HTCIA, DFRWS-APAC, and the DFIR Events Industry: A Critique

Simon: You see, I was thinking about this preamble, and I’ve been listening, no, no, no, no, you can’t laugh. This is recording, I want this to go live.

Christa: All right.

Desi: This is the preamble.

Christa: I’m going to have Desi or Ellie or somebody can cut out these parts.

Simon: No, no, no. Keep this, this is gold. Because I was listening, have you come across Honest Trailers on YouTube?

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

Desi: Yeah.

Simon: Yeah. The Honest Trailers guy, and I was thinking, you know, what we really need is a real intro to this. It’s like, so, “Welcome to the Forensic Focus Podcast. This week, Des, Si and Krista will be talking about…” So, you know, I was thinking of amping it up a bit. So, “Ladies and gentlemen…”

Actually, I’ve heard a better intro. You can’t say “ladies and gentlemen” anymore because it’s not inclusive enough. Okay? It is very simple, it’s not inclusive enough. “Friends and enemies. Welcome to the Forensic Focus Podcast. This week, we will be talking about a couple of conferences that we’ve been to: the HTCIA Conference in the US and the…” Desi, you’re going to have to fill me in on this one.

Desi: DFRWS, which is the Digital Forensics Rodeo Workshop, which is a bit of a mouthful.

Simon: Which was local to Desi in Australia. And we’re going to chat about that for a bit. Welcome on board. You’ll be able to find show notes and associated links on Forensic Focus after all of this is done. And maybe they’ll edit out the ums and ahs that I’m putting into this. But essentially, that’s our preamble done. Oh, I like these episodes.

Desi: Too much effort.

Simon: Too much effort. Good stuff.

Christa: If you had me doing the preamble off the cuff like that, my brain would just freeze. That’s why I have to use the script.

Simon: Anyway, we’re good. So, what I said we were going to talk about, Christa and I variously covered some of the stuff at the HTCIA, which is the High-Tech Crime Investigation…

Christa: Association.

Simon: Conference in the US. And, you know, between us we went and listened to a number of talks. It was held, now, I was really jealous about this because it was held somewhere stunningly amazing in, I don’t know, what was it, Palm Springs or something?

Christa: No, no. Atlantic City. I’ve been there. Parts of it look amazing and parts of it look a lot less amazing. And so I wasn’t all that, you know?

Simon: No, you weren’t.

Christa: I don’t feel like, and I hate Vegas anyway, so I don’t feel like I missed out on anything personally.

Simon: Given my experience of the US is mostly restricted to New Jersey, I feel that, you know, much everything else is more exotic.

Christa: Depends on where in Jersey. I mean, there are some nice places in Jersey and then there’s all the exits, you know? And I have friends in Jersey and they’re going to kill me for saying that, so…

Simon: But anyway, so, it was at this hotel. And one of the things to note is that we both attended virtually and actually half of the conference wasn’t covered. If you had bought a virtual ticket, you weren’t able to attend a significant number of the talks.

And there were actually some comments made online about that. And people were concerned that they hadn’t got their value for money, which I think is an interesting thing that people would want to consider taking forward.

Christa: Well, specifically that they had to pick their courses ahead of time and then even after they did that, they still weren’t able to attend. So yeah, that was a particular quibble.

Desi: So that’s a really interesting point. So when I was preparing my notes to talk about DFRWS, I’ve got a whole bunch of points first, which are all my negatives that I wanted to like, kind of get out of the way, which we could potentially talk about.

And one of them was ticket price and the value you got between a virtual ticket and an in-person ticket. So I guess to start, like, how much was a virtual ticket? Like, if you were going to buy just a standard ticket for an adult to go virtually, do you guys know how much that was?

Simon: I don’t know. Hang on. Let me see. I’ll look it up.

Christa: Yeah, because we got comped for coverage, so, I maybe shouldn’t have said that online.

Desi: DFRWS it was the same, I guess. But like, when I was looking up ticket prices because it, like, I recently attended another conference, CyberCon, this week just gone, which was more of a cybersecurity industry conference. But the ticket price was very similar for an in-person attendance.

So I looked this up before I jumped on, but Early Bird Standard was $500, law enforcement was $400 and the student price was $300, which I thought was way too expensive for a student. Like, thinking back to my student days, no way I would’ve afforded 300 bucks to go to a three-day conference.

Now, the in-person, you also got food every day and they did networking drinks and the rodeo and the venue was a uni, which I’m kind of assuming the uni just like, lets them book out that lecture theater. So kind of like taking away that and maybe they provided support for keynote speakers to come over, but I kind of wondered whether they could make that cheaper, particularly if people want to have food.

Christa: I’m going to say that’s an argument for actually more sponsorship on the commercial end. You know, I don’t know, because I feel like there are a lot of conferences in this space and so the vendors I feel like are stretched a little bit thin in terms of what they’re going to sponsor across the span of the year.

And so, I don’t know value-wise for vendors how much DFRWS is in competition with other conferences in terms of like, who are their prospective customers versus the research that’s going in that, you know, might end up in a product at some point. You know, if the value is more indirect at DFRWS and attending or sponsoring than it is for some of the other conferences, so…

Desi: Yeah, I just wanted, because there was like, for someone who would just be interested in the conference to go, and I mean, even the virtual ticket was like 150 bucks, which was quite a lot, and you would’ve gotten vague to just talk with the people that were there in between sessions kind of thing.

But, like with the catering for food and then the drinks afterwards, which were there, and they also had a banquet as well, which was part of the ticket, which is a three-course meal, would’ve been part of that ticket price, whether it was reduced or not.

But if you could opt to not do that, like, I don’t know whether that could reduce some of your costs. But, I thought the same, like, this is not specific to DFRWS, so this was in CyberCon as well, they were catered for morning tea, lunch and afternoon tea plus networking drinks on two of the nights and it was 600 bucks still.

And it was in the Melbourne Convention Center, which would’ve cost quite a lot of money and they had quite a lot of sponsors. But again, like I kind of wondered whether you had two different kinds of tickets where you could just opt out of food and get it a bit cheaper because someone who is new in the industry, like, 600 bucks is still, and it was 600 Early Bird as well, I think, so…

Simon: I think it’s interesting because I mean I don’t attend conferences. I don’t go to conferences of my accord. Because I mean, I’m freelance, I run my own company. Everything that I would want to go to a conference for, I have to pay for out of my own pocket eventually one way or the other. It’s not a company that’s sponsoring me. It comes out of my own pocket.

I have been to conferences because I have given talks and therefore I have gained free access and they’ve kindly actually paid for those sort of conference dinners, as well, which has been nice. But I still, you know, in England it’s not helpful that nothing is local.

I mean, I was really fortunate that actually, the DFRWS in the UK was actually in Oxford so I was able to drive to it and drive home within half an hour. But everything else in this country, I have to go, I have to stay overnight.

