Magnet Forensics’ Stephen Boyce on Collaboration, Automation, and Developing DFIR Skills

Christa Miller: As digital technology becomes more embedded into humans’ everyday lives, enhancing our efficiency at work, our social lives, even our health and movements, it likewise facilitates criminal activity. Growing in volume and complexity, technology thus ends up both hindering and helping digital investigators’ efforts to apprehend criminals in both virtual and physical domains.

This week, the Forensic Focus podcast looks at the “help” part of that equation. We’re joined today by Dr. Steven Boyce, Director of the Magnet Digital Investigation Suite, which offers automated evidence processing, collaborative evidence review for non-technical investigators and centralized case data management. I’m your podcast host, Christa Miller, and welcome, Stephen.

Stephen: Christa, thank you.

Christa: So before we jump into talking about the suite itself, I wanted to start with a little bit about you. You’ve worked in a broad range of roles and sectors from the FBI to the private sector to academia. Congratulations by the way, on your newly-minted PhD. How did you first come to digital forensics and how did you decide that this was what you wanted to do?

Stephen: Yeah, Christa, great great question, and very fitting right now as it is winter time. My journey into cyber security, digital forensics, and IT really started when I was a young boy. Growing up I played sports, and in the winter I didn’t play winter sports. And so in the winter I spent time inside, and in the spring I played baseball. And so that’s what I did growing up, I did some other winter activities, but for the most part,  I’m a spring chicken, if you will.


Get The Latest DFIR News!

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

And so with that, during the winter months growing up, if I wasn’t at my local football game or doing some things, I’d be playing video games. And what had happened early on in the days of online gaming is, I figured out that while I was playing with my friends, that something nefarious was happening and it wasn’t our internet connectivity at the time.

And I’m like, “Hey, you know, everyone, the bill’s paid and everything’s working.” But I kept being kicked out of games and logged off. And our internet kept going out and I’m like, “What’s going on here?” And so some intellectual curiosity, and at the time Ask Jeeves, I think, was around back then, and I did some Ask Jeeving, and figured out what was happening; I was experiencing a distributed denial-of-service attack.

What folks were doing at the time, were using UDP flooding to flood IP addresses of folks that were playing in the video game in order for them to level up. Microsoft had termed this ‘host booting’, and so that’s really where I got my first experience in IT cybersecurity, digital forensics — really understanding what was going on, what was happening to figure out, okay, my home network was under attack by fellow gamers, and I needed to figure out a way to protect myself from that.

And really that’s where I became involved. Obviously, first when I figured out what was happening, as a young guy, we want to take action, right? That’s just kind of like the ‘macho’ thing. And then I realized, “Wait, this is actually a crime to do this. And I would really love to be working with the folks investigating this type of thing.” So really that’s where my introduction to cyber security, digital forensics and IT started.

Christa: Very cool story. I actually just interviewed somebody not long ago that also got into DFIR through gaming. So, is it fair to say that your new role at Magnet bridges all of these experiences?

Stephen: Yeah, absolutely. Certainly it bridges the experiences I had in the public service, if you will. I spent some time at the FBI and the US Department of State working both domestically, internationally, and at Magnet we’re certainly a global organization. And we really started initially supporting the public sector and certainly have grown into supporting what I call the whole society. As it relates to cyber security, it’s a whole society problem. It’s not a public or private sector, it’s both.

And so certainly leaning on my experiences in the public sector as well in the private sector as well, understanding that the challenges are — some of them are the same and many of them are different, and understanding the various different use cases and the different motivations that each of the different stakeholders have on both sides, ultimately with the goal of empowering individuals and organizations to investigate cyber security incidents and ultimately defend and hopefully prevent attacks from happening, as well.

Christa: So given all of that, what appealed to you about growing your career as Director of the MDIS? What are you bringing to Magnet and its customers?

Stephen: Yeah, I’m certainly bringing that diverse skillset, if you will, having been on both sides, really looking at what I would call the ‘examiner lens’ is where I was for many years saying, “Hey, what would have been great, or what would have been some solutions or tools that would have been great to have while I was an examiner in the government and when I was an examiner in the private sector?” And furthermore, as I had moved along in my career into management, what were some things that would have helped us increase our return on investment?

