Josh Brunty On Digital Forensics Education

Christa: Hello, and welcome to the Forensic Focus podcast. Monthly, we interview experts from the digital forensics and incident response community on a host of topics ranging from technical aspects to career soft skills. I’m your host, Christa Miller. 

Today, we’re talking with Josh Brunty, an associate professor at Marshall University, where he teaches both foundational and specialized laboratory courses within the digital forensics, information assurance, and forensic science graduate degree programs. A former digital forensics laboratory manager and examiner, Josh has over a decade of experience in the field of digital forensics and high tech crime investigation. He has served on several federal and state level cyber crime task forces and panels, and has participated in both national and international committees and panels focusing on the advancement of digital forensic science and digital evidence in the United States. He has authored books, book chapters, and journal publications in the field of digital forensics, mobile device forensics, and social media investigation. Josh, welcome to the show.

Josh: Well, thanks for having me. I’m really honored and privileged to be here and be able to answer some questions today.

Christa: Thank you for joining us. Today we’ll be talking about collaborations between academia and law enforcement, how research supports the mission, and how the mission informs research. So Josh, to start with, tell us a little about Marshall’s cyber forensics and security programs. How and when did they get started?

Josh: Well, we started in around 2004, back when I was a student here at Marshall University, and we started out of the graduate forensic science program. And one of our goals was to establish a laboratory, and put a laboratory in place that was collaborative with law enforcement. And we specifically looked at teaming up with the West Virginia State Police at that time. 

At that time, we were formulating classes as part of the emphasis in the program, but in that whole mix of things, we were also looking to develop a practical laboratory aspect to it as well. And around about 2005 we received a federal grant and money to develop that laboratory and build that laboratory. So I, as a fresh graduate out of the program that I was in, one of the first digital forensics students that had any interest in this, or even knew what it was, was hired as an examiner in that laboratory.

So we built that laboratory up and actually added civilian staff from the West Virginia State Police in addition to analysts that we had hired on the Marshall end as well. From that, we were able to develop our academics portion of that as well, because a lot of the folks that were working on that [indecipherable] included were taking classes and trying to earn their master’s degree on top of that. From there we had a very, very successful laboratory language right here on campus at Marshall University. So that lab’s still in place. And we still collaborate with the West Virginia State Police. We’ve worked thousands of cases through that laboratory. 

But in 2012, we were also able to launch an undergraduate BS degree and digital forensics information assurance. From there, seven years later, we’ll fast forward to 2020. We started a full master’s program in cyber forensics and security. So we’ve also added partnerships with federal agencies as well, and give[n] our students more opportunities rather than just the laboratory here to kind of go out and expand [indecipherable].

Christa: What’s important about the law enforcement collaboration? Initially when the lab started, what was important about having that collaboration in place?

Josh: I think it’s important to have a hands-on aspect in any program. I see so many academic programs that just kind of splinter out of… let’s say a computer science or computer technology, or whatever it is from old justice. It really doesn’t matter, you know, where they’re trying to attract students and the student graduates, they have a ton of theoretical foundation, but they’re really not ready to work in that laboratory. They don’t have those soft skills that they need. 

This is kind of like a double barrel shotgun. You know, you’re bringing a student in, you’re giving the practical aspect, you’re giving the practical experience, but you’re also kind of pumping them full of the theoretical aspect that college should be giving. So you not only get a more well rounded student, but you get a more realistic student that goes into this field thinking, okay, this is the foundation that I was taught on. This is what I can be of value to this laboratory. Plus we kind of find their way as well. So the students really good at networks, or mobile phones, or multimedia forensics, we find that place for them. And that gives them some direction and career art to go into the right laboratory and be the right kind of analyst, or wherever they end up working.

Christa: You yourself have worked in the field for about 15 years. What are some main stage challenges you’ve seen relative to more rapidly evolving challenges in digital forensics practice?

Josh: Things change so quickly. So quickly things change. When I got in, in 2004 and ultimately started full time in 2005, really we had a couple of digital forensic tools and we were focused primarily on hard drives. And it was hard to keep up on training on that. 