That’s another hotel fee on top of the thing, especially if I want to go out to the dinner that they’re giving me for free, you know, I’m going to have to stay overnight, because if I’m, you know, trying to get a train at 11 o’clock home is a nightmare in the UK. Everything stops at stupid times in the UK. The rest of the world is way more sensible.

Desi: Don’t even start. I live In Adelaide.

Christa: The US barely has trains and so, you know…

Simon: Yeah, all right, maybe it’s not more sensible. But anyway, the fact is that we are incurring huge costs to be able to attend, let alone actually pay for content. And I think what Christa and I both found was that the content, I won’t speak for you actually, you can put your own thing on it, is that I find that a lot of the content in forensic conferences where they are vendor-heavy are just sales pitches.

DFRWS is a bit different because actually it’s more academics that come along and give their talks. But the other ones, they tend to be very, “This is our greatest new product. Look what it can do.” And you certainly listen for half an hour to somebody telling you about their product. And rarely is there actually something that it can do that’s novel, interesting, applicable, or useful.

Christa: Yeah, I mean, on the flip side of that, like I think that the vendors have gotten better over the years at offering content that’s less overt about the sales pitch. I mean, it’s still there, and there are some vendors I think that do it better than others.

But the thing for me is it starts to sound all the same after a while. You know, after you attend enough conferences, the content itself has a lot of value for new entrants, you know, people that are attending the conference for the first time, they’re getting their feet wet or, you know, they’ve been in forensics for a while or they’ve been in investigation for a while and then they’re making a foray into a new aspect of the profession.

You know, they’re trying to learn more about, I don’t know, OSINT or something like that, or ransomware. I think that it has value from that perspective, but, you know, if you’ve gone and attended several times, the talks really all start to, it’s like, “I heard this last year.” or, “I heard a variation of this two years ago.” or whatever.

Simon: Well, this is it, is that actually you hear a variation of very similar things from vendors in the same space. But also, I’ve heard, and I’m not going to call out the vendor in particular, but I have heard the same talk given at two, three different conferences now on one vendor.

And therefore, you know, why am I paying to go? I’ve heard it once. That’s it. It kind of sells to me, I’m going to one conference a year, and I will therefore pick the largest one that has the most opportunity for me to go and see the people I want, which probably rules out some of those smaller vendors getting their wares seen.

So I think there’s a little bit of a risk of complacency in not coming up with new stuff for each conference.

Desi: I think, like, talking about content, and I don’t know about this particular example that you were talking about, Si, but I feel like content has a shelf life of about 18 months. So within 18 months, if you go to multiple conferences, you will see the same talk, just because it’s trying to hit a different market you just happen to be at.

Like, I’ve seen the same, and I try not to go to that talk again cause I know that it’s going to be exactly the same, but I’ve seen the same talk at three conferences on the agenda throughout Australia, but they’re all in different cities. So just trying to target that different market. I just happened to be at two of those conferences that that talk was being given at.

Simon: Yeah, no, I mean, I understand the vendor pressures to do that. And yes, I mean, and I’m sure it applies to academics as much, in fact, I believe we talked previously about the guy who I’d heard speak and he was incredibly eloquent and beautiful. And then I heard him speak again and it was exactly the same gig.

So I guess, you know, there is as much of this in every industry as any other. And yeah, you know, you’re trying to get your meaning across to as many people as possible. There is a risk of hitting the same people more than one.

Desi: So, the biggest issue that I have with conferences, like, I’m now a working professional, so I can afford this, I can factor it in because I work in the industry. It’s now a tax write-off for me as well because it’s professional development at least within Australia, I can.

Simon: Okay. Sorry, I need to figure out. So are you self-employed? No, you’re employed by a company.

Desi: Employed by a company. But any money that I spend on my own training or professional development, I can write off to tax.

Simon: Okay.

Christa: Oh, instead of getting it expensed? Or in addition to getting it expensed?

Desi: So if my work agreed to pay for the conference, like, they’ll pay for it if they see a benefit themselves. But let’s say it was like, not directly related to my work, but it was something that I wanted to do. They might just go, “Look, we’ll give you the time off and you don’t have to take leave. You have to pay for the conference yourself.”

Which I’m completely fine with. The issue that I have is that conferences where they make the student tickets or you are just starting out in the field where you’re not getting paid that much, and it’s costing someone who’s entry level, getting paid 60K a year, that would benefit probably a lot more than I would going to these conferences, but they’re paying the same amount as me.

I kind of have an issue with that in that they don’t get an option to do like a $50 virtual ticket where they can watch all the content or just forego the food, because they might go, “Look, I’ll just make some sandwiches at home, I get a different tag that says I’m not catered for,” and they don’t get invited. Like maybe they can decide to purchase a different networking drinks ticket for themselves.

I think giving the option for accessibility, like, financial accessibility is really important in this kind of industry because we kind of like, talking again about the universities, like, we paywall it. Like, you can’t access it unless you pay for the privilege to look at academic papers that the universities have just had students write. And I feel like conferences are the same.

Simon: That is one of the most valuable things I have found actually about being a university lecturer is that I have full access to the library. I can therefore go and look up academic papers.

Desi: I miss my access that I had.

Simon: It is such a high-value thing. Just correct me if I’m wrong, but DFRWS at least, aren’t all of the videos available online after the fact on Forensic Focus?

Christa: The papers and the videos, yes. Well, the papers are available on the DFRWS website and they’re available at Forensic Science International: Digital Investigation. And then the videos are at DFRWS YouTube and then we do repost them together with transcriptions so that they’re covered.

Simon: So I think DFRWS is the one that is actually breaking the mold a little bit on this one.

Desi: Yeah, that’s good, then.

Simon: And making it accessible. So that’s definitely a bit like, you know, I mean, this was just off before we cut the recording. I don’t pay to go to conferences. I either talk at them and get free tickets or I get in through Forensic Focus, but I do not find that there is enough value in them for me to go to, to pay to go to them.

And I don’t know whether that’s just my stage of my career, but actually I think it’s got a lot to do with the ticket value. I do not see that the ticket value is equivalent to what I’m getting back from them.

Desi: I agree. Yeah.

Simon: But certainly, the barrier to entry for a new person in the industry who would benefit, like you say from going to these things is distinctly high. Even at the student prices it’s distinctly high.

Desi: ‘Cause my favorite conference is BSides and those tickets are like $124 for a two-and-a-half-day conference. But it’s a practitioner conference. So a lot of the talks are technical, like, there are some GRC and leadership talks, but the focus is definitely more cybersecurity general technical talks.

And there are heaps of like, CTFs, both offensive and like blue team CTFs. There’s like a physical hacking village with like, little microcontroller hardware and locks and everything. I think it might have come out of the UK originally, BSides, maybe?

Simon: Yes, it’s one of the conferences that’s running. But again, they sell out really fast. And again, you know, you have to be in there at the right point in time and have those funds available.

I mean, we forget, okay, you know, economic uncertainty aside, the fact that our economy is completely fucking tanked, you know, students do not have 120 quid to spare. That’s, you know, a month’s worth of food for some of the ones that I’ve been in touch with.

