Matt, you've recently been appointed Director of Training at BlackBag Technologies. Tell us about your role and what it involves.
The role of Director of Training involves working with many of the teams here at BlackBag. Primarily, I have the pleasure to work on the excellent instruction team developing and delivering solid digital forensic training for MacOS, iOS, and Windows examinations. I have reviewed the current course offerings and am impressed by their depth and quality.Our team also maintains three industry-recognized certifications – Certified BlackLight Examiners, Certified Mobilyze Operator, and the Mac and iOS Certified Forensic Examiner. This role actively engages various groups such as Software Development, Product Management, Marketing, Support, and Sales in many projects.
The teams at Blackbag Technologies have been fantastic to work with. I love how much they care about providing the best software and services to help those working in digital forensic examinations. The demands in this field can be a tough load for examiners to bear. There is so much to learn and much technology to keep up with. BlackBag Technologies leverages their many teams to help you carry this weight.
I enjoy being a working supervisor to know what the work demands. This role allows that. It is great meeting forensic examiners from all over the world. To understand the current challenges they face allows our company to seek a solution. The solutions I’ve seen BlackBag Technologies provide so far and those in planning are inspiring. Of course, I also get to work with our awesome training coordinator who contributes so much service to the examiners learning from our classes.
What courses are currently offered by BlackBag, and what can students expect to gain from attending?
Our current courses consist of Digital Forensic Basics, Essential Forensic Techniques I, Essential Forensic Techniques II, and Mobilyze Tool Training. Watch for more course offerings in 2019.
The Digital Forensic Basics is a two-day course designed for examiners getting started in this field, transitioning to using our tools, and also for those looking to join the over 1,400 Certified BlackLight Examiners by acquiring their CBE. This course works through a triage analysis across MacOS, Windows, and iOS evidence while working with the analysis features of BlackLight and MacQuistion.
The Essential Forensic Techniques (EFT) I and II are 36 hours each and focus on MacOS and iOS acquisition, analysis, and reporting. EFT I details analyzing evidence pertaining to Mac system and MacOS operations, attached devices, iCloud, email, internet, iOS, along with Mac disk, data, and date and time structures. EFT II trains more advanced examinations of Terminal artifacts, HFS+ and APFS, links, backups, snapshots, unallocated data recovery, RAIDs, advanced iOS, log and event files, Spotlight, and the analysis of many other artifacts. The Mobilyze Tool Training course is a self-paced course detailing Mobilyze’s capabilities with acquiring and examining Android and iOS devices.
Examiners attending these can expect to work with knowledgeable instructors to attain a solid understanding of the included subject matter. These courses heavily mix instruction with hands-on analysis while focusing on the forensics and not just the tool. These training courses will allow examiners to apply their acquired knowledge in their next cases immediately.
You spent 17 years working in law enforcement before moving over to the corporate side of digital forensics – how do the two sectors compare?
My comparison would not be entirely valid since I work alongside a substantial amount of retired law enforcement officers. The two leaders I currently report to, my colleague instructors, and many others have all served to protect others as peace officers. Colleagues who have not served in law enforcement all have a strong heart to help others with their work. This element has softened the blow of my transition to the corporate world.
After 17 years of law enforcement service, being a 4th-generation law enforcement officer, and being in a family of six law enforcement officers, I could only work in a field where I am allowed to serve law enforcement. It is all I have known.
I love a life working to help others with a critical mission. Thankfully, I have found a method to continue this mission in digital forensics where examiners in varying assignments seek to expose the truth to make this world a safer place. Blackbag Technologies holds this as a major priority in their mission statement.
So, my corporate sector compares relatively similarly to the law enforcement life I knew – being surrounded by those eager to help. The years of police shift work, graveyard shifts, and callouts are not dearly missed. But, it has been replaced with worldwide travel, time away from family, and segments of strongly focused priority work. All are for an important cause. I’ve also been thankful to be working in a great environment where they understand the importance of family and time off from work.
