency with the Amped FIVE video analysis software after completing training. The exam consists of multiple choice questions on theory and practical exercises using the software. Emi talks about the online exam format and process for passing or failing.

Emi also discusses the broader challenges many organizations face with validation and accreditation. He emphasizes Amped's commitment to developing tools that facilitate that process. The hosts reflect on the confusing accreditation landscape and Amped’s passion for improving training and certification in forensics. This episode provides an overview of Amped's new certification and perspective on challenges in the field of video forensics.

Show Notes:

Introducing The AFCE Certification (Amped FIVE Certified Examiner) - https://www.forensicfocus.com/news/introducing-the-afce-certification-amped-five-certified-examiner/

Video Evidence Principles With Amped Software - https://www.forensicfocus.com/podcast/video-evidence-principles-with-amped-software/

Digital Image Authenticity And Integrity With Amped Authenticate - https://www.forensicfocus.com/podcast/digital-image-authenticity-and-integrity-with-amped-authenticate/

File Analysis And DVR Conversion Training From Amped Software - https://www.forensicfocus.com/reviews/file-analysis-and-dvr-conversion-training-from-amped-software/

Amped FIVE Speed Estimation 2d Filter And Training From Amped Software - https://www.forensicfocus.com/reviews/amped-five-speed-estimation-2d-filter-and-training-from-amped-software/

Amped Software’s Martino Jerian on Key Challenges and Opportunities for Video Evidence - https://www.forensicfocus.com/podcast/amped-softwares-martino-jerian-on-key-challenges-and-opportunities-for-video-evidence/

LEVA 2023 Training Symposium - https://www.leva.org/

Forensic Collision Investigation & Reconstruction Ltd - https://www.fcir.co.uk/

Amped FIVE Certified Examiner - https://ampedsoftware.com/afce-certification 

Introducing the Amped FIVE Certification Program - https://blog.ampedsoftware.com/2023/10/04/introducing-the-amped-five-certification-program

Amped Software YouTube - https://www.youtube.com/ampedsoftware
How to Use the Validation Tool in Amped FIVE - https://blog.ampedsoftware.com/2023/03/29/how-to-use-the-validation-tool-in-amped-five

Si and Desi interview Emi Polito from Amped about how to become an Amped FIVE Certified Examiner (AFCE). They discuss the exam requirements, format, timeline for certification, and Amped’s future plans. Emi explains that the certification is aimed at demonstrating competency with the Amped FIVE video analysis software after completing training. The exam consists of multiple choice questions on theory and practical exercises using the software. Emi talks about the online exam format and process for passing or failing.

Emi also discusses the broader challenges many organizations face with validation and accreditation. He emphasizes Amped's commitment to developing tools that facilitate that process. The hosts reflect on the confusing accreditation landscape and Amped’s passion for improving training and certification in forensics. This episode provides an overview of Amped's new certification and perspective on challenges in the field of video forensics.

Show Notes:

Introducing The AFCE Certification (Amped FIVE Certified Examiner) - https://www.forensicfocus.com/news/introducing-the-afce-certification-amped-five-certified-examiner/

Video Evidence Principles With Amped Software - https://www.forensicfocus.com/podcast/video-evidence-principles-with-amped-software/

Digital Image Authenticity And Integrity With Amped Authenticate - https://www.forensicfocus.com/podcast/digital-image-authenticity-and-integrity-with-amped-authenticate/

File Analysis And DVR Conversion Training From Amped Software - https://www.forensicfocus.com/reviews/file-analysis-and-dvr-conversion-training-from-amped-software/

Amped FIVE Speed Estimation 2d Filter And Training From Amped Software - https://www.forensicfocus.com/reviews/amped-five-speed-estimation-2d-filter-and-training-from-amped-software/

Amped Software’s Martino Jerian on Key Challenges and Opportunities for Video Evidence - https://www.forensicfocus.com/podcast/amped-softwares-martino-jerian-on-key-challenges-and-opportunities-for-video-evidence/

