Steve, can you tell us a bit about yourself and how you got into e-discovery and digital forensics?
Sure. I actually was a banker back in the mid 1980s and there was a financial crash. And from that, there was a quasi-governmental organization called the Resolution Trust Corp that was born, and I became an investigator for them. Our investigations back in those days were all paper-based. But, around the early 90s, we started talking about electronically stored information. Obviously they were mainframe computers and things, but it became more and more normalized to start to deal with computer files instead of paper files.
I’m a private investigator and I’m a lab manager for a private security company in Texas. So I got into forensics really by force, because the data that I had to review and access and investigate moved from being paper-based to electronically-based.
What is your current role, and what responsibilities does it entail?
I’m a partner in the company and the Director of Business Development, and then I’m a private investigator and the lab manager.
What kind of cases do you usually deal with?
Every single day is pretty different. I would say we probably actively begin three to five cases a day, and I would say they tend to be more civil than they are criminal. But we have worked on terrorist cases and ransomware cases, hacking cases, social engineering cases.
But the soup of the day, and the main cases that we deal with, are what’s called exfiltration or migration cases. Those are times when people take things that they are unauthorized to take. About 70 percent of people that leave companies, according to some stats that I’ve read, believe they have the right to take things because they created it. So think, if Adam creates a bunch of content for his company, he’s like, hey, listen, that’s my content. I created it. But the reality is, it really is owned by the corporation.
So people take things sometimes knowingly, sometimes unknowingly. And so we do a lot of investigation to try to track down people’s behaviors and the ways that they exfiltrate or move data from a corporate environment to their own personal environment or to a new company.
What changes have you seen in data exfiltration over the years?
The way they used to do it 20-25 years ago was, you picked up paper and you stole it and you walked out the door. Now there are four major ways to exfiltrate data.
Nowadays, the most famous one is using a USB drive. So plugging in a USB, a flash drive, and copying data over. Sometimes there’s really good forensics behind that. Sometimes there’s not really good forensics behind that. But that’s probably the major way nowadays.
And with Dropbox and Box.com and iCloud, you can also just sync data to the repositories and then access it from your personal computer at home. That’s another really famous way Adam and I were talking about [at the Enfuse conference] this morning.
Adam identified one really good one, which is using your mobile device to take pictures of things. My wife works at auction.com, and all the latest phones have scanners on them. So now if I’m in your office and you have proprietary information and then you walk out to get lunch or something, I can literally open up my scanner, and scan the document. It’s as good as the old codex we used back in the day with push-through paper.
And then really the final way to exfiltrate would be to use email or text messaging. So I can send stuff to my wife’s account, or I can text it to Adam. And now he has a document that I’ve attached to it.
So those are the classical ways that exfiltration has changed from just physical robbery or stealing IP to how people use computers. And really nowadays more mobile devices, like tablets and phones, are used in exfiltration.
What do you think are some of the future challenges in this field?
Size of data is a huge one. I always say I did a presentation a few minutes ago and my first computer was 5MB, right? I said that one earlier. And now all my kids have three, four or five terabyte drives on their desk. They backed stuff up, too. So just the volume of big data.
That has changed the character of collection, because if you’re doing full bit-by-bit collection of data, you get the totality of the space. So you can’t just target 5GB or whatever, because bad people a lot of the time are covering their tracks and we need to get the details about their behavior. And sometimes we need to get to the deleted data. So data, big data is hard.
And also, where data is resident. People say, well, nowadays on phones. But, you know, if you sync your phone, it can also be on backups that are on your computer or can be in the cloud. Or if you use Apple, maybe it’s on Time Machine backups or maybe it’s on a flash drive. So residency is one thing – where it’s located – and then redundancy is the other thing.
And redundancy refers to how many places are backed up. For example, Tom Brady is a football player in America, a famous guy. And he had this thing, deflategate. So the judge ruled that he had to produce his phone. He went in there and produced it and had reset it to factory settings. Well, nobody over the age of 17 is ever going to reset their phone to factory settings without a backup, because none of us are going to repopulate all the apps, all our contacts. I mean, I probably have a thousand contacts on my phone and there’s no way I would go through the process of doing that. So it’s a little disingenuous. But I think that we’re shifting to exploration and migration a lot more with mobile technology. And so I think you need to know where things live, and then you need to be sensitive to where they’re backed up to.
And do you see an increasing user awareness of these issues, or not?
It’s a great question. And this is another one we talked about earlier today [at Enfuse].
You know, I’m a little jaundiced because I’m a little older and I’m very sensitive to my surroundings and things that can go wrong. And I’m a little bit of a cup half empty guy; as an investigator, I’ve seen a lot of bad things.
I have three daughters and I coach girls’ soccer. So I’m particularly sensitive about exploitation of young women and things that happen to them. And not just physical behaviors, but also taking advantage monetarily and things like that. And we talk about social media and social messaging and the platforms that are out there, and some of them scare me.