Christa: That’s kind of the rub though, is that like, inflation is impacting everybody. So like, the conferences are just going to keep up. Their logic is that they’re going to keep jacking up rates because, you know, the cost of food and the cost of, you know, just space is going to keep getting jacked up.

But then that’s going to just come back on the people that are trying to attend. You know, there’s less incentive at that point to attend. So there’s got to be a balance in there someplace. I’m thinking virtual, I think Desi made that point, you know, at the same time, like a lot of people don’t like virtual.

I mean, a lot of people are talking about like, “Oh, we miss being together so much.” And I don’t know where the balance is necessarily.

Simon: I think it’s an interesting one because it’s always said that actually the value in going to conferences is not so much the actual things, but it’s the corridor conversations.

Desi: Yeah, I’d agree with that.

Simon: So by having virtual conferences, you don’t get that. At the same time, there is no cost incurred in having a conversation with somebody in a corridor. Therefore, the value added here is I’m paying to attend something so I can go and do the little peripheral bits around the side. Perhaps we should just get a really large room and shove everybody into it for a £5 entry.

Desi: One long corridor.

Christa: The alternative though, like, I feel like virtual events, like some of them were experimenting with like, Discord servers and that’s, you know, you could have those back-channel conversations if you were thinking about it, although, you know, I mean, it can be difficult to be doing that while you’re trying to listen to a talk at the same time.

But I mean, you know, there’s no reason, I think DFRWS actually does a good job of this, having the Birds of the Feather events, I think they offer three or four of them at any given conference.

And then, I don’t see why break time, in fact, I think this is something that virtual HTCIA could do a lot better at, is including more breaks into their virtual. I mean, like, two years now their virtual has been back to back to back to back and with no breaks in between.

And I think offering virtual attendees the opportunity to have the Discord chats, whether it’s in a channel or just, you know, one-to-one in direct messages would be really, really valuable.

Simon: Yeah, yeah.

Christa: Just the time to do that.

Simon: HTCIA was actually an interesting example because when those spinoff courses went on, there was just a blank holding screen. I mean, to be fair, you could’ve used it for advertising, you could have used it for a raft of different things, but it was just a blank holding screen.

And I think both of you and I popped up at one point asking each other like, “When does the next one start?” Because it wasn’t clear in any way, shape or form what the hell was going on. So yeah, I think there’s that. I don’t know, I mean, I’ve been to a number of conferences.

I mean, I’ve had a few chats with a few people, but I’m not sure I’ve ever really done anything other than socialize in the corridors, to be honest. I mean, I appreciate mileage may vary. Everybody has their own thing and I’ve enjoyed them.

But, you know, I don’t think there’s necessarily enough value added in it for me to consider that a worthwhile thing over a virtual one. I’m after the content for me.

Desi: So it sounds like, Si, you are on the virtual side of things for conferences. So you are putting your hand up to organize the Forensic Focus virtual conference? I’ll attend from Amsterdam but I’ll jump online when you get on.

Simon: Oh, I appreciate that. So we’ll fly you to Amsterdam, put you up in something near a decent cafe.

Desi: Look, I’m only going to attend because Forensic Focus is going to comp the ticket, otherwise I wouldn’t go.

Simon: No, that’s fair. That’s fair.  I mean, it is a Forensic Focus conference after all. Oh, brilliant. Good stuff. We are going to have to push Jamie for this again, I think.

Christa: I think so, too. If there’s space to talk about some of these issues that aren’t getting talked about in other conferences, I definitely think we should do it.

Simon: I see no reason that we couldn’t say to vendors, “Look, you know, come online to an hour’s slot.”

Christa: But challenge them not to make it a sales pitch or anything like that, like, do something different.

Simon: We’re going to have this online conference. You’re a sponsor, you’re effectively paying for this one way or another, you know, but, you know, we want to hear something different from you. What’s your latest research? What’s this? You know.

Christa: I was going to say give them, give them a prompt, you know, just one question for all of the vendors. Answer this question, but not in a way that is, you know, going to allow them to make a sales pitch.

Simon: Yeah, yeah.

Desi: But we can just make a, like, for sponsorship, like we’ll just have a criteria that they have to meet as well. And if they don’t meet it, then we can say like, come back with something else.

Simon: Yeah, no, I think it’s a good opportunity to do something a bit more exciting and a bit different to be honest, so…

Desi: I’ll chuck it out because a fair few people in my Discord server have been to like virtual conferences, especially through the pandemic. We went to a lot because SANS ran their international conference virtually, BSides ran it virtually. I think of one the cyber cons ran virtually in like 2021.

So I’ll see what people liked about them and maybe we can collect a few things before we solidify anything and kind of bounce what we think will work the best with a virtual one.

Simon: Yeah. I mean, I think we should be, you know, we’re targeting 2023 now, so…

Desi: Oh yeah. It’s not anytime soon I don’t think.

Simon: But yeah, no, I think it’s a great idea. Absolutely. We should.

Desi: You can run like something like the Apple Health data CTF, like, you’d run that virtually, as well.

Simon: To a certain extent we could make it, you know, what do you call it? Donationware effectively, you know, so it’s free to enter. Sponsors put, I mean, cause the overheads are nothing of its virtual, I mean, apart from my beer to keep me sane and your beer to keep you sane and your beer to keep you sane. So, what do you drink, Christa? I mean, I know Desi drinks beer, that’s fine.

Christa: I don’t drink alcohol anymore.

Simon: Do you not at all?

Christa: It’s so sad. I have weird dietary issues that are autoimmune related, and so I’m on a pretty restricted diet and alcohol just irritates the whole thing and so I just stay off. It’s just a damn shame, but tea is my drink of choice.

Simon: One CBD-infused Christa. So, you know, the overheads are nothing or next to nothing. The sponsors can pick up the rest of that. That’s fine. And we should make it, you know, if people want to donate, that’s great because then, you know, it’ll just mean we get to do it more often.

But it’s free entry for any student or anybody who wants to come along and listen in on what other people are saying. So, you know, it is a platform. So, yeah, no, I think…

Desi: Well yeah, the conference would be a huge advertisement for the podcast in general.

Simon: Yeah.

Christa: Yeah. Well, the whole site, really.

Desi: Yeah, the whole site. Yeah.

Christa: But I mean, I think that would, on the vendor side, help with the issue that I’ve been having lately, which is, I mean, I’m responsible for putting all their content up and it’s the same damn stuff. It’s, you know, I mean, it’s good, but it’s so — and Jamie and I have had this conversation as well — that the site is so vendor-oriented right now, other than the podcast, and it drives me nuts.

I would love to be able to do more journalism. I don’t have the headspace for it right now, and you know, I suspect that, and this may not be fair because Jamie isn’t here to defend himself, but, you know, it’s one of those hard to quantify things that we were talking about in Discord this morning that you can’t put a value journalism that pokes at some of the sort of, I guess, things that we all take for granted about the space. And, I don’t know.

