Dr. Marziale, you've been with BlackBag for four years as a senior researcher. What does your day-to-day look like in this role?
Well, I work from home in the beautiful French Quarter in New Orleans, so my office has a great view. And I’m a coffee nerd so I have a whole table of toys – scale, temperature-controlled kettle, AeroPress, grinder, freshly roasted beans etc., to make amazing coffee. These are some of the things that make spending days at a time staring at a hex editor trying to “beautiful mind” some sensible structure in a binary mess workable. I spend a lot of time doing that.

Outside of that, my day-to-day is not so day-to-day. Sometimes it’s original research into some artifact that has piqued my curiosity or poking at some new OS or app version to see what has changed. Other times it’s seeing work others have published and trying to wrap my head around it to determine if, how, and when we should try to get it into BlackLight.
Or I’m spending time doing more dev-like things: helping where I can with product integration, or squashing bugs I may have introduced. Or hopping around the conference circuit, often speaking, but always listening. I abhor boredom, so I have my hands in many pots.
How did you first become interested in digital forensics, and what led you down the path to BlackBag?
It all started when I got my BS in Finance at UNO around 2000. Then I went looking for a job and was going to be stuck cold-calling folks to build up a customer portfolio. That’s not really my kind of thing. I took a programming class for fun my last semester and decided I’d just go back to school and try out computer science.
Nine years later I had effectively finished a BS, MS, and PhD in Computer Science, with a focus on digital forensics, thanks in large part to my advisor, Dr. Golden Richard III.
After that I worked for a private digital forensics firm for a few years, and then my colleague Dr. Joe Sylve and I decided to branch out on our own and open a boutique digital forensics and general computer security consulting firm, 504ENSICS, with some startup help from the DARPA Cyber Fast Track program. We came up with the company name after several beers – 504 is the area code for New Orleans – and it wound up being a hilariously bad idea. We had the hardest time verbally communicating the URL to people.
Our firm began doing contract R&D work for BlackBag in 2012. After working together for a while we decided to meet up in New Orleans to discuss joining the BlackBag team. Quality of life is of paramount importance to me, so spending some time with their team seeing if it was a good fit seemed wise. It turns out it was a great fit, and I’m happy as can be here four years later.
Your work is wide-ranging: this year you've presented on the Windows 10 Activity Timeline as well as the macOS Spotlight Desktop Search Service. Many researchers would focus on one OS or the other – what are your research interests, such that they enable you to span platforms?
I definitely do not constrain my research even to the main OSes; I’ve also done memory forensics research, and some work on Linux forensics too. My main research interest is, having done forensics investigations for a few years, to make things easier for the investigator. I know that sounds squishy, but my goal is to push us closer to the tool telling the investigator the story of what happened one baby step at a time.
Having spent time digging around in OS internals, algorithms, cryptography, computational complexity theory, and other topics in academia, and having been a digital forensics researcher, developer, and practitioner, gives me a wide range of experiences to draw on. I try to take a step back and see the bigger picture, and try to find new avenues to ease the pain points I’ve experienced.
In your view, what's the benefit of platform-agnostic research – what kinds of connections does it help you to draw, and what's the value of this to BlackBag customers and the broader digital forensics community?
Well it definitely gives you a wider view of the types of artifacts that might be around just waiting to be discovered. If Windows is tracking some bit of data, it’s likely that macOS is tracking it too. Probably buried in a plist and not the registry, but there’s a good chance it’s there somewhere. And since our tools process many OSes, knowing a bit about all of them helps avoid tunnel vision when digging around in some new artifacts on one of them.
What research are you proudest of, or do you feel has had the greatest impact, on BlackBag products or the community at large?
That’s a difficult one to answer, but I feel like presenting research at conferences and other public venues has a pretty big impact. Being able to disseminate new, interesting, and useful information to a room full (or virtual room full) of interested parties in the field is a powerful thing. It injects knowledge from a person who understands a topic well directly into the brains of those who can best put it to use.
From the other side, sitting in for talks by others has sparked innumerable ideas in my head, solved problems in my research, allowed me to avoid roadblocks, and just generally added a measure of fertility to the world of research projects I bounce around to.
Though my work these days tends to be mostly around dead box forensics, I listen to talks from all over the DFIR spectrum and other similar fields. There are relations everywhere if you listen carefully enough.
What's the most important thing you want the community to know about BlackBag R&D?
Our focus is to try to solve the hard problems that plague our customers, and the rest of the community.
In addition to your day job, you organize BSides NOLA and serve on the advisory board for the SANS Threat Hunting & Incident Response Summit. How do you juggle all these varied roles and responsibilities?
Oh my, yes, it is a lot to juggle, and that’s not the half of it. I’ve helped organize a monthly computer security and digital forensics meetup in New Orleans for the last 10 or so years – NOLASec; had various roles helping with DFRWS; reviewed papers for a handful of journals in the digital forensics space; blogged about research; written a few FOSS tools; and I am sure there are other things I am forgetting.
I do spend a lot of time and energy giving back to and trying to expand the community. Sharing is caring… and burnout is a real thing. Luckily for me, in my research role, there is some overlap between my interests and responsibilities. For example, I review papers I’d otherwise need to read anyway, or use talks I’ve given at conferences for talks at NOLASec. Also, I find writing blog posts is a great first step toward documentation writing (or the other way around).
What's exciting you most about your current research, looking into 2020 – what can you tell us?
There is a lot of work going on with timelines and artifact correlation. This is a topic I’ve thought about a great deal for well over a decade – my UNO colleagues and I published a paper on the topic back in 2007 – and my brain wanders back to the subject often. I’ve implemented several proofs of concept over the years, read stacks of academic research on the subject, and taken many tools developed by others for a spin. It’s an extraordinarily difficult problem with no perfect solution. It might just be time for me to give a real production implementation a try and see if I (obviously with a ton of help from our fantastic team at BlackBag) can manage to come up with something cool.