Paul Shomo, Senior Technical Manager, Guidance Software

Tell us a bit about your role and what a typical day in your life looks like.

In 2006 Guidance had this new product research team that I was recruited into that was doing forward thinking research, new product launches, and they were just releasing the first incident response products, then they just did security alerts from SIEMs, and then automated forensic response. So I ended up in there, and then I went on to manage and then architect cyber-security and forensic products for about eight years. Now I work with a lot of partners, scouting technology we can license into our product line. And I do a lot of writing. I’m a Dark Reading contributor and I’ve published recently in Security Week. So that’s my deal. That’s my background.

When I started in software, I was a strict software developer, and I remember thinking forensics sounds kind of hokey – like what really can you tell about a computer? And then I went to training, and it really freaked me out, to see essentially anything a user or an application does leaves some kind of residue behind, whether it stays for a long time on the disk or it’s a memory. It really changed my perspective on privacy, it really altered the way I use digital devices. And then, to really tap into this community of researchers that do all the reverse-engineering…

I really feel like in the mainstream of IT and cyber-security, they don’t know a whole lot about the power of forensics. I feel like… I’ll talk to people who do incident response. And I’ll maybe talk about some forensic artifacts that are on the SANS Windows chart. And their eyes go wide. They’re like, “Really? Internet Explorer is recording every single thing going back years?”

So I think it’s a real shame, because there’s so much great work that the reverse engineers do. The media likes to cover when someone hacks a plane, or once in a while they’ll cover that a new artifact was found, like… Apple had that database of GPS. But that was like seven years ago. And forensic people were the only people not surprised. Everyone else was. And we were like, “Woah, if that’s freaked you, wait till you see all the other stuff we do.” But it never seems to make it out into the mainstream.

And I think part of it is there is a culture of discretion in forensics, where you do investigations where you see crimes, you see bad things, you see all these things, and you may investigate and look at intellectual property or your CEO’s emails. And I think maybe there’s a little bit of a culture where we don’t talk. And I think maybe that has hurt getting the word out about forensics. And that’s why – I don’t know if you know about the Forensic Awards artifact Research Program, that was one thing that a bunch of us at Guidance have wanted to do for years. So we can basically take what the artifact researchers are already doing and just put our promotional capabilities behind it and say, “Hey, media, mainstream IT, look at what these guys are doing!”


Yeah, I saw it on the website and it’s a really interesting initiative. It’s something that is needed in the market, because sharing of information is one of the key points. Because no company can do everything on its own. We need the community to help each other. Otherwise it’s impossible.

What do you think are the new challenges in the digital forensics field?

I think there’s always two big challenges to me. One of them is the amount of data we move around is just incredible. It’s huge. It’s more than anybody, really, is doing. The gigs and gigs of memory and hard drives. Hundreds of gigs, terabytes. And to be able to do forensic investigation on a mass scale, that’s a big thing. I think one of the things that we’ve been doing, I’ve been working on for years, is this enhanced agent, which has a more powerful agent, so instead of sending giant images or lots of data centrally to be processed, we’re allowing the endpoints to do the forensic processing and just send back the answers, the metadata. And it sounds like wow, we’re using a lot of the power at the endpoints, but they rolled that thing out, I haven’t heard a peep of complaint from customers. Everyone’s using it. That’s one of the big, big key points, is to be able to handle that much.

So I think that’s going to be a big game-changer that I think people aren’t talking about… it doesn’t sound too sexy, until suddenly you do memory forensics on a hundred thousand machines because they all do it in parallel and you get the results back – then people are going to talk about it.

That’s one, and the other thing that I think is just… the endless challenge of forensics is how do you deal with all that data? So much data. How’s a human supposed to go through it? I really feel like that’s a big area in terms of algorithms, analytics, whatever, to write certain data up that you can look at. And I think the way that law enforcement works a lot of times, it hinders vendors’ ability to do that, because they don’t want to go to court and have them say, “Well, this vendor told me here’s where the evidence is,” because it looks bad. So those are some challenges I think, and opportunities, going forward.