Adam pointed out earlier today how great some of the things are, like with the Hong Kong protests, it’s opening up the door to information that we otherwise wouldn’t have. That’s really cool around the world. So we’re seeing some things that we probably wouldn’t see otherwise, absent some of these channels.
But then I think it also is allowing some bad actors to prey upon people. And I think they tend to prey upon, unfortunately, people in my age group and older and then people that are pretty young. And I think the millennials are pretty savvy about what they do, how they use it and the techniques and tools they use. So I think in that age group, it’s good, but I see a lot of abuse of youths and the elderly.
One of the questions we see a lot on the Forensic Focus forums is, how can I get started in digital forensics? What advice would you give to a young person who wants to start out in this field?
Forensics has really exploded. It is a kind of a science/art, I don’t think it’s just science; I think there’s a lot of decision-making that goes on.
You asked earlier about challenges, and I think the producers and manufacturers, like Apple, are protecting through encryption and through disabling API in some standard techniques, so it is a moving target to the forensic professional. What that has created is a large educational pool for people that want to get into it.
A lot of schools now have forensic programs. In Dallas, Texas, where I’m from, Richland, which is a junior college, has a two-year program. It’s outstanding, and it gives people some real hands-on experience learning how to do things like bit-by-bit imaging, and how to use mobile device technology imaging, and how to suck things down from the cloud.
And now we’re seeing organizations pitch in as well. Think about where we’re sitting right now: Enfuse is gigantic; Enfuse came from Encase, which is kind of the gold standard in the forensic industry. And Enfuse has been a place where there’s been a great exchange of information. I’ve been sitting in talks that have nothing to do with my livelihood, that will make me no money. But I’ve been listening to them and it’s fascinating learning. So I think there are tons of resources out there.
SANS is another huge one. And the other beauty about all this stuff is you don’t have to go on a plane: a lot of it’s online. The beauty of the online thing is that now you can get accreditation and certifications and learn how to do things. So man, for young people, I think this is a gigantic opportunity.
My way in the back door was very abnormal, because I was an investigator for years and years and I either had to stop being an investigator or I had to learn something about forensics. But nowadays, younger people can jump into forensics and they already are pretty in tune with how to use computers and music. When my kids text, they blow my mind with the way they use their phones.
What personal qualities do you think are the most important for people working in this field?
Great question. I like to think being levelheaded, not being predisposed. I think you need to be desensitised a little bit to some things you’re going to see and be aware of. And I think that’s true of any investigator. You see a lot of really bad things. My day is just unfortunately part of life and somebody’s got to deal with it.
I believe that my role is to uncover the truth. That’s what I believe forensics is about, uncovering the truth, not really making judgments. That’s my big thing that my wife and I talk about: don’t judge. That’s it. That’s like the two-word phrase you should use.
I think you need to be an independent, objective individual. You know, it doesn’t hurt to have some smarts, obviously, and some aptitude as it comes to computers and the like. But you don’t have to be a programmer, or a coder, or anything. I think you can learn a lot of what’s out there because there’s a lot of really smart people that are leading the wave of forensics.
And even at Enfuse, people are going and taking certifications and classes and labs and hands-on trainings. There are lots of resources out there for younger people.
I think you need to not be judgmental, not necessarily take sides. Just be very independent. Let the data speak for itself and be more of a data scientist and less of the gumshoe investigators we were before, where we were looking to find stuff out about people by following or tailgating and things like that. Nowadays, we always say, the data is what it is.
I used to testify all the time and they would try to rake me over the coals and make me look bad, and look at other things I’d said, and try to go into my social media stuff, and all that. Nowadays, the data is the data. If you plug the USB in and you copy 15 documents over, I mean, I didn’t do it. You did it. So, you know, it is what it is. You can answer in a court of law, but it is kind of black or white in terms of the behaviors we’re seeing.
And computers, especially with new operating systems, both Mac OS and Windows 10, are allowing more and more forensic analysis. Now it’s capturing more and more and probably making the forensic investigators’ jobs harder, but giving them a lot more to look at. I mean, ‘jumplist’ and ‘shellbags’ weren’t even words a few years ago.
Finally, when you’re not working, what do you enjoy doing in your spare time?
I’ve been a coach and I’m a former player, but I had six knee surgeries, so I don’t do that anymore. Once you can’t do stuff, you tell other people how to do it. So I travel around the nation with a club team, and the kids usually land D1 scholarships or colleges, or I get to follow them. So I do that a lot.
My wife and I have been married a while, and we really enjoy traveling. So Italy, great place to go. We travel a lot in Europe.
We’re foodies, so we like the food scene. We were talking earlier about Sarah Cisco in Chicago and Portland. And nationally, there are so many great places to go. So we like to do a lot of that, a lot of traveling.