LEVA 2023 Training Symposium - https://www.leva.org/

Forensic Collision Investigation & Reconstruction Ltd - https://www.fcir.co.uk/

Amped FIVE Certified Examiner - https://ampedsoftware.com/afce-certification

Introducing the Amped FIVE Certification Program - https://blog.ampedsoftware.com/2023/10/04/introducing-the-amped-five-certification-program

Amped Software YouTube - https://www.youtube.com/ampedsoftware
How to Use the Validation Tool in Amped FIVE - https://blog.ampedsoftware.com/2023/03/29/how-to-use-the-validation-tool-in-amped-five

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_VKk-mhlae1c

Becoming An Amped FIVE Certified Examiner (AFCE)

Forensic Focus 1st December 2023 4:25 pm

Subscribe to the Forensic Focus Podcast: https://www.forensicfocus.com/podcast/

Si and Desi are joined by Brittany and Ailsa from digital forensics software company ADF Solutions. They discuss how ADF is addressing key challenges for digital forensics practitioners, including handling the massive volumes of data from mobile devices and the cloud.

The guests outline ADF's focus on developing their software as an easy-to-use onsite triage tool that can help quickly identify pertinent evidence. Key features include advanced handling of video files, AI-assisted classification of images, and new screen recording capabilities for mobile devices that allow suspects to safely share relevant data. 

The hosts and guests also explore ADF's ongoing research into areas like facial recognition, handling new device types like games consoles and smart watches, and identifying deepfake media.

00:00 – Introduction to Ailsa and Brittany
03:00 – The challenge of vast amounts of data
05:50 – Recovering data from Chromebooks
08:50 – Triaging using ADF tools
12:30 – Benefits of using ADF Solutions’ tools
15:50 – Limitations in types of apps
17:20 – Keeping up with technological advancements
19:15 – ADF customer base
21:00 - Artificial intelligence in classifying images
30:00 – ADF Solutions’ triaging kit
37:00 – Training with ADF
40:00 – Target user
44:50 – Roadmap of future devices to examine
51:30 – Main focus for ADF Solutions going forwards

Show Notes:
AI-generated CSAM article on Sky News - https://news.sky.com/story/thousands-of-ai-generated-child-abuse-images-being-shared-online-research-finds-12991727

Subscribe to the Forensic Focus Podcast: https://www.forensicfocus.com/podcast/

Si and Desi are joined by Brittany and Ailsa from digital forensics software company ADF Solutions. They discuss how ADF is addressing key challenges for digital forensics practitioners, including handling the massive volumes of data from mobile devices and the cloud.

The guests outline ADF's focus on developing their software as an easy-to-use onsite triage tool that can help quickly identify pertinent evidence. Key features include advanced handling of video files, AI-assisted classification of images, and new screen recording capabilities for mobile devices that allow suspects to safely share relevant data.

The hosts and guests also explore ADF's ongoing research into areas like facial recognition, handling new device types like games consoles and smart watches, and identifying deepfake media.

00:00 – Introduction to Ailsa and Brittany
03:00 – The challenge of vast amounts of data
05:50 – Recovering data from Chromebooks
08:50 – Triaging using ADF tools
12:30 – Benefits of using ADF Solutions’ tools
15:50 – Limitations in types of apps
17:20 – Keeping up with technological advancements
19:15 – ADF customer base
21:00 - Artificial intelligence in classifying images
30:00 – ADF Solutions’ triaging kit
37:00 – Training with ADF
40:00 – Target user
44:50 – Roadmap of future devices to examine
51:30 – Main focus for ADF Solutions going forwards

Show Notes:
AI-generated CSAM article on Sky News - https://news.sky.com/story/thousands-of-ai-generated-child-abuse-images-being-shared-online-research-finds-12991727

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_4z-EgH54KZk

The Power Of Digital Forensics: How ADF Solutions Is Revolutionizing The Digital Forensics Industry

Forensic Focus 30th November 2023 2:57 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles