Nick, can you please tell us a bit about yourself and your background; what does a day in your life look like?
A ‘regular day in the office’ starts early: the alarm goes off in my house at 5am so I can get to the gym for an hour before jumping on the train to London. I am relatively new at Nuix and I am still learning the different capabilities of each product, so I tend to use the time on the train to pick up a product I’ve not used before to see what it can do or how to install and configure it. I also use the time to catch up with emails from my colleagues in the Solutions Consultants (SC) Team, or brush up on my programming skills. Most of my day in the office will be spent planning deployments and providing advice to sales staff. I’ve not yet been allocated support tickets but I will monitor those throughout the day, looking for the chance to get involved.
I speak with clients on the phone and, with my background in digital forensics, programming and computer networking, I always try to give hands-on advice: what I would do if I were in the same situation (which wasn’t that long ago). I typically spend one or two days onsite, either demonstrating Nuix or looking at client workflows (how evidence is processed from start to finish).
What interests you most about the forensics and digital investigations industry?
I’m a geek at heart and I love working with computers. I enjoy programming, configuring networks and conducting research, but what I like most about forensics is the challenge of taking a case to trial. I have done more trials than the majority (although I haven’t kept a record of this, nor have I maintained a list I would use to impress potential clients; it’s not my style). I enjoy the process of presenting evidence, breaking down technology and revealing what the evidence means in the context of the case. For me a trial is the most interesting part of digital forensics.
Of course, nothing is more exciting than being part of the action, for instance, taking part in dawn raids with the police. This type of work is unpredictable at the best of times. I used to enjoy the focus the work required.
I can still remember my first raid. Let me set the scene for you: there was myself and a computer geek, sitting inside a police station amongst a group of burly uniformed and plain-clothed police officers before dawn for a briefing. It reminded me of a scene out of the British television show, The Bill.
The house was based in a suburban estate, next to a busy main road. I went from room to room pointing out the equipment and devices that might contain evidence for the exhibits officer to seize. Back to the station a couple of hours later and I was creating a write-protected review of the key computers while the suspects were being interviewed; the material I was looking for could help sway the interview. It really couldn’t get any further away from sitting in a darkened office coding up another widget for another website. But we’ve all got war stories.
The landscape has changed since those early days, and I found that the fraud investigations were those that piqued my interest the most. Having a deep understanding of programming, networks and computers in general, I found that I could drill down deep into the data and find the evidence to understand how it got there and why. I was an early instigator of Windows log file analysis, and building a timeline of user activity from log files is something I’ve had to do on an industrial scale for some of the bigger operations, like Ore.
Do you have any plans for the near future, research-wise? Are you working on anything at the moment?
My doctoral research explored the possibility of using genetic algorithms to generate adaptive network protocols; basically applying artificial intelligence techniques to generate the adaptive behaviour of congestion control and avoidance in TCP. So I was delighted that Nuix have given me the opportunity to work on machine learning techniques to improve our forensics software products.
I am currently doing my own review of machine learning frameworks. Right now, I still have my feet firmly in the world of a digital investigator: I know what evidence to look for, where to find it and how to present it. I want to harness that understanding of the investigative process and use the latest advances in machine learning and artificial intelligence to identify relevant material, and do it as quickly as possible. At the same time I understand that domain-specific knowledge is key and we need to pass the power of investigation back to those who understand the case.
What was the industry like when you were first starting out your career in comparison to now?
I started in 2002, so there were no smart phones or tablet computers, and laptops were mostly bricks. The social network of choice was MySpace and a search for technical information was limited to “man -k”. Google was starting to become more popular because of its method of scoring web pages based on links, which worked well when looking for information within the field of computers.
I conducted my first real examination using The Sleuth Kit (TSK), a command-line-based open-source examination tool. It was a very low-level way of seeing things: you had listings of partition tables with sector offsets and I would cut out a filesystem using dd. Reflecting on that process now, it surprises me that I have not used a better timeline tool than that provided by TSK, which I used in those early days of my career. Also, that nuts-and-bolts view of the world formed the mental model of hard disk structure I have fallen back on in every examination since. I like solid foundations.
One of my go-to tools then was grep and, to be honest, it still is today, combined with find of course. Today you’ve got Splunk and Logstash and all sorts of fancy log parsers, but finding what you want with grep, piping it through a couple more rounds to narrow in on what you want, then piping into cut to tidy up the fields can be a very fast way to get results. I used to use awk more, but I don’t find the need so much these days as I do most parsing of data rows with Python and the CSV module. Although I’ve been using those same old tools for years, today I tend to combine them with Python and I do workings-out in a Jupyter notebook.
I guess the biggest change has been from dead-box, or snapshot, forensics, where the whole case was on a hard drive, to today where the information you’re looking for is in the cloud – the suspect’s computer has less and less of any evidential value.
When I started, I worked mostly as a consultant to UK Law Enforcement and the standard procedure was for them to seize the one tower-case PC from the suspect’s bedroom, along with his collection of CDs and floppy disks. They’d be stored for up to 12 months in a secure lock-up and then brought to us to investigate. So I would need to understand the investigation and I had to understand what was relevant and what wasn’t.
Fast-forward to 2018 and we’re examining enterprise systems with storage spread out across the globe. With absolutely no chance to ‘shut down for a while so we can take a forensic image copy’, our tools now need to be able to make sense of the data from mailboxes containing thousands of emails and file servers containing millions of documents, not to mention chats and social media posts. Using tools like Nuix Workbench and Nuix Web Review we aim to hand back control of the investigation to those with knowledge of it.
What do you hope to accomplish this year?
I was a coder, not a writer. Even though I wrote a thesis, it was presenting evidence for trial that made me a writer – well, it is more legible than it was. What I would really like this year is to pick up some big code base and become a day-to-day developer again, just something to satisfy the builder in me.
What are the most challenging aspects of your work?
The work I do can be tremendously challenging, whether that is the pressure of presenting evidence of such quality that others will feel they are able to make judgments that will impact someone’s life, or understanding what a client’s trying to achieve and dealing with IT infrastructure to make that happen. To answer the question directly: right now, understanding technologies like Ethereum (how we can use it) and, of course, the Cloud.
Nick Sharples is Senior Solutions Consultant at Nuix, a full-service digital forensics company with customers in more than 70 countries.