±Forensic Focus Partners
|New Today: 4||Overall: 36595|
|New Yesterday: 5||Visitors: 100|
Forensic Focus PodcastBack to top Back to main Skip to menu Home > Podcast
Joe Walsh On Private Browsing Data And Teaching Digital Forensics Online
Today we're welcoming Joseph Walsh, the director of the Master's of Criminal Justice program and an Assistant Professor of Computer Science and Criminal Justice at DeSales University.
Prior to joining the department of Computer Science and Mathematics at DeSales, Joe earned a Master of Science in Information Systems with a concentration in Cybersecurity; a Master of Arts degree in Criminal Justice with a concentration in Digital Forensics; and a Bachelor of Science degree where he majored in Information Systems with a concentration in Security Administration.
Joe is currently pursuing his PhD in Information Systems with a concentration in Information Assurance and Computer Security. He has more than fifteen years of experience working with computers. A police officer for twelve years, he spent several years working as a detective investigating crimes involving technology and performing forensic examinations of electronic evidence.
He has attended over 1,000 hours of training and holds sevearl interntionally recognised qualifications. He has testified in court numerous times as an expert witness.
Joe's teaching and research interests include digital forensics, cybersecurity, and the Internet of Things, some of which we'll be talking about today. Joe, welcome, happy to have you on the show.
Joe: Thank you for having me.
Christa: Today, as I said, we want to talk about a couple of things. First there is your research that you presented at the Techno Security and Forensics conference in Myrtle Beach a couple of months ago; and then also we'd like to hear more about the Master of Criminal Justice degree program that you run at DeSales.
Christa: Great. So let's start with your background: what initially attracted you to information systems security and digital forensics?
Joe: I was always interested in computers and technology: I started building computers when I was about 10. So I decided to major in computers in college. And then I actually took a kind of interesting side path and got involved with law enforcement as a police officer, which was not my initial plan; and then I had the ability to work on investigating computer crimes and receive training in digital forensics, and that’s how I got into the area.
Christa: Right. So tell us more about your law enforcement digital forensics career: what was your most memorable case that involved digital forensics?
Joe: Yeah, absolutely. So I worked as a county detective, and I was part of the Internet Crimes Against Children task force and was also on the FBI’s child exploitation task force, and a lot of the work that I did focused around crimes against children. But also, I conducted digital forensics for a wide variety of cases — everything from harrassment to homicide — and basically, we worked on anything with an on/off switch: computers, phones, tablets, any type of media.
And I guess the memorable cases… one case we had, we rescued a very young victim who was being abused by her father, so it was really nice to be able to actually save someone from that active abuse, and that was probably one of my most memorable cases, because of the level of horror involved in that particular case.
And kind of just a funny memorable case was a little bit less serious, it was a harrassment case, and the suspect had done a Google search for “Can the police recover my wiped hard drive?” So, as you know, police cannot recover the wiped hard drive; however, this particular suspect had only formatted the hard drive and he did not actually wipe it, so we were able to recover all of the evidence, including his Google search for “Can the police recover my wiped hard drive?” So that was probably one of my most memorable amusing cases.
Christa: [laughs] And that’s actually a good lead-in to my next question, jumping into your research that you presented at Techno. Because you did talk about browser activity, specifically private browser activity. Can you quickly summarise the results and takeaways from that research?
Joe: Yeah, absolutely. So that started with a fraud case that I was working on, and the evidence that I found was all from private browsing. And I thought that was very interesting, because obviously we would generally believe that private browsing activity is private and we’re not going to be able to recover that. So I was kind of surprised by that, and I wanted to do some more research in that area, so I decided to take a look at six of the more popular web browsers that are out there, to try to determine exactly how much evidence I could recover from that browser.
I took a look at Brave, Chrome, Microsoft Edge, Firefox, Microsoft Internet Explorer, and Opera. And basically what I found was that most of the browsers all did a pretty good job of not leaving data on the hard drive or the storage device, with the exception of Internet Explorer. Internet Explorer basically writes everything you do to the disk.