Simon: No, I think you’re right. I mean, it is hard to quantify and I think we all agree on that, but I think there is huge value in opinion and, you know, it doesn’t necessarily need to be a controversial opinion, but even, you know, whatever way it goes, you know, something that is more than — picking on Oxygen because I saw the press release recently — you know, “Oxygen has released the new version of XY whatever.”

Christa: I know. Yeah.

Simon: Yay, you know, does it do anything different? No, it does the same old shit, but, you know, it does it with new enhancements. Well, great. Yay.

Desi: Talking about vendors. If we do want to get Heather Mahalik to talk from Cellebrite, I would be very keen for that because she’s one of my favorite lecturers.

Christa: To recap her keynote from HTCIA, yeah.

Desi: Yeah,

Simon: Yeah, yeah, yeah.

Desi: I would be super keen for that.

Christa:  Yeah. Yeah.

Simon: Cool.

Christa: You know, if they recorded it, I wonder if I could get them to send me that recording, because I would love to repost that.

Simon: Well, you know, they were saying that those things were available to people as recordings, so it must be recorded somewhat. Because I asked the question whether they were available, because you remember, I said, “What the hell is that?” And, you know, learning platform or whatever it was.

Christa: Oh, the learning, yeah, yeah, LMS.

Simon: So it should be, Yeah, there you go. LMS.

Desi: LMS.

Simon: Yeah, “All recordings are available on LMS.” Well, who the **** wants that?

Christa: Well, I’m wondering if HTCIA, cause  I’ve worked with HTCIA before and they kind of gatekeep a little bit and I’m wondering if they’re making that content, like if Cellebrite is even able to send us Heather’s talk to use or if it’s completely like, you know, a condition of sponsorship is that they gate it behind the LMS and that you have to be an HTCIA member to get it.

Simon: But I mean, that’s fine. In which case, let’s just get it wrong because she could talk.

Christa: Yeah, true, true.

Simon: And she’s articulate and brilliant and she knew her stuff. So, you know, I think it would make for a fascinating hour.

Christa: Definitely. Yeah. Yeah.

Simon: Cool.

Christa: Okay. Well, I know they have another interview in their package for this year, so I can float that with them.

Simon: Right.

Desi: That would be awesome. Yeah, I’d be super keen, no matter what time that was, I’d get up for it. She did a SANS course back in the day called Advanced Memory Forensics.

Christa: Oh, I knew about her smartphone course, but not about her memory course.

Desi: Yeah. So it didn’t end up getting like renewal because they couldn’t get a GIAC course for it, which pretty much means SANS courses die if you can’t get a cert, because a lot of people won’t do it if it doesn’t have a cert, which is dumb because it was a really good course. Yeah, it was really good.

Christa: Well, why shell out all that money if you’re not going to get a certification?

Desi: Yeah, it’s a shame. I learned so much about Windows and memory forensics from that course.

Christa: That’s cool.

Simon: But the issue is when you’re being sponsored by an organization, isn’t it, is they want to see something for their money. Learning for the sake of learning is not…

Christa: I was thinking that actually when you were talking about your intern where, you know, the aptitude test thing, it’s like, you know, I was thinking as you were talking about the aptitude test that like yeah, of course they’re going to do that. It’s easier for somebody else to measure rather than, you know, assessing her for her actual skills.

Simon: Yeah.

Desi: I thought about that aptitude test, as well. Like, that would actually probably rule out a lot of neurodiverse people if they were bad at taking tests.

Christa: Yeah, yeah, for sure.

Simon: The system is rigged. Let’s just leave it at that. The system’s rigged. Fine. End of podcast, cancel record. It’s neither fit for purpose nor unbiased. You know, the ability. And again, you are just testing like the multiple guess questions.

Desi: Memorization.

Simon: Memorization or your ability to pass an aptitude test. That’s it. That’s all you’ve tested. You haven’t tested actual latent ability. You haven’t tested problem solving. You haven’t tested any of those things. Contrary to whatever the psychologist who sold you the test is telling you, you know, it’s not.

You need to talk to someone face to face and have a conversation with them and throw a problem at them that you’ve faced and see what they deal with it like. And if they’re doing it the same way as you’ve done it, either you are both wrong or they’re a great candidate.

And I’m not going to say which, cause it could go either way. But the thing is that, you know, it’s daft, this, you know, and yeah. There are just too many people applying for too many jobs and not enough people to manage it, I think.

Christa: Yeah, but nobody wants to work anymore, Si.

Simon: No, no, no. That’s the one. It’s going back to triage, isn’t it? It’s like triage is admitting that we can’t bloody cope with the amount of data we have. And aptitude tests are admitting that we can’t bloody cope with the fact that we have more people applying for this job than we could cope with.

And thus it’s a stupid filter at the beginning that may well rule out the best person for the job instantaneously or may discard the critical piece of evidence because it wasn’t discovered in that first triage piece.

You know, it’s that problem, isn’t it? We need to do something different. Innovation, let’s figure it out. Let’s have a conference.

Christa: Absolutely.

Desi: Yeah, that’d be cool.

Christa: The thing I love about DFRWS though, I mean, the first time I ever went to one of their conferences, and it was a virtual one because it was right after the pandemic started, I was blown away by the content because it was so novel. It was just not your typical forensics conference that I had attended in the past.

And, I think maybe, I don’t know if it’s going to be always that way, but it seems to me after having attended a number of them in the last couple of years, that the research is always building on other research.

I mean, there’s always something fresh. I mean, it might be, and I can think of a couple of talks that they’re the same foundational content, but because the researchers are, you know, spending the next year building on it, they always have something new to report it back.

And that’s the really interesting thing about DFRWS that, again, I think some vendors are good at doing that, as well. But it really does come back to that research, you know, that constant newness.

Whereas, I don’t know, with products, especially in this space as tightly packed as it is, I feel like, and I worked in marketing for seven years, I feel like everybody’s so focused almost on competing with each other. I feel like the vendors just focus on this very narrow sort of line of features or needs that they’re seeing in the market. And there, I don’t want to say, there’s not innovation, but…

Simon: Well, you know what, I’m going to call you on that.

Christa: Please. I’m not in this space, right? I’m not, I’m not.

Simon: Is there innovation? There is “We now parse this thing, we can do this a bit quicker.” That’s iteration, not innovation.

Christa: True. And no, I’m thinking in terms though of things like digital evidence management, right? Like, you’re going to be able to store all of your data in the cloud and make it interoperable with other like, you know, things like the CASE Ontology, which is something that I think the vendors are starting to build on. That is innovation.

But I think it’s hard to tell what innovation actually is until you’re a few cycles in and people are starting to pick it up and use it and, you know, then it’s, I mean, I don’t feel like you’re able to tell if something is truly groundbreaking until it gets uptake in the community, so…

Simon: And, you know, I mean on the basis of this and one of the talks that was at, uh, HTCIA was given by Detego. God, I hope it was Detego because I’m about to credit them for it.