And then 2007, 2008 came, mobile phones started filtering into our laboratory, and it was just a completely new kind of train that just totally flew in the face of traditional hard drive forensics. And it still does to a certain extent. So I really think that the thing that is a main state challenge for this field is offering the right kind of training to the folks out there that are working, and keep it relevant. Because it’s different than any other academic field in general, because things change so quickly. 

And to get a good quality training product out and train that person, and then the technology changes; how does that training teach them to adapt to that newest mobile phone update that locks them out of that device? It will train them well enough to find a workaround for that, or how to get to water per se, to figure out how to do that. 

And to me over the years, that’s been the thing that gives me anxiety is thinking, okay, how do I stay up to speed on all of this? Let alone teach this in a class, but just for personal growth, how do I… what trainings do I take, and what should the landscape look like for me the next five years, it’s this totally different than it was in 2005, at least from our perspective it is.

Christa: And I think that feeds into my next question, which is: you’re also executive secretary of the digital evidence, subcommittee of NIST’s Organization of Scientific Area Committees, or OSAC. What are some challenges in this rapidly evolving landscape with improving digital forensic science, especially on a practical level, relative to quality assurance and clearing cases?

Josh: Yeah, I think there’s a key term there. ‘Forensic science’, if you look the definition of it is application of science to the law. And science and law don’t always mesh well together, especially when you’re dealing with courts. You have judges and attorneys and officers, and folks in the court that interpret things completely different than scientists and analysts and folks working in DFIR… you know, they put it in a different lens. So the goal of organizations like OSAC and SWGDE and ASTM, for example, there’s just a laundry list of folks who are per se, the steering wheel of our community. 

We’re trying to develop standards, or evolving standards and best practices, that align with ebbs and flows that we’re seeing in the court. Because at the end of the day, most of our evidence, whether it be a civil or criminal court, is going to go into a court of law. And we have to abide by those standards that the court has set, through rules of evidence and prior case, but we also want to keep this a science. And that is sometimes the thing that causes the greatest discussions and the most intense discussionsm because you know, you can’t just throw out a guide and think, okay, that’s going to be good for 10 years for mobile forensics. It’s just not going to happen. 

So are we putting out documentation, are we putting out the standard guides and best practices, that will adapt to what the court says and what the science says? Because science is ever changing. We’re still in that infancy where we’re trying to establish legitimacy, but at the same time, we want to have a field that’s willing and able to change, but stay in the rails that the court wants us to say. That’s an extremely big challenge, but there’s people out there like myself, you know, that really… the passion for me is to try to make the field better, and to bring us into a place where all of our evidence is legit and we’re following best practices and staying within the rails and being recognized as we should.

Christa: So kind of on that note, some people might say in the field that there are significant gaps between practical digital forensics and academic or scientific realms as the field advances and seeks to improve, as you just said. How do programs like Marshall’s helped to address those gaps?

Josh: When I started at Marshall, one of the things I really wanted to make sure that I did right, I wanted to do things different than I received when I was in academia. And nothing against traditional academia as a whole, but sometimes it serves a disservice to the students that they’re trying to train. You know, there’s this what we call ‘authentic learning’ aspect in teaching, where… are the students generally learning something, or are we giving them busy work? 

So one of the things that I looked at is, okay, I have all of this practical experience that a lot of my professors that I had in college just didn’t have. They didn’t have the privilege that I had to work in an actual laboratory. So I wanted to bring that in with me and say, do we have a model that I can keep feeding myself as I continue to teach? Can I still be that practising professional? 

And I feel like I am. It’s important to the students to kind of mix that hands-on education with that theoretical foundation. Students coming through college, they do to learn programming and how to write, and certain aspects of maths to understand the changes in our field, but they really need to know some hands-on things as well. So we want to bring in vendor and open source and commercial software and present that to them. And really, it’s terribly hard for me because I have to keep up with it, but it produces better students in the long run. 

And I’m seeing some of our students that came through in the early days, they’re absolutely phenomenal now because we put that foundation into them that they needed. But on top of that, they came right out of the gate with hands on. And I don’t think every program does that. In fact, I really believe there’s only a handful of programs that are truly doing that. And without naming them, you know, you can probably sit and think of the half dozen that just come to mind. And that’s because they’re doing the same things that I’ve just talked about. They’re producing the right kind of student that’s truly learning and not just widening the gap in this field that I feel that other programs are creating.