The other browsers, to give you an example, the number of artifacts I found, all of the other browsers were under 25 artifacts for data found on the hard drive; and Internet Explorer was 898. So it was a significant finding there, that Internet Explorer is basically not secure as it comes to private browsing. And Microsoft Edge was only seven artifacts.
So certainly, they have fixed the issue with Microsoft Edge, but as Internet Explorer is still out there, people need to be aware of that, and examiners need to be aware that they might be able to recover this data that maybe they thought they couldn’t.
The other interesting thing was the amount of artifacts that were found in RAM, or Random Access Memory. A lot of the artifacts were found in RAM, even after the browser was closed, so it’s really important for examiners to consider doing a RAM capture and analyse that RAM, because if they don’t do that, there’s a pretty good chance that they’re going to lose that evidence, because it’s not going to be on the hard drive.
Christa: I remember you saying the potential ramifications of that later on, if that case happened to go to trial.
Joe: Yeah, definitely. I think that a defense attorney — we’ve all heard of pulling the plug, right? — you walk into the crime scene, you pull the plug on the computer, and that was the standard operating procedure; but I think a defense attorney could walk into court and argue that you, as the examiner, by pulling the plug threw away 8GB or 16GB of data, and they could argue that that was exculpatory data that could prove that their client is innocent. Viruses that only exist in RAM, for example; or really, any other information. So we want to think about doing that RAM capture to avoid destroying evidence, and being accused of destroying evidence.
And then, of course, to be able to get all of the data that’s out there.
Christa: Right. So tell us a little more about the research itself: how long did it take to plan, and then to conduct and write up, and were there any challenges that you found you had to overcome?
Joe: Yeah, definitely. It took probably about six to seven months, from start to finish. The planning piece involved determining what type of artifacts I wanted to put into each browser, and then setting up a virtual machine. So I basically set up a virtual machine for each browser, to avoid any type of cross-contamination. Basically, what I did was set up a browser to be tested in each virtual machine: so a VM for Brave, a VM for Chrome, and so on. And then what I did was, I put the exact same evidence on each of those virtual machines. So there was some planning on what type of artifacts I wanted to place there.
And then once that was done, I did the RAM capture and looked at the evidence on the virtual hard drives for those machines. And what I found was, when doing keyword searching, some keywords already were pre-installed with the Windows data, so I had to edit my keyword list to avoid those keywords that were already on the machine, so that we didn’t end up with data that was inaccurate.
So that was one of the challenges. The other challenge was really just time: basically, conducting an examination of six different computers in order to get the results. But other than that, writing it up was not too terrible, and it worked out pretty well.
Christa: And how did you manage that time issue? Because I know research is one of those things you and I have talked about, and I’ve heard from a lot of other examiners, that time is often at a premium, and so trying to figure out how to manage time to be able to conduct research and still get their day-to-day work done is something that I think examiners are always looking for tips on how to deal with.
Joe: Yeah, it’s definitely difficult to manage that time. One recommendation is just to spend, maybe it’s thirty minutes a day, or whatever amount of time you can spare, just to piecemeal it, because that’s always going to be better than trying to find a huge chunk of time.
I have found that moving into academia, there’s a lot more time for research. With law enforcement you’re constantly on deadlines trying to solve a case; every time you close a case, three new cases come in, so there’s very little time for any extraneous activity. But with academia, there’s a lot more room for research and extra activity to be conducted, to try to figure out all the things that we want to know as forensic examiners.
Christa: You talked a little bit at Techno about your future plans for researching private browsing on Mac OS, the Tails browser, and also mobile browsers. How’s all that going?
Joe: I haven’t started working on that yet as I’ve been working with the PhD program, working on my classes, but I do need to figure out what my dissertation topic is going to be. So I definitely would be interested in conducting some additional research. I think the research is useful, not only to forensic examiners who need to know where to find the evidence, but for people who are interested in privacy and security. So they can know what browser to use: are they really going to be able to achieve privacy, or not? So definitely, I would like to look at, how can we recover data from Mac OS and mobile browsers.
But I think Tails is important as well, because if you have a suspect who’s using Tails, typically there’s not going to be a storage device with that machine, so how do we get that data back? How do we find the evidence that we’re going to need for our case? And I think what we’re going to find there is, it’s going to need to be RAM forensics.
Christa: OK. Tails, by the way, came up during at least one session that I recall from the Crimes Against Children Conference which I attended in Dallas last week, so that’s definitely being talked about in the industry, as I’m sure you know.
Christa: I want to backtrack a little bit, because we’re talking about research. And we talked about [how] you went from law enforcement to academia; there’s been a little bit of a transition, it sounds like, in skill set. Can you tell us a little bit more about that progression, and how you were able to manage that transition from one form of work to a very different form of work?
Joe: Yeah, absolutely. So I really never had any intentions of being a teacher, that was never my plan. But I actually got my Master’s degree from DeSales, back in 2013, and I got it in Criminal Justice with a Digital Forensics concentration. And then shortly after that, DeSales had reached out to me and asked if I was interested in teaching, which again I had not really considered, but I said sure, why not? Let’s try it out and see how it goes.
So I started teaching in 2014 as an adjunct, and really enjoyed it. I enjoyed being able to take my knowledge and share it with others. So then in 2016 they had a full-time opportunity available, and asked me if I would be interested in that, and I ended up joining the faculty as a full-time faculty member. So I’m now starting my third year at DeSales.
Joe: Actually, this is my fourth year.
Christa: So, this particular private browsing research was the capstone project for your second Master’s degree. Can we talk a little bit more about DeSales’ Master of Criminal Justice and Digital Forensics program: how long it’s been running, what are some of the milestones it’s reached?
Joe: Yeah, definitely. Our Master of Arts in Criminal Justice program was established about fifteen years ago; and the digital forensics concentration, which is one of the options that students can pick from, was established almost ten years ago. So it was one of the first programs out there that allowed people to learn about digital forensics and get some training in that area.
I think one of the most exciting things that we have is that we allow students hands-on experience with working with digital forensics. So a lot of the programs I’ve heard about, they offer videos and teachers demonstrating; but with our program, we actually provide licenses for popular programs to our students. So things like EnCase and AXIOM and FTK.
And then our students can install the tools and actually get to use them to perform practical exercises that we provide them. And then they type up a written report and submit that as their practical. So it’s nice because they get some hands-on experience.
And we also encourage them to work on their digital forensics certifications, to make it easier for them to find job opportunities.
Christa: I was going to say, that sounds like it makes them much more marketable than going a different way would.
Joe: Yeah, I think it’s a really great opportunity for them because they get to walk into a job interview saying that they have this previous experience and they’ve gotten to use the tools, and it’s not that they’ve just heard about the tools and they know the process: they’ve actually used them.
Christa: Right. So that brings me to my next question, actually, talking about the hands-on experience that the students get. This is a fully online distance-learning Master’s program. I’m wondering: had DeSales already had success with other online distance learning, or was there something about this program that made an online format ideal?
Joe: I think with this program, because it’s involving technology, it’s really ideal for an online environment. I think also because there’s not many programs out there, it provides the opportunity for students who are in other places to be able to get that degree that maybe they don’t have at a school near them.
I always tell the story that the first time I ever stepped foot on the DeSales campus was to pick up my cap and gown for graduation, which is sad because it’s a beautiful campus and it’s really nice, so I was kind of upset that I hadn’t been there before. But I live about an hour and a half from campus, so you can complete the whole program totally online. We have students from all over the country, and there’s no need to come onto campus, which is really great.
But we have some other programs as well: our MBA program is actually the second-largest in Pennsylvania, and they’ve been very successful with their online program as well. So we try to be flexible for working adults, and people who have busy schedules, and allow them the opportunity to get that training that they desire.
