Kathy, you're a Senior Forensic Examiner and eDiscovery Specialist at Gillware. Tell us more about your role – what does a typical day look like for you?
Each day I’m interacting with clients, whether it be scoping for a new case we’ll be working on together, giving updates on the progress of data processing and analysis, or discussing results. I will perform collections of laptops, cell phones, servers, or anything we can pull data from.I process data and prepare it for either keyword searching or analysis. My favorite part of each day is getting to perform analysis, whether it be reviewing search query results or diving into a laptop or cell phone and putting together a timeline of activity.
How did you start out in digital forensics and eDiscovery?
My start in digital forensics was a complete fluke. I originally wanted to be a Forensic Chemist but when applying for a Graduate Assistantship, I discovered the only job left was in the digital forensics lab. Being a graduate student and needing extra money, I applied and interviewed for the position. By about day three of my work in the lab, I fell in love and realized this was what I wanted to do.
I had wonderful mentors who I am extremely grateful for: Ian Levstein, Joshua Brunty, and Christopher Vance. With their patience and support I researched and studied and learned everything I could about computers, digital forensics, and social media analysis.
What do you love about what you do?
I love that this field is constantly changing due to technology moving forward – there is always more research to be done and topics to learn about. There are creative ways to investigate and analyze data and some amazing results can be found. You can go as far as you want to and make the most of yourself in this field.
At Techno Security, you presented your research on whether CCleaner was "the end of forensic investigations as we know it." What spurred you to do this research?
I have encountered this tool on computers in a few of my investigations lately. It may be a business environment where all the laptops have this pre-installed or one specific user trying to keep their computer clean or potentially erase evidence.
I wanted to know what effects this tool could have on a system and what type of artifacts could be found. There are certain items investigators keep seeing which pique their interest, but they may not have the time to fully dig in and research them. This presentation gave me a great reason to take a deep dive into what this tool does and the opportunity to share it with the digital forensics community.
CCleaner and other antiforensics measures have been around for long time. From your standpoint, how have antiforensics evolved over time?
I feel I’m still quite a young one in this field even though I have been practicing for about seven years. I hear stories from my colleagues about some very interesting antiforensics measures individuals have taken throughout the years. I’ve learned that users will try to hide their tracks in one way or another, but they usually leave some trail for investigators to find. People trying to cover up their malicious activities has always occurred and will continue to occur. I think it has more to do with the creativity of the examiner to determine a way to figure out what was done and how it was hidden.
During your talk, surprises were a key part of your findings – artifacts that were recoverable even after Secure Delete, for instance. As you said, this underscores the need for research, but time is always at a premium for investigators. What's your advice to other examiners on making, and also maximizing, limited time?
It is always tough to balance casework along with testing and research. I am thankful to my boss, Matthew Stippich, who also loves to dive into unique problems and suggest ideas on how to approach and examine new types of data we’re seeing.
My advice is to just jump in and start testing as opposed to trying to find a place to fit it in. Once you get started and see results, it naturally progresses on. We have a great community of examiners with blogs and podcasts who share their research and testing. Any questions an investigator may have, chances are others in the digital forensics world have them as well.
What other research projects have you done, or contributed to?
I started creating custom carvers for AccessData when I was a student Marshall University. I did my graduate focus work on Facebook Messaging and the artifacts it left behind in different browsers. During my time at Digital Intelligence, I have researched and presented on cloud storage sites and what artifacts are left behind on systems. Most recently I have worked on this CCleaner research and presentation.
What's next for your research?
I don’t have a set project in mind yet next, but I am very interested about the Internet of Things, specifically devices such as Alexa and Apple Watches.
Based on what you've observed in your day-to-day work, what do you think are the top critical issues facing forensics and eDiscovery professionals in 2019, and the top ways to address them?
I am seeing a lot of movement of data into cloud storage sites as opposed to on local servers or computers. I wouldn’t consider it a critical issue, but it is one of the biggest changes we are experiencing. Understanding where these servers are, the protocols of the each of the sites, and how they interact with devices is going to be of the utmost importance moving forward.
Device encryption is another issue we are working with almost every day. Learning about the different types of encryption and how these can be decrypted will absolutely be beneficial to investigators.
Finally, when you’re not working, what do you enjoy doing in your spare time?
In my spare time I’ll be either going for a run on the trail or at the beach playing volleyball. I also enjoy reading true crime books along with trying to get through the classics. And I love to snuggle up on my couch and watch movies or stream TV shows. I’ve recently had the opportunity to travel and I would really love to continue to visit new places and learn about new cultures.