Desi: Hey, listeners, how’s it going? I just wanted to jump in here quickly. Si did get it wrong. It wasn’t Detego, it was a company called Cyacomb. The speaker was Alan McConnell, who is the head of customer success, talking on prioritizing time-sensitive investigations with rapid digital triage. Enjoy the rest of the show.

Simon: And they were talking about doing block level hashing, okay? So, normally we look at a hash for a file for identifying whether that file is complete and we have a set library of hashes for certain things like IIOC, so I’m pretty sure everybody in the industry knows what IIOC is, but indecent images of children.

Desi: I didn’t know that.

Christa: That’s more a UK term than it is a US.

Simon: Is it? Yeah. Oh, okay. Indecent images, okay? But we have a set known of hashes for files that have been seen before. And mercifully, I’m glad to say there’s quite a lot of re-sharing of existing images. So it’s quite easy to pick them up, which is great because you’ve got the hashes for them.

But that hash is an entire file. So if you have something like a partial download, it won’t match, okay? So you’ve got this issue.

What Detego are suggesting is that we hash, and they’ve got a product that does this, is that we hash on a block basis. So every block has a hash, and they’ve got some funky algorithms in the background that they didn’t want to talk about, which is fair because, you know, commercial interests and all that.

But essentially, they’re going to look at the entirety of the disc and look at the hashes on a per block basis. And therefore we can get fragments of files much better and we can deal with this.

And they were doing it in a very clever way, which was actually not starting at the beginning and going to the end, which if you’re doing on a block-by-block basis and attempting to do a comparison over a 1TB disc is a nightmare, would just take bloody ages.

They’re doing a dip sample, they have a way of doing a statistical sample across the disc that has a high probability of detecting known hashes, which is great. And then when they find one, they’ll look around it and find other things and match it out.

And as I’ve previously discussed, this is a triage tool because if you run it two times in a row, you’re not necessarily going to get the same results. But if you come across a disc, you can identify that that disc does contain some of the material that you want to deal with.

And this is a novel approach. This is nice. This is something that is new and I think would be of interest to roll out more and talk about more. And in fact, I think we have a Detego interview coming up, in which case I will be pinned in.

Christa: We just did it.

Simon: Did we do it?

Christa: That was Andy, yeah.

Simon: Please cut that. Anyway.

Christa: No, it’s all good.

Simon: The joys of editing.

Desi: None of this is getting cut.

Simon: Oh dear God. These weeks are flying by at the moment. Right. So anyway, but this is a new, whilst it’s not using new technology, it’s actually applying it in a different way, which is nice. And it’s nice to see that somebody in the industry is actually doing something new. And, you know, I’m excited to see where that goes.

But, you know, some of the other talks were distinctly, yes, and I’m sorry, I apologize, hopefully this won’t be clear who I’m picking on, but, you know, “These are the artifacts that we’ve found, these are the things that we’ve done with them, these are the things and this is what our product can do.”

It was nice again to hear, and apologies, link will be in the notes as to which talk it was about, but there was a lady who was talking, who was saying, “We must verify our stuff properly. We can’t rely on a single tool to check our results.”

Christa: I think that was Heather from Cellebrite. That sounds like her.

Simon: That was a very, very good talk and very interesting. Actually, you and I were chatting during that one ‘cause we were both listening to it simultaneously. I was listening to that in the car for half of it. My daughter was alongside me and she found it fascinating as well, which just goes to show, you know, if you can get a 16 year old onboard with a talk, even if it’s technical content, you are delivering a great talk. So well done.

Christa: Yeah. Women in digital forensics.

Simon: Yeah, that was fantastic. But yes, we must verify and yeah, perhaps it’s not novel, but at least it’s not a sales pitch for a given product. In fact, Cellebrite will probably take her aside and reeducate on the basis, the fact that she was suggesting we should be using other tools.

But, you know, the idea that we should be verifying our results in forensics is incredibly important. So no, I thought that was a very good talk as well from the HTCIA.

Christa: So I’m curious, you know, we’re talking about innovation and who’s really truly innovating. Desi, what did you hear at Asia-Pacific DFRWS? I mean, was there anything that stood out to you there?

Desi: Yeah, so, actually one more gripe before we move into what I found was good. One of the presentations done was a standard kind of ransomware, this is what happened to the client kind of thing. They did not sanitize their images correctly and I successfully guessed who their client was who got hit by ransomware and paid the ransom.

So anyone who is listening that’s doing a presentation, please make sure you sanitize your images because it’s not that hard to figure out who your customer is. I figured it out based on their password, which they’d left in the pictures, which had their company name in the password, so….

Simon: Also, really, really bad practice on passwords, people. That’s terrible.

Desi: Yeah. Bad for the IR company to do that though, as well. So, the rest of my notes are all great notes from the conference. Day one was more workshops, then kind of the paper presentation.

So the way it was structured was day one had two streams in different rooms and they were kind of all workshops, all day, kind of three hours a piece. And then day two and day three were blocks with students and even professors and doctors just doing presentations on their research that they submitted papers for.

So day one, Hansken came in and presented on digital forensics as a service, which I thought was really good to see the presentation. They bought a sales representative to do some pitch, but they actually let one of their lead engineers do most of the talk, which kind of makes sense in a more academic conference.

But it also makes sense, and this is a shout out to vendors, if you’re going to sell in a conference, you should take an engineer with you because you will get technical questions. And if you can’t answer it, anyone who’s looking to buy it will just immediately go, “These guys don’t know what they’re doing,” whether your product’s good or not.

Because that happened at the conference that I was at this week, when I was asking what people’s products would do and they couldn’t explain what it does which was just mind blowing that they couldn’t do that.

But Hansken’s was good. If anyone knows Nuix workstation, it’s very similar to that product, but it’s less commercial. It still has commercial backing from what I understand, but it’s funded by the government and academics like universities. And it is, I would call it a semi-open source.

So once you buy into the ecosystem, you have access to the community. You might not know who in the community is who, but you can develop scripts, I think Python-based mostly, which work with platform deposits data in a certain way, if the platform already doesn’t do it, and then you can share that.

And that’s not just like parsing data that could be like correlation rules. If you have certain artifacts that link up for your investigation, you can write a script that will try and pull that out for the digital forensics investigation.

Christa: So I’m curious about something as you’re talking, because I’m familiar with Hansken. I’ve talked to Harm. I think we have an interview with him on here. But it’s always struck me that it’s been more for a law enforcement audience. So as somebody that’s working in the incident response field, like, do you see value for IR?

Desi: Not IR. I would say in things like business email compromise, financial fraud investigations, which often gets lumped with IR companies because that digital forensics piece, most IR companies have grown out of digital forensics, right?

So with the advent of ransomware, that’s how they’ve started making all their money with the work that they’re doing for everyone. So when they say they do DFIR it’s usually business email compromises.

And even in ransomware jobs when you’re trying to figure out what data’s left the network when you’re processing quite a large amount of information and you need to parse through the files to figure out what’s in it that might be exposed for individuals.