Christa: Having said that, I know DeSales also host the David M. Petzold digital forensics laboratory of Lehigh County. Does that figure into the program at all, in terms of practical experience, or is that more of a separate thing?
Joe: That’s a really nice partnership that we have with the county. DeSales basically donates classroom space to the county, and the county has put their digital forensics lab in our academic building. It’s a really nice partnership for us to be able to help out the county, and the county actually allows our students to serve as interns in the lab. So our students have the ability to go into the lab and work alongside a county detective, or a forensic analyst, who is working on a real case with actual evidence.
And the experience that they gain there is obviously amazing and really helpful when they go out to look for jobs, because now they can say they’ve worked in a forensic lab, with law enforcement, and it’s definitely a great opportunity for our students. And it’s right across the hallway from our forensic classroom, so our students can walk out of the classroom and walk across the hall. So they’re really a great resource for us.
Christa: Yeah, it sounds like it. What is the breadth of experience generally that you, and the other faculty, bring to this program? Some other research areas or concentrations, whether it’s lab-related or not lab-related?
Joe: Yeah, definitely. All of our faculty members are experts in their field, so these are people who are practitioners, who have worked in the specific areas — so, for example, our digital forensics professors all have experience working in digital forensics.
We have a couple of other concentrations as well. We have an investigative forensics concentration, which is more like your traditional CSI type thing. So things like crime scene investigation, death investigation, forensic psychology: those are some of the things in that program.
We have a criminal justice leadership program, which allows people who want to become chiefs or supervisors to gain some experience in human resources and budgeting and finance and leadership.
And then we are actually working on a homeland security concentration, which we hope to be available by the end of the year, for those who are interested in homeland security.
Christa: So what kinds of things would that involve? Would there be any overlap with digital forensics?
Joe: We’re looking at actually two programs, one of them being general homeland security, and then we’re actually looking at counter-terrorism investigations in digital forensics. So that particular focus would kind of marry together the digital forensics courses, as well as courses that are taught by our terrorism experts, and give students an idea of how they would look for evidence of terrorist activity on computers and other electronic devices. So we’re really excited about that program, because I think that there’s going to be a lot of interest there.
Christa: Yeah, and you’re close enough to DC, I would think; that sounds like something that would make students more marketable to some of the contractors there.
Joe: Definitely. So we’re about an hour and a half from Philly; an hour and a half from New York; and probably around three hours from DC. So definitely a driveable distance, and close to transportation — trains and such — so it works out well.
Christa: Yeah. So I noticed that there’s a 20% tuition discount. Do you want to talk a little bit more about that, and any other promotions that our listeners can take advantage of?
Joe: Yeah, definitely. We actually offer a 20% criminal justice professional discount: so if someone’s working in criminal justice, we offer that 20% off of their tuition. So it’s really a nice benefit, because they can save a lot of money.
We also offer, for people who have tuition reimbursement through their company or through their agency, we actually won’t have them pay their tuition bill until eight weeks after the course ends. So that’s really nice, because by the time they’re getting their reimbursement from work, now the tuition bill is due, so it basically allows them to not pay out of pocket.
And then we have a payment plan option for students who are paying themselves: we have the ability to split the payment into thirds. They can pay one in the beginning of the course, one in the middle, and one at the end.
And then of course, we offer student loans as well. We did a raffle at Techno Security for a free course, so we also will provide that opportunity to your listeners. So if one of your listeners wants to reach out to me, I would be happy to enter them into that drawing to be able to win a free course. And the theory there is, we let them try out the program risk-free, and if they enjoy it they can continue in the program or tell a friend about their experience.
Christa: That’s great, that’s really generous, and thank you. We appreciate that.
Christa: Alright. Well, that wraps it for my questions today. Thank you again, Joe, for your time and for all the great information on the podcast. And thank you all for joining us on the Forensic Focus podcast. You can find more articles, information and forums at www.forensicfocus.com. If there are any topics you think we should cover, or if you’d like to suggest someone for us to interview, please let us know.