Yeah, I agree. And do you think that the usage of IOT devices will be interesting for the forensic community? Do you think that it will be possible to get some data from them that could be used for investigation?

Yeah, well, first off, the forensic researchers are such crafty people. We saw cracking open Xboxes and reverse engineering file systems and artifacts. If anyone’s going to get it, it’s going to be done by actual, individual researchers. But in terms of products that get us access to that data, we’ll see, but I can tell you – my bosses have a lot of attention on it. They’re working on things, and I think they’re going to make some announcements tomorrow.

But we’ll see. It’s tricky. I started my career actually writing firmware in routers. And I worked for the company – they own the BSD OS, we saw some of these real-time operating systems. And each environment, each hardware is so different. Just getting the operating system running on there, let alone installing an agent, is tough. But I think with Linux and Windows, we have a good shot at doing it.

Yeah, I agree. One of the questions that we have on the forum is a lot of young people asking us, “How can I start my career?” or “I’m interested in this field…” What is a good way for you to start? What kind of background is needed?

I’m not sure I’m the best person to answer that because I mainly worked on R&D and I hired software developers. And if you’re talking about that side, you want to work for a forensic vendor to develop software, most people who do that have a computer science degree or something similar… it doesn’t have to be computer science, but some similar degree. But in terms of an actual forensic practitioner, there are probably a gazillion people here that’d be better to ask than me.

Okay. And how many people do you manage in your team?

Right now, I work with probably four different partners externally. So I don’t have a team of developers in-house, I rely on external people. So that’s the way it works for me. We have all our open APIs, we have EnScript, we have, for our endpoint security product, an open API with a whole partner ecosystem that integrates with us.

Are you part of the project that encourages people to find new forensic artifacts?

I’m one of the judges, I was one of the people that pushed to launch it. I don’t know who would say it’s their idea, because lots of smart people have talked about it. But yeah, I’m going to be one of the judges, and we really want to bring in judges around the community that are well respected and get a good number of them.

So yeah, that’ll be a very interesting thing. I hope we get a lot of submissions and awards that the media wants to talk about, that drive interest in forensics. The bigger the market is, the better for us.

What is the best way for a forensic examiner to keep their knowledge up to date in such a constantly evolving field?

Well, I think I’m biased, but coming to Enfuse and going through the training here, it’s – you come in one place, and you get a variety of different technical sessions. And obviously we have our training department that has options all over the country.

The other thing I wanted to say about the forensic awards is – the fact that we have cash prizes I think is a very important thing, because you’ll see more traditional security researchers that make money off vulnerability bounties, some of them supplement their income – if you’re a consultant, that’s the kind of thing you do, because you can win prizes, awards, you get promoted, you build your brand, your personal brand, the brand of your consulting company. So that’s something we really wanted to do. But we don’t want to own the artifacts. We want them to be open, like they always are. We just want to help supplement income with awards and let it be open for everybody.

Because it could be – from the external point of view it could be seen as, “Oh, they want to pay people to have some secrets.” But that’s not the idea behind this.

Yeah. That’s not the idea. They’re going to be able to release them, just as they always have. But we just ask that you submit it, wait till the big announcement before you release… and maybe we can even change that in the future. Just so we can have a big promotional thing, so we can gather people – “Hey, look at what these researchers did. Here are the award-winners.”

How many years have you been working for Guidance?

Almost 11, full-time.

So you’ve seen a lot of changes in this field, starting from computers and moving to mobile devices and so on. So your experience is really strong.

Yeah, the last two years in particular, with the new leadership, and that whole ship has been… I’ve probably seen the biggest changes in the company.

Paul Shomo is Senior Technical Manager, Strategic Partnerships, at Guidance Software. You can find out more about their forensic security research program here.

Forensic Focus interviewed Paul Shomo at Enfuse in Las Vegas, NV. For more details and to find out about next year's event, visit the official website.
