Kathy Helenek, Senior Forensic Examiner, Gillware

Kathy, you're a Senior Forensic Examiner and eDiscovery Specialist at Gillware. Tell us more about your role – what does a typical day look like for you?

Each day I’m interacting with clients, whether it be scoping for a new case we’ll be working on together, giving updates on the progress of data processing and analysis, or discussing results. I will perform collections of laptops, cell phones, servers, or anything we can pull data from. I process data and prepare it for either keyword searching or analysis. My favorite part of each day is getting to perform analysis, whether it be reviewing search query results or diving into a laptop or cell phone and putting together a timeline of activity.

How did you start out in digital forensics and eDiscovery?

My start in digital forensics was a complete fluke. I originally wanted to be a Forensic Chemist but when applying for a Graduate Assistantship, I discovered the only job left was in the digital forensics lab. Being a graduate student and needing extra money, I applied and interviewed for the position. By about day three of my work in the lab, I fell in love and realized this was what I wanted to do.

I had wonderful mentors who I am extremely grateful for: Ian Levstein, Joshua Brunty, and Christopher Vance. With their patience and support I researched and studied and learned everything I could about computers, digital forensics, and social media analysis.



What do you love about what you do?

I love that this field is constantly changing due to technology moving forward – there is always more research to be done and topics to learn about. There are creative ways to investigate and analyze data and some amazing results can be found. You can go as far as you want to and make the most of yourself in this field.

At Techno Security, you presented your research on whether CCleaner was "the end of forensic investigations as we know it." What spurred you to do this research?

I have encountered this tool on computers in a few of my investigations lately. It may be a business environment where all the laptops have this pre-installed or one specific user trying to keep their computer clean or potentially erase evidence.

I wanted to know what effects this tool could have on a system and what type of artifacts could be found. There are certain items investigators keep seeing which pique their interest, but they may not have the time to fully dig in and research them. This presentation gave me a great reason to take a deep dive into what this tool does and the opportunity to share it with the digital forensics community.

CCleaner and other antiforensics measures have been around for a long time. From your standpoint, how have antiforensics evolved over time?

I feel I’m still quite a young one in this field even though I have been practicing for about seven years. I hear stories from my colleagues about some very interesting antiforensics measures individuals have taken throughout the years. I’ve learned that users will try to hide their tracks in one way or another, but they usually leave some trail for investigators to find. People trying to cover up their malicious activities has always occurred and will continue to occur. I think it has more to do with the creativity of the examiner to determine a way to figure out what was done and how it was hidden.

During your talk, surprises were a key part of your findings – artifacts that were recoverable even after Secure Delete, for instance. As you said, this underscores the need for research, but time is always at a premium for investigators. What's your advice to other examiners on making, and also maximizing, limited time?

It is always tough to balance casework along with testing and research. I am thankful to my boss, Matthew Stippich, who also loves to dive into unique problems and suggest ideas on how to approach and examine new types of data we’re seeing.

My advice is to just jump in and start testing as opposed to trying to find a place to fit it in. Once you get started and see results, it naturally progresses on. We have a great community of examiners with blogs and podcasts who share their research and testing. Any questions an investigator may have, chances are others in the digital forensics world have them as well.

What other research projects have you done, or contributed to?

I started creating custom carvers for AccessData when I was a student at Marshall University. I did my graduate focus work on Facebook Messaging and the artifacts it left behind in different browsers. During my time at Digital Intelligence, I have researched and presented on cloud storage sites and what artifacts are left behind on systems. Most recently I have worked on this CCleaner research and presentation.

What's next for your research?

I don’t have a set project in mind yet, but I am very interested in the Internet of Things, specifically devices such as Alexa and Apple Watches.

Based on what you've observed in your day-to-day work, what do you think are the top critical issues facing forensics and eDiscovery professionals in 2019, and the top ways to address them?

I am seeing a lot of movement of data into cloud storage sites as opposed to on local servers or computers. I wouldn’t consider it a critical issue, but it is one of the biggest changes we are experiencing. Understanding where these servers are, the protocols of each of the sites, and how they interact with devices is going to be of the utmost importance moving forward.

Device encryption is another issue we are working with almost every day. Learning about the different types of encryption and how these can be decrypted will absolutely be beneficial to investigators.

Finally, when you’re not working, what do you enjoy doing in your spare time?

In my spare time I’ll be either going for a run on the trail or at the beach playing volleyball. I also enjoy reading true crime books along with trying to get through the classics. And I love to snuggle up on my couch and watch movies or stream TV shows. I’ve recently had the opportunity to travel and I would really love to continue to visit new places and learn about new cultures.