So, Hansken’s platform, and this is something that I would’ve used Nuix Workstation for, but Hansken’s platform, we use that as well. So while they do target for policing and that side of digital forensics, I think it’s the fact that it pretty much does the same thing, but it has that community, as well.

And the scripting language is supported, could be quite useful for incident response companies in those kinds of situations. So I think it has a lot of use. It’s not something that I’d seen in Australia before, so it was really good to have them come out and do that talk.

And it might be something that we can do a deep dive in on later on Forensic Focus, because I think it’s a good product for DF and IR. So yeah, it could be really valuable.

Christa: Awesome.

Desi: Yeah, so that was day one. The other stream was a talk on Velociraptor, I think. So they did a session with that. Mike Cohen, who’s the creator of Velociraptor, he’s done work with Google Rapid Response in the past and developed that.

I didn’t go to that, that’s a program that I’ve used in the past for incident response. It’s an incident response tool. And they’ve got some really good training on YouTube and they are now under Rapid7. Rapid7 bought them out. A really good product.

Like, there’s not much like it on the market in terms of incident response and it’s open source, completely free, how he makes his money is he does the training side of things, but if you are savvy enough, you can kind of just get it and run with yourself.

So, less digital forensics. It does have an audit platform, so if you’re running it live in your network and you’re pulling stuff back, it has all the auditing so you can trace what’s happening. But just know that it will run parses on the end points.

So it’s not going to, and I think digital forensics is slightly moving away from that. If it’s auditable, probably not in a policing sense, but definitely in an IR sense, like, as long as you can track what’s happening in the environment, it’s kind of going that way.

Simon: It has been an interesting trend that I’ve seen in the UK courts that actually if you can explain what the hell is going on and it is audited, then yeah, it’s a lot more accessible and a lot more admissible than it has been in the past. Even to the extent that, you know, people can cock stuff up horribly.

Is there a polite way of phrasing that? No. They can monumentally make a mess of it and actually as long as you can decouple what they’ve done wrong, you can still use the rest of it as evidence as opposed to just saying, that’s now corrupt and useless.

You’re at the point of saying that, you know, this stuff here is still untainted and we can run with that because there’s that sort of level of understanding. So yeah, I think it’s probably got, you know, a good auditing platform is a great thing.

Desi: So where Velociraptor really shines as well, I think particularly in the DF sense is if, like, let’s say you were in a corporate environment and for whatever reason, policing was interested in something, one of the papers on day three I think was on Google Meet and the artifacts that it drops into memory, which like, they did a really good job at researching it, but they didn’t kind of define the timeframe that it was still in memory after a certain, cause it would be pushed out eventually.

But with something like Velociraptor, like, if you knew someone was using Google Meet by using an EDR or another platform and you wanted to kind of monitor that, Velociraptor has the ability to parse memory. It’s expensive, so you wouldn’t do it across a fleet, but you could target certain kind of endpoints.

So if you were doing a fraud investigation, you had no other means you had Velociraptor rolled out, that’s like, I guess an example of how you could do some surveillance I guess on an individual that’s been identified within the environment.

Simon: No, that’s cool.

Desi: Yeah, that was really cool. I think, looking at the program, what else was on?

Simon: Well, Matthew was talking, wasn’t he? ‘Cause wasn’t he sponsored?

Christa: Yeah, that was another workshop that was…were you able to attend that one?

Desi: Which, oh, was that the….

Simon: iOS artifacts. Sorry, not iOS, IROS.

Desi:  Yeah, so Matthew and Luke Jennings ran the Apple Health Data workshop. I wasn’t able to make that one. And then the one night that they ran it, and this was already like identified by them, but so they ran it on the Wednesday, I think.

So the conference ran Tuesday, no, sorry, the conference ran Wednesday, Thursday, Friday. Wednesday afternoon was the training, Thursday night was the rodeo. So they started the CTF on the second day and they said that they should have started it on the Wednesday night after the training.

And I couldn’t make the Thursday night, so I missed the CTF, but I did do it on the weekend and it was really good. So if anyone gets a chance to do that, Apple Health Data CTF was a lot of fun. I’d try and do it as a team. It took me like all weekend to get through all the questions, that, or I’m just not very good at SQR queries, which is true.

Simon: So have we got a link to put in the show notes here for that?

Desi: Not the CTF. We can link to, I think the talk that they did for the training. But if you do want to do it, he’s taking it kind of on a road show to a lot of conferences, so if it’s near you, definitely check it out or I think he was happy for people to reach out.

You just kind of have to agree with some of his rules, which was like, don’t publish his address, tell him if he’s got a health condition that you figure out through his data. And there was one other thing that he had, but, there’s like a PDF that you can sign in and stuff. So, I think he was happy with that.

Yeah, that was really good. A lot of fun. There’s a lot of research that they went into because I had a good conversation with him and Luke afterwards, ’cause I provided some feedback on some of the questions.

But some of the ones that I couldn’t get were just, they explained the research that they’d done behind it after I’d finished it. And, yeah, there’s a lot of work that’s gone into it and how much it’s changed over the years like he was saying in our last meeting that we had with him.

The other thing on day one that they spoke about was the Sydney Declaration. Which was kind of, it felt like just they were redefining DFIR again. There’s was kind of just like a lot of academic work that had gone into talking about what exactly digital forensics is and how it sits within, I guess, the ecosystem of the legal system.

So, rather than they were explaining how it’s currently in like pillars, so they don’t really consider digital forensics to be part of forensics, I was sitting there and I was kind of like, “Yeah, sure. Like, that makes perfect sense. Like that’s common sense really.” But I guess anyone who’s in a legal profession might disagree with me and kind of say that’s not how things are and that kind of thing.

Simon: It’s an interesting one. I think the thing is that a number of countries have defined it in a number of ever so slightly different ways. And then, every country’s legal system is ever so slightly different. And therefore, you know, a single source of truth for a given country has value. It would be lovely if we can hit a universal definition at some point in the future, but I think I can see the value in it.

Desi: I think that’s what they’re aiming for. I think that’s what this Sydney Declaration is. So there is a conference because apparently you need a conference for everything. But it’s IAFS, and it’s going to be held in Sydney in 2023.

So we’ll put that in the show notes as well if people are interested to kind of follow that along. But yeah, it was an okay talk, but I was kind of just like, I don’t understand why we need this because it just seems like common sense, but there’s obviously a gap there.

Christa: I know. I’m wondering how much of that shifting definition or those different definitions as the result of, honestly, I’m going to pick on incident response a little bit, but, you know, things like, no really, I mean, it’s because not everything that you do or that a practitioner does is going to end up in a court of law or potentially in a court of law.

And so, you know, I feel like especially with incident response, the techniques evolve very rapidly to respond to threats and that alters the nature of digital forensics so that some of those techniques, it seems to me — a non-practitioner — end up in other quarters.

