Warren Kruse, Vice President of Cyber Investigations, Consilio

Warren, tell us about your role.

I am Vice President of Cyber Investigations for Consilio, a global Legal Consulting and Services company.  I assist clients of all sizes dealing with data forensics, electronic discovery and cyber review challenges.

What are some of the most prevalent case types you see come through?

Although I cannot talk about specific cases, I see many employment matters, like potential theft of intellectual property and trade secrets. While those cases occur often when employees leave a company and go to a competitor and may start using trade secrets from the preview company, I was surprised to see an increase on those matters during the pandemic when people were working from home.   

What’s an investigation that has caught you by surprise recently? How did you solve it?

Can’t give specifics but I can say that just when I think I’ve seen it all, something comes around that surprises me even further.  We approach and execute on each case with an inquisitive but detailed eye towards the data and leverage of robust tools and workflows.

Are there any particular tools that you’ve been relying on? 

I use a combination of tools especially for cross validation.  I’m a big fan of Magnet’s tools and I rely on Magnet AXIOM and Magnet AXIOM Cyber for most if not all my investigations, along with other tools to assist in validating my findings. The value we provide clients is by application of the right tool, the right process to achieve a requested result.

Why does Magnet Forensics have your trust?

As the saying goes “trust but verify” when Magnet comes out with an update, I test it against my personal data that I am familiar with. They also have a nice beta program so you get a look before it is released.  They also have very good training so you not only understand the tools but get a better sense of a lot of what’s going on in the entire field of digital forensics.  

What do you find to be the biggest challenge in your role?

Hard drives and data sizes continue to explode in size, but the time people have to get results is shorter than in the past. This requires more leverage of smarter tools to get through more, faster.

There is something else worth mentioning even though it’s really a second item. As a big fan of being prepared, we like to get as much detail in advance of especially mobile devices where we often times find instances of the “smoking gun” evidence. For instance, we like to be aware if there are any 3rd party application data that we should ensure is collected during our acquisition quality control (QC) steps. Many times, the entire store of evidence may not be on the device and is best collected from the cloud repository versus the mobile devices. This is often overlooked and is helpful to allow smooth collections and least inconvenience to the client and counsel.

This is something AXIOM and AXIOM Cyber do really well. I rely on features like Connections and Timeline to help quickly get that data from different sources and organize it to really tell the story of the evidence.

Prediction time: What do you think will be the biggest change that DFIR professionals will see over the next few years?

I think the pandemic changed a large part of the way we used to do data forensics, lab or on-site analysis. I think they will both come back to some degree over time but our ability to work remotely has increased and clients’ comfort with it has also increased.  AXIOM Cyber is a perfect tool for the remote world we are in.  

If you were talking to someone who just started off in the field, what advice would you give them that you would have wanted to hear when you started out?

I’ve actually worked with many people that started off right out of college and I would tell them to listen and never stop learning. I’d suggest that they work alongside more than one more experienced DFIR expert and learn from them. My friend Mike Barba used to say watching some people do DFIR is like watching ice skating, while others is like watching hockey. As long as you “do no harm” everyone does things differently, learn the different ways then make one your own.  

Any other tips you’d like to share with readers?

I love this field because it never stops changing!  Never a dull moment! But it changes fast so you must keep up with it or it will quickly pass you by. There are tons of learning opportunities.  If you see a webinar or some other free of inexpensive training don’t assume that you know it already. Sign up and attend as much as you can. I’ve picked up great tips on topics that I was pretty comfortable with.

I’m actually hosting a webinar on August 25 with Magnet Forensics, called “Digital Forensics and eDiscovery: Where One Stops and the Other Begins”, and I think it can be a great chance for readers to learn a bit about how to better manage workflows between digital forensic and e-discovery teams.

Leave a Comment