Is there anything you miss about working in law enforcement?
Having worked for 17 years in various divisions at a law enforcement agency, I was exposed to a ton of experiences. Throughout this time, I was involved in plenty of police pursuits, foot chases, countless “Code 3” emergency runs, stake-outs, search warrants, and many other “exciting” things that some retired officers may miss.
I’m glad to have had those experiences. I’ll admit they were fun, but I don’t miss that part. During my service, I also responded to and investigated an abundant amount of tragedies that life callously brings. I don’t miss the trauma of those situations, but I do miss being there to help people to cope with them.
There were a lot of cases and many arrests over my years of service. I miss making those arrests that instantly intervened to make a situation better. I can remember my team and I breaking down a door to enter a home during an emergency call. We had to fight to arrest a combative suspect who had severely injured his significant other. This victim, who we found shaking from fear and hiding in a closet, had a calendar documenting continual abuse suffered at the hands of the suspect over a year. Another case involved finding a lead in digital evidence that led to the rescue of a child who had suffered many years of sexual exploitation by her father.
These stories could continue, but that immediate disruption of criminal action brings you a feeling of accomplishment. The accomplishment is not for yourself, it is for bringing accountability to make a situation as right as it can be at that moment. I miss that part – the victim being safe, the suspect going to jail to await trial. These stories, if shared by the officers serving now or who have served would fill books that would overload the libraries of this world. It is an upright line of work where those who serve accept significant personal risk to be there to help in hopes of making a difference. I hold the most profound respect for those out there holding that line between right and wrong. I also hold pride in having served amongst those ranks.
What are some of the challenges associated with setting up and running training programs in digital forensics?
Digital forensic examiners know this field does not let your brain rest. File systems, operating systems, user artifacts, application artifacts, etc. all change on a fairly regular basis. Constant updates are needed to provide examiners with current training.
Setting up a course is relatively easy if it was developed correctly. The curriculum development, to me, is the most challenging part. You have to know what education the examiners are seeking, create realistic evidence to examine, and create your lessons to focus on the essential learning objectives. It is always tempting to include everything you can fit into a course. The problem is if you deviate from the learning objectives and overwhelm the curriculum delivery, the essential learning points will be lost making the course much less effective. The learning points of the class need to be precisely delivered and solidified. BlackBag training excels at this by reinforcing the learning concepts through embedded instructor-led and student-driven practical analyses. You receive daily quiz-based reviews, preliminary and post-exams, and instructor-led reviews during the course. These items coupled with real-world based scenarios make the training experience a nice one.
One common criticism leveled at many digital forensics courses is that students aren't always taught the theory behind what they're doing, leading to a proliferation of 'push-button' forensics. What are your thoughts on this, and how is it addressed in BlackBag's courses?
This is a current issue. Entities supporting digital forensic investigations have limits to their budgets, especially training. In law enforcement and military, trained examiners seem to be regularly promoted or transferred to other assignments. They may also leave to go to the corporate realm seeking another experience or a higher salary.
Corporate entities lose examiners to other job opportunities as well. This results in LE and corporate recruiting new examiners to staff their positions. Many of these examiners are untrained.
Another part of the issue is that software companies naturally want to make the examination process as easy as possible to lessen the burden on the examiner. They work at designing their software to support this.
The big factor that cannot be ignored is digital forensics is not easy. It requires substantial knowledge and tenacity to seek that knowledge throughout your career. A bad mistake an examiner can make is to rely on the accessible features of software exclusively and to excuse themselves from having to understand the evidence they are analyzing. The software tools should never replace your brain. The tools should make your work more efficient, but you should know what the tool is doing. For example, a software tool may nicely parse an artifact for you. But, you should understand where the artifact is stored, in what format it is structured, how it is parsed, and what does the parsed data indicate. This evidence is being submitted to prove or disprove something. Typically, in this field, it may involve incarcerating a criminal for person or property crimes, revealing evidence of a terrorist act, or exposing a civil act of wrong-doing.