Or at least the definitions end up in other, you know, as more research has contributed from the incident response field into the broader field, kind of morphs, really, the definition, that impacts the legal definition. And so, I don’t know a way around that, because I think it all has value, but obviously, you know, lawyers need something that’s a lot more concrete than what I’m describing, so…

Desi: Yeah, I think one of the examples they used as well was just even just technology increasing so quickly. So, like, all those issues came, I can’t remember the example exactly said, please no one quote me on this, but they were using the example in Queensland. Apparently there was something wrong with the DNA testing lab and that caused a huge problem within the legal system in Australia.

But it was just someone not understanding the definition or something, and that the lab just did what they were meant to do and then people were interpreting the results wrong or something. So they were saying…

Christa: They were back at standardization discussion.

Desi: Yeah, yeah, yeah. Standardization. So then they were talking about like, DNA has been around for 20, 25 years, 30 years now. Like, early nineties I think was DNA testing.

Christa: Sounds about right.

Desi: And that is still, like they’re saying that’s got problems, but digital forensics and technology has advanced even so much in the last decade. And they were saying that digital forensics practitioners and even in the legal side are more open to saying that there are issues and that they try and fix them.

Whereas technologies that have been around for 30 years, they’re like, “Nah, it’s fine. We just patch it and we move on and we don’t really try and fix the problem.” So yeah, something along those lines was kind of like, Sydney Declaration, but yeah. Interesting.

If anyone’s interested in digital forensics and the legal side of things, definitely check out IAFS 2023.

Simon: Yeah, I’ll see if I can fly to Sydney. I’ve always wanted to go, so that’s fine.

Desi: That would be good, yeah.

Simon: Yeah, I’ll meet you there.

Desi: Yeah, I’ll buy you a beer.

Simon: Excellent. Good. It’s the £2000 plane ticket that I now need to worry about now the beers have been paid for. Oh, good stuff.

I think, you know, I can say, legal and digital forensics, you know, being an area that I operate in a lot is getting a common language with people who have spent, you know, their entire lives doing law degrees, then practicing the bar and learning all of the legal side of things, who can barely, the amount of work that I end up doing, which is, “Could you rearrange this Excel spreadsheet for me?” Is quite disturbing in a certain way.

I mean, billable hours, so it’s not that disturbing, but, I mean, I had a query come back from a solicitor that was like, “Why does the data in this spreadsheet not match the data in the jury bundle?” It’s like, well, if you expand the cell to the left, you’ll be able to see that all of that data is actually there.

So, you know, there is definitely a discrepancy between what we term as common language and what they term as common language. Perhaps some documented definitions of certain things would be advantageous. So I’ve definitely got time for that. That would be fun.

Christa: That actually is, I just thought of the question like, as the UK is standardizing on ISO 17025, like, what are they doing for the lawyers? You know, is there training in helping them understand what it means and how to work with the standardized labs?

Simon: No. And the thing is the ISO standards, whether it’s 9001 or 27001 or whatever, they are more or less a standard of documentation, a standard of reproducibility. You know, is your lab in a fit state to handle this? Have you sanitized everything before you do it?

It doesn’t have anything at all to do with interpretation. And actually this is a loophole that I kind of operate under because I personally am not an accredited lab. I do not have an accreditation. I am not ISO anything. I’m an ISO auditor, but I’m not ISO anything.

And the thing is that I am asked to interpret results that have been collected by other people. And that gets me off the hook. They collect them properly, I can interpret them. And there’s a big difference between those two things.

Solicitors are aware of the fact that if a lab isn’t accredited, then you have the right to question, has this been done properly? But you do not have to be accredited to do something properly. You know, people have been doing it properly and continue to do it properly without accreditation. And the fact that you are accredited also doesn’t mean that you have done it properly.

Christa: No, I know, but like, I mean, the point is did the attorneys have the language to ask those questions? You know, is it, you know, do they know what questions to ask? That’s what I’m curious about.

Simon: The honest answer is no, I don’t think so. I don’t think they do. I don’t, and I don’t mean to be disparaging to lawyers in any way, shape, or form…

Christa: Well no, it’s just that they don’t get this training in law schools. Where do they get the training from and where do they get the opportunity to get training also?

Simon: You know, it is a matter of, it comes to an expert and they hire an expert witness, prosecution or defense. Well, ideally it’s the defense that’s getting it and they get to call out whatever’s been done on the prosecution side.

So, you know, I do predominantly defense work, we talked about this previously. I will examine what’s been done and whether I feel that that is fit or not. I personally am not, I’m less bothered about whether they’re ISO-accredited or not than whether they have documented what the hell they’ve done.

And if they can demonstrate that they’ve done it in a fit and standard way, I’m not going to be like, “Well, you haven’t got ISO accreditation, therefore we should throw this evidence out the window.” You know, that’s ridiculous.

So, it is a matter of lawyers being knowledgeable enough to know to ask somebody who knows what they’re talking about I think is the honest answer to that. And that’s the way it should be.

Desi: It should be them building a trusted network to be able to provide law in any situation, really. Similar to how medical professionals, like, they know what they know, but if they find out someone’s got cancer and it’s just like you’re going to see a podiatrist, they’re not going to try and diagnose cancer. They’ll send you to a specialist, the expert who knows exactly what to start looking for and that.

So, yeah, I guess lawyers need to build up their own network for that. Which I guess is that the expert witness or the SME that you would call in during a court case, but you would hope that just generally they would have someone early on to go, “What kind of questions should I start asking in this type of case”

Christa: I think part of the point of accreditation isn’t it, is to have that credibility to make it less of an effort, I guess to find those experts to talk to.

Desi: I still think having your own trusted network built up, cause again, like, accreditation is similar to like ISO accreditation, like all that’s saying is that you’re meeting a minimum standard.

And so there are a lot of issues with accreditation. Even in the cyber industry, there are more uni courses coming out now and, like, Si’s courses, which I like the sound of because it’s built on a computer science background, but a lot of them aren’t. They’re just like general cyber courses.

So you’re coming out with a degree, doesn’t really mean you know anything about cyber. And similar to accreditation, like, I’ve got a whole bunch of accreditation that I got like six years ago that doesn’t expire because the cyber industry’s not really regulated that much. So again, that’s a big issue.

Simon: I mean it’s like, you know, I’m going to say, cyber as a whole is bad at this. Forensics is worse and IR as well, because we don’t really have any industry recognized qualifications for it. I mean, I have a CISSP or, I can’t remember how you pronounced it, Desi. We talked about this the other day. C-S-P, there you go.

You know, I have one of those I sat that, oh my god, how old am I? I sat that about 12 years ago. I’ve had CISSP for 12 years. 12 years ago I sat a 300-question multiple guess thing. And it’s supposed to be a six-hour exam. I finished it in two and I went to check my answers and said, “Sod this. I’m going,” and left because, you know, that was it. That’s fine. I had enough with it.

That accreditation, that certification, apart from my annual, CPD points, which, let’s face it, are not particularly hard to build up by attending conferences and, you know, doing podcasts and various other things that can build up CPD points.

