Stuart Clarke, Director of Cybersecurity and Investigation Services, Nuix

Stuart, please tell us more about your role as Director of Cybersecurity and Investigation Services at Nuix.

My role covers three main areas: product development, support and training, and advisory to the United Nations’ International Telecommunications Unit (ITU).

Having used Nuix since 2008 as an industry practitioner working on data breach cases, I knew Nuix had the power, flexibility and potential to do more. I was lucky enough to receive the backing of Nuix to explore this potential and spearhead Nuix’s product development in the incident response and cybersecurity space. I’m focused on everything from our collection technology, to enhancing the Nuix Engine and growing the investigator features. This role is fairly technical; I write scripts and create proof of concepts to initiate new features in the product roadmap. Working with the Nuix development team is a hugely rewarding experience.

The second element of my role is to support Nuix’s investigation, cybersecurity and eDiscovery areas through training, speaking at events and managing a team of solutions consultants.

The third main element of my role, which I am immensely proud of, is advising and partnering with the ITU – a specialist information and communications technology agency within the United Nations. I travel the world to consult with member states and decision makers, and deliver forensic investigation training to individuals tackling cybercrime.

What specific challenges faced by digital forensics professionals is Nuix trying to address?

Our primary focus is tackling large volumes of complex data to find facts fast. This may seem like a difficult undertaking, but it’s very much the message we believe in and was the driver behind our elephant video. The Nuix Engine has a unique combination of load balancing, fault tolerance and intelligent processing technologies, which has been developed and refined over the past 15 years. This combination makes it possible to search, analyze, categorize and manage massive volumes of unstructured data—quickly, thoroughly and reliably. This enables digital forensics professionals to gain a single window into multiple evidence sources, including difficult formats such as archives and legacy applications.

Nuix Web Review & Analytics, launched in July this year, delivers online review capabilities with flexible role-based security from any web browser. This means that anyone, including non-technical reviewers, can use powerful visualizations and reports to get to the key facts quickly.

Version 6.0 of the Nuix Engine was launched very recently. What new features are included in this update?

This was a huge release for Nuix and I’m proud to have been heavily involved in the development. While the bulk of the features and enhancements are cyber-related, this release helps Nuix customers address data problems across all parts of the business. The Nuix Workbench now runs on Windows, Mac and Linux. We’ve created powerful filters and file groupings to allow investigators to locate and examine artifacts with a click of the button. For example, data from the registry or data across various different web browsers can be presented using a single filter.

We’ve enhanced our already very powerful named entity extraction capabilities. Investigators can now control the depth of entity extraction (file content, file properties or text stripped data) and they can also declare the file types required for entity extraction, allowing you to get to the key evidence faster than ever. And, for the coders, we support Python scripting!

Our file type support has grown significantly. Some highlights include web-based logs from IIS and Apache servers, network packet captures (pcaps), Parallels virtual disks, Pages, Numbers and Keynote data from Apple Mac, and structured data including a live connector for ingesting and querying Microsoft SQL databases. We now extract more file system data, including the $UsnJrnl file, enabling investigators to understand the history of a file. We’ve also enhanced our thumbnail viewer to include more metadata and image blurring.

Can you discuss the additional features for cybersecurity incident response investigations in more detail?

Definitely. Log files are typically the primary driver in a data breach investigation, therefore we’ve added extensive support in this area. The release also includes features to support both structured and semi-structured data. This means that Nuix can extract data from sources essential to cybersecurity and incident response investigations, including IIS and Apache web server logs, FTP logs, Windows Event logs, network packet capture PCAP files and live Microsoft SQL Server databases.

The content of these logs is written to searchable Nuix fields, and we go a step further by decoding any query strings encoded with web logs in formats such as hex or Unicode. This means you can comprehensively search for SQL injection, even if the attacker tried to encode and hide it.

Our experience in incident response meant that including support for live data captured off the wire in a network was critical to give investigators a full view of what happened. Much like our web log support, we extract the content of pcap files into Nuix fields. We also text strip the packet binary, allowing investigators to extract entities and search this data.

Understanding the data that was at risk during an incident can be achieved through our live Microsoft SQL Server database connector. We can ingest an entire SQL database, selective tables or data responsive to a query into a Nuix case. Using this functionality, it’s also possible for an investigator to replicate a query used by an attacker during a hack and demonstrate to clients the scale of the incident and the data that was at risk.
Some other highlights include near duplicate identification of exe files, which proves very useful to malware investigators looking to identify malware that has morphed across a data set.
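The decoding step described in this answer (undo hex, double and Unicode-style encoding of a web log's query string before searching it for SQL injection), shown as an added example written for this page rather than Nuix's own code. The Apache-style log lines, IP addresses and detection patterns are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not real traffic; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2014:13:55:36 +0000] "GET /index.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2014:13:55:37 +0000] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2014:13:55:38 +0000] "GET /index.php?id=1%2527%2520UNION%2520SELECT%2520null-- HTTP/1.1" 500 220 "-" "curl/7.35"
203.0.113.13 - - [10/Oct/2014:13:55:39 +0000] "GET /search?q=%u0027%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed SQL injection indicators; they only match once the query string is decoded.
SQLI_RE = re.compile(r"('\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$|'\s*;)", re.IGNORECASE)


def decode_query(raw: str, max_rounds: int = 3) -> str:
    """Decode %XX hex and %uXXXX Unicode escapes, repeating to undo double encoding."""
    text = raw
    for _ in range(max_rounds):
        decoded = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), text)
        decoded = unquote(decoded)
        if decoded == text:  # nothing left to decode
            break
        text = decoded
    return text


def scan_log(log_text: str) -> list:
    """Return one record per log line whose decoded query string matches an SQLi indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than fail
        path, _, query = m.group('path').partition('?')
        decoded = decode_query(query)
        if SQLI_RE.search(decoded):
            hits.append({'ip': m.group('ip'), 'path': path,
                         'decoded_query': decoded, 'status': m.group('status')})
    return hits
```

Searching the raw field would miss the second and third encoded requests; searching the decoded field finds all three.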

The Nuix Workbench interface is now available in nine languages. How challenging is it to meet the needs of such a diverse market?

It is a challenge, but a challenge we are uniquely placed to address. Our first customers were in the Asia Pacific region, so developing a tool capable of handling all languages and different data encoding was fundamental. And, although client needs differ from region to region, they all share the same problem – data. It’s all about the data. No matter who you are or what you’re trying to do, Nuix makes data speak your language.

What's next in terms of the product lineup from Nuix? What new developments can we look forward to?

At Nuix, we never stop developing and we already have features completed for the next release. Some key things to look forward to include fuzzy hashing, more database support, volatility deployment and integration, malware analysis, and template forensic processing and workflows. Our OEM offering continues to open doors to our customers and there’s lots more coming.
Aside from adding to the core Nuix Engine, we’re working on new products for privacy and the detection of sensitive material on an enterprise scale, more visualizations, investigation dashboards and enabling users to use Nuix without the index.

We have a growing number of incident response and other hands-on cybersecurity practitioners who are helping to identify and build more of the features people need in core forensics or incident response. We’re also building a world-class training and certification program to help our customers make the most out of their investment in our products. You can take industry-based Nuix training courses in cybersecurity and investigations in any major city across the world.

Having worked in this field for several years, what would you say has changed most since you first started out as a forensic investigator?

For me, the huge diversity of evidence sources and data types has changed the most. Digital evidence is usually made up of around 80% unstructured data—human generated information found in emails, documents, photos and other formats. Tackling the different evidence sources and data types is very much a moving target; each new technology creates its own format which is often poorly documented and understood.

There’s also more data. My first forensic case was an 8GB image – close to the size of the recent Mac iOS update! The growing volume of data makes it very hard to gain timely insights and sort the valuable from the irrelevant. A typical person generates data on personal computers, tablets, smart phones, web-based email, cloud storage and social media. There is often huge duplication across these devices, which all adds to the problem.
This problem will only grow, especially considering the lack of control around cloud technology, corporate archive systems and the emergence of bring your own device (BYOD). And let’s not mention smart watches or smart homes and cars. Building workflows and guidelines to tackle these challenges is no small task, and it’s critical for investigators and their platforms to keep pace.

Finally, the most difficult question – what do you enjoy doing when you're not working?

When I’m not working, I’m racing my bicycle. While cycling is distinctly different to my day job, both require commitment and hard work. Because the UK doesn’t cater for racing in the high mountains, I’m forced (kicking and screaming, of course) to pursue another passion of mine – travelling. I regularly travel to the Alpine or Pyrenees mountain ranges. Off the bike, I explore the world with my fiancé. We have a scratch-off world map in our home, which continues to provoke me into completing it.

Stuart Clarke is the Director of Cybersecurity and Investigation Services at Nuix. Nuix develops software for indexing, searching, analyzing and extracting knowledge from unstructured data and has customers in over 30 countries, as well as staff and offices in Asia, Australia, Europe, North America and the United Kingdom.