These are critical matters, and our examinations should not be taken lightly. Digital forensic training should be handled in a like manner. Training may involve instruction of the forensic tool, but it should balance that with forensic knowledge. File systems, operating systems, user, and application artifacts are all equally important to understand. It is neglect to train on pushing a button and relying solely on the provided output. What if the tool is not performing correctly? Where do you look if the tool doesn’t provide a result? How do you articulate the results provided? Examiners need to accept it takes time and a concerted effort to learn in this field. Please, seek out courses that provide comprehensive instruction well beyond pushing a button.
Within BlackBag’s Training courses, you receive this in-depth knowledge of what the evidence means along with how the tool recovers it. BlackLight has the power of providing easy processed evidence results, or you can dive right to the hex bytes in the data structure and manually interpret. In our courses, attendees learn by conducting user-type actions on a system; then we forensically examine those changes. This provides a working knowledge so the examiner can validate the tool and the analysis actions taken.
The psychological aspect of investigations is increasingly being viewed as an important element, particularly when dealing with serious crimes such as child exploitation and human trafficking. What can trainers and managers do to help improve the psychological wellbeing of their trainees and team members?
Thank you for bringing up this important matter. Having worked child exploitation cases for 13 years, I understand the potentially damaging impact exposure to media depicting the sexual exploitation of children may have on forensic examiners. The content describes horrifically evil acts committed against children.
Exposure to this graphic content will change you. Some examiners may fare better than others, but it affects us all in some way. One examiner may become very over-protective of their children while another may struggle to sleep at night.
One typical reaction is compassion fatigue. It is where you know the importance of these cases and cannot rest until they are completed. I know I experienced this, needing to regularly work my scheduled days off to ensure these cases did not sit on a backlog. Some symptoms may fall in line with post-traumatic stress, also referenced as secondary traumatic stress, and need to be taken seriously.
Trainers and managers need to support their teams carrying out the vital mission of working these cases. Managers need an official plan in place. This plan should provide methods by which trainers first expose newer examiners to this material and to identify the stress symptoms it may cause.
Trainers and peer examiners need to share how they handle the stress. All examiners working these cases should be encouraged to and have an identified source to share with. Communicating openly is important.
Examiners should have access to psychological debriefs by certified staff on a regular basis and access to them as needed with a “no shame” policy. Some officers feel the need to be tough and to act like they can handle anything. We had some of the toughest SWAT team members not wanting to even step foot in our forensic lab because they didn’t want to accidentally see the graphic content we had to regularly review.
It is okay to admit this type of work is difficult. Limiting your exposure to the material is wise. Some agencies have wisely applied a rotational assignment to varying types of digital forensic examinations removing a consistent exposure to child exploitation cases. Some forensic tools have features that try to help by identifying the material for you. Please use these features but also use caution to ensure your exams are thorough.
If any symptoms of post-traumatic stress surface, seek assistance immediately. It is ok to have a normal reaction to being exposed to abnormal circumstances. Needing help is ok. Managers and trainers need to understand that examiners conducting these case investigations are performing a noble task of protecting, rescuing, and ensuring our children are safe from those who seek to victimize them. None of us sign up to be exposed to this material, but we will “wade into the sewer” and tolerate the unbearable exposure to hold those accountable who harm our children. Managers, please support your staff in any manner possible with this mission.
Finally, when you're not working, what do you enjoy doing in your spare time?
I spend most of my time with my family. We enjoy exploring Virginia and have fallen in love with countryside drives and learning the history of the region. I have shifted from my college volleyball days and now volunteer as a youth league and Special Olympics volleyball coach. My children are following in my footsteps and are developing their volleyball skills in school and league teams. Our family also enjoys time serving at our church and spending time with our church family. I must admit that I enjoy yielding to my weakness for sweet tea and a good pecan pie now and then. My family also spends time tending to and training our service dog who is a stubborn but adorable pocket beagle.
Find out more about BlackBag's products and training courses on their website.