Desi: I can get CPDs for this?

Simon: Yeah, you can get CPDs for this. It’s published work. There you go. Free for you.

Desi: Here we go.

Simon: Yeah. You know, that sort of thing. Teaching, I mean, you know, I got paid to teach courses at university. That’s so many CPD points. Great. Does it mean I can remember a single question on that? No, I haven’t got a clue. I couldn’t remember my CISSP to save my life.

Yes. I’ve got, you know, a significant amount of experience since then that I’m probably reasonably well qualified, but the actual qualification itself proves nothing now. And we don’t even have that in our DF or IR. No sort of industry-based level of, I mean, the SANS courses are good, but they’re a course. I have passed a course, they’re not, I have continued to develop and go on with the changes in the industry.

Desi: And you could, you could argue as well, like, I think the SANS course themselves are really good, but GIAC, which is a separate organization that runs the certifications for it, like you said, Si, a multiple guest quiz. Like, it’s not proving competency, it’s proving that you can memorize the content that was in the course that you just did. So it comes down to taking that and practicing it.

Simon: Yeah. One of my former students has just applied for an internship and I won’t name her because I haven’t got her permission to do so, but we were talking about it and she was saying that, you know, she’s applying for this internship and she’s feeling that she’s going to get some sort of automated aptitude tests thrown at her.

And I was like, “Well, you know, I think this is ridiculous. This is an aptitude test. It doesn’t show that you know where to find information. It doesn’t show how you know how to process information or construct an experiment or do any of these things. It’s not a reasonable test of your capability to do this job.

“You know, I’ve seen you in the classroom environment, you’re competent, articulate, technically savvy, and you can problem solve.” And interviewing is the only realistic way of determining somebody’s thing.

And actually,  I think that’s where the legal system and the expert witness thing actually comes to fruition is that when you’re standing in court, if you actually make it that far, it becomes immediately obvious when you’re standing on the dock, whether you know what you’re talking about or not.

That is your accreditation. You know, to be recognized as an expert by a court is more valuable than, and also an adversarial examination is more valuable than, you know, having a certificate mounted on your wall from 10 years ago, like my CISSP.

So I think the industry needs a bit of a shake. We talked about this, in fact, I think it’s coming out next week, which will now be several weeks in the past by the time you listen to this. But anyway, you can go back and listen to Desi’s and I’s conversation about certification in the industry. I think it’s a problem. I don’t think that we have adequate certification or adequate standards set. It’s an issue.

Christa: So we’re at the top of the hour, so I’m actually going to bring this back to the events that we attended. I’m sitting here as you’re talking thinking, why don’t we talk about this stuff at these events? Or, you know, have these conversations at these events or bring these issues into the talks at the events that we attend?

Desi: I was just going to say this was really interesting because I did attend CyberCon this week, there was some flavor of digital forensics for some of the talks. So, three days, 21 streams per day. It was massive.

And I managed to get to some of those and it went from kind of like, really technical talks to leadership to what I spoke to you guys about, like neurodiversity. They started talking about that at the conference and they had neurodiverse people up there in a panel talking about it.

Christa: And I just want to point out that all the tangents that I’ve gone on in these conversations and it’s an extremely ADHD thing to do. So, you know, totally with you there, we will have that conversation at a later point. Anyway, please continue.

Desi: But they did a really good job. I thought of covering some of this stuff that we are talking about. And about certifications and about where our industry’s headed and, they had like think tank workshops where people were who, because you had like, CISOs attending these events.

So you’ve got think tanks where they’re able to come together because they’ve managed to get some time to get this conference to all come together and talk about that kind of stuff. And also just the networking in between that you get to talk to all these amazing people that are so much smarter than I am about this stuff.

And I think, bringing it back to DFRWs, and they’ve talked about doing reviews of technical blogs and I think this is the weakness that DFRWS has with the academic world is that it’s not necessarily linked with the industry as well as it could be.

And it’s lacking in the current trends and the current problems that they have. And they’re kind of just like, the research that they do is great, but I think they need to just be aware of the broader, where their research is going, particularly in a field where it is developing so quickly.

Like, they’re not developing DNA testing methods in academia. They’re developing tools that could be used in industry as soon as they’re developed. And they would have a community that would help maintain it and develop it and push that research even further than where they started.

And I think like, shout out to Richard Matthews, who he did two talks on the last day. So he’s, I think one of Matthew’s PhD students who might have his PhD or he’s pretty close to finishing it, but really smart, great presenter.

And his research, and we’ll post the links to the research, but his research seems to be targeted towards current problems in the industry or have real world use cases, which I thought was really good.

So he’s going out and saying, what’s a problem that I can solve that I have time to research that will help people now? And I think that was really valuable. And he was engaging with industry or people who needed his research to use it as soon as he developed it, which I thought was great.

Simon: Yeah. I think there’s an interesting sort of lump in the academic to industry link, which is that the copyright to all academic research belongs to the universities and therefore universities aren’t necessarily, I don’t want to, you know, to say this is an absolute truth, but I don’t think that they’re necessarily being productive with the IP that they own in moving it forward.

There are certain universities that are really, really good at it and there are others that are less so. But yeah, there’s been some fantastic academic research that should be being pushed forward and it’s just basically stagnating, for want of a better word.

I think that’s an interesting problem. I mean, I think, you know, if Jamie’s going to listen to this one, you know, we did a Forensic Focus conference. Were you aware of this? We had a conference.

Christa: I was not aware of this. This must have been before my time.

Simon: Yeah, it was very, very early on in my time with Forensic Focus and it was a conference in Amsterdam and we ran it over, I think it was two days.

Desi: Yes, please. Let’s do that again.

Simon: Yeah. Jamie?

Christa: Don’t make me organize it.

Simon: Well, this unfortunately was what Jamie said was, “I’d love to do it again as long as I don’t have to organize it.” But perhaps, you know, perhaps we can consider that, you know, if we want to see change, maybe this is something that we can do. I don’t know.

Christa: Yeah, yeah, yeah.

Simon: He says, speaking above his pay grade.

Desi: Yeah. Virtual conference, $200 a ticket, you don’t get any food.

Simon: Yeah, that’s it. Absolutely. Anyway, thank you very much, both of you. Christa, you haven’t prepared anything so I will quite happily do the outtro. Please, ladies and gentlemen, boys and girls, friends and enemies, we are now at the end of our time and therefore, you can find further information and other recordings of our podcasts if you haven’t been put off by this one on and on Spotify and on Apple, whatever the Apple Podcast player thingy is.

Please leave comments, we’d love to hear from you. Genuinely would, otherwise we don’t know what it is that you are interested in hearing about. It’s been a pleasure talking to you both. Thank you very much and I look forward to doing this in the near future again.

Christa: Yes, we will talk soon.

Desi: Thanks, Si.

Simon: All right. Cheers.

Christa: Take care.

Leave a Comment

Latest Articles