Christa: What are some examples of this, of research that your lab is either currently helping with, or has recently been involved in, as well as specific problems that students have helped to solve?

Josh: I think one of our major ones that we’ve been putting out the past couple of years has been smartwatch forensics. This is something that researchers put out very early, you know, 2012, 2013, when wearables first hit the market, and then academia just kind of left it alone and the industry has left it alone. So we’ve had students that have went to internships and agencies and looked at cases and said, okay, what based upon this kind of evidence, what could we do? And what could we produce to help make that smartwatch extraction possible? 

So we continually build upon that. Not just wearables, but any IoT devices in general. And we have students that have published in the Journal of Forensic Sciences on that. And we continue to have students that are looking at new methods to unlock these, to get full data abstractions. And on top of that, to develop tools, to allow for the extraction of that as well. 

Another thing that we looked at: we partnered up with VTO Labs out of Colorado to look at their damaged devices. And because we have a really strong traditional forensic science program here, that’s producing really good forensic chemists, we looked at what type of cleaning agents would be best for those damaged devices coming out of water, fuels and oils. What is the protocol for that cleaning? So we brought in forensic chemists to put that through a GC mass spec and say, okay, is this phone truly clean? And which one of these phones is the cleanest? It’s just something that I don’t see anything else in the field, or anyone else in the field, doing that kind of work. So we’re not only focusing on the digital aspects, we’re also focusing on the scientific aspects. 

We have students that are working right now with some partner agencies to try to decrypt certain messages and encrypted applications. So encrypted messaging apps is sometimes an enigma in our field. They kind of fly under the radar. So we’re looking at ways to try to decrypt those messages and decode those, and try to get those to the tool vendors to say, you know, this is the process, include this in your next build of your commercial tools. So we want to get it out to the LE community. 

And then we’ve been working with different agencies on dark web research. So that’s kind of an untouched place in DFIR at the moment. So we’re looking at methodologies and tools to investigate and get relevant evidentiary data from the dark web. 

So it’s a lot of busy stuff. We have a lot of moving parts going on here, but they’re all relevant parts that I think will add to the field. And I want to add on top of that, that the research that we’re doing is very applied in nature. So it’s not something that four or five years from now, it’s going to finally trickle down to digital forensics. It’s something that we want to get into the hands of analysts and LE agencies, so they can use it right out of the gate.

Christa: At the same time, as you’re doing this research, this important work, COVID-19 has changed a lot of lab policies and procedures. How has this affected student research and internships in particular? And how do you anticipate adapting this for the coming academic year?

Josh: Yeah, it has been a very, very interesting year, not only academically, but from a research perspective, because a lot of agencies have just came back… you know, the partner agency who we’ve worked with just said, we can not take onsite interns. It’s too risky. There’s too many factors in bringing a particular student in and exposing them to what we’re already putting our analysts through. 

So the season of onsite internships has pretty much been put on ice. That has forced us to either create remote internships, or try to bring the students on campus here at the university. Of course, following guidelines of staying safe. What we’re trying to do is we’re trying to partner with particular agencies remotely and say, what problem did you have? You know, I have students in this laboratory who’ll solve it for you. So we start that interaction early, but I have students in my laboratory right now, in the research lab that is working away as we speak, trying to solve those problems.

It’s been going on for a while, whether it be encrypted apps or working with IoT devices, smart watches, or dark web research. All of those things are able to be adapted to a remote internship. And it’s different. It’s a lot more back and forth interaction. And through text messages and Skype and Zoom and Teams, you know, all of those things have to be brought into play. But at the end of the day, I think… it’s not as beneficial as sending the student on site and letting them see how the working laboratory is. But I think in the overall career arc, I think they’re going to have enough knowledge under their belt. At least students coming from Marshall will, where they’re going to be a value to that agency. I’m fairly confident that they’re going to come out and they’ll be fine, but it’s been a challenge. It’s been tougher than it has in past years.

Christa: Well, Josh, thank you again for joining us and thanks to our listeners for joining us on the Forensic Focus podcast, you can find more articles, information and forums at www.forensicfocus.com. If there are any topics you think we should cover, or if you’d like to suggest someone for us to interview, please let us know.

Leave a Comment