And certainly on the private sector side, it’s a different conversation. And so really bringing that kind of boots-on-the-ground experience to Magnet as well as being able to innovate, really be forward-thinking in terms of the industry as a whole, where I see the industry going and some other opportunities that we have as an organization in order to meet the demands that the market is asking for.

Christa: So we’ll get to that in just another couple of questions here. For right now, do tell us a little bit more about MDIS and its integration of the three products that allow for case management, orchestration and collaboration, all of which rely on the AXIOM processing engine. What is the intended user group for the suite and/or the individual products? It sounds like it’s a mix of law enforcement, incident responders, both. What size agencies? What kinds of cases? Give us a little more background on that.

Stephen: Yeah. The Magnet Digital Investigation Suite, MDIS, certainly a mouthful. I know folks are like, “Hey, what does MDIS stand for?” We love our acronyms in the industry, right? So there it is, MDIS but yes, certainly MDIS includes ATLAS, AUTOMATE, and REVIEW.

And I call it a more whole-of-agency, whole-of-organization approach. Certain tools within the suite, maybe more geared toward forensic examiners. Some tools may be geared towards maybe end users, maybe analysts, maybe investigators, maybe third-party lawyers in the legal realm. And whereas other tools may be specifically geared toward lab managers or management in general, right?

Certainly across the MDIS suite, when we talk about collaboration, automation and case management, the needs vary from public to private sector, but ultimately, both Magnet as a whole, as well as MDIS, is applicable to both the private and public sector.

When you think about case management, I think about it really from the end user because we focus a lot with digital forensics, certainly on empowering examiners. That’s one thing I appreciate that Magnet has done from the IEF days. I call it the ‘Domino’s’ or the ‘pizza delivery effect.’ You order pizza online, say at Pizza Hut, Papa John’s, pick your favorite pizza place, and along the way you see what’s happening to your pizza. They say, “Hey, your pizza’s in the oven, right now they’re taking it out. It’s really hot. It’s on its way to you.”

That type of deal for forensics, really with ATLAS, being able to have someone put in a forensic request and understand, “Hey, where is my request?” like, “Oh, wait, it’s with the malware team, they’re doing some reverse engineering on it right now. Oh, it’s with the mobile team, they’re doing some SQLite magic.” Being able to understand where your evidence is at any given time.

I know from my time in the FBI, a lot of agents which were essentially my end users, my customers and consumers, they’d always want to know what’s happening to their evidence. And so ATLAS really certainly provides that, and it also empowers case and lab managers to be able to manage your workload in your lab — “What’s our utilization?”

These are questions that maybe examiners have necessarily only considered with their own utilization, but for a lab manager and certainly management, they want to know, “Okay, do we need to scale up? Do we need to add additional resources and talent to our lab? Is everybody over or at capacity? Do we have the opportunity to assign certain things to certain subject matter experts automatically?” And so that’s where some of the integration comes with things like AUTOMATE. 

But ATLAS, from a case management standpoint, it really has that ability to do those things and as well as integrate with existing corporate and organizational systems and things of that nature to be able to provide what I consider the new and improved digital forensic incident response experience from a case management standpoint.

When you move on to things like AUTOMATE — I love AUTOMATE, I really wish I had AUTOMATE when I was an examiner, just because there’s been so many times that I have on weekends, late nights, holidays, had to come into the lab in order to literally click “Start” after something was imaging overnight from a processing standpoint and then wait for it to be done processing in Tool X and then kick it off to Tool B.

And so many times where we have various different use cases where you have very, what I call ‘routine tasks’, being able to automate that is extremely helpful, as well as leveraging all the different hardware that you have available to you in your lab.

And so certainly with the rise of the Cloud and just being able to leverage processing power of the Cloud, being able to scale, “Hey, you know, if I need to throw all that Microsoft or AWS has available, I can have that ability in utilizing the Cloud.” Whereas on premise, you’re limited to what it’s in your lab. And so AUTOMATE really takes that, what I call the ‘future of digital forensics’ in terms of automating routine for examiners.

And the one thing when I always talk about AUTOMATE, I say, “Hey,  it’s not going to automate us out of a job, right?” We still need to do things like deep level analysis of investigations. We still need to do other things and stay ahead of the newest artifacts that are coming out.

But being able to automate some routine tasks also provides that level of quality assurance as well to say, “Hey, every time in our lab or in our organization, we do these things and we do it this way every time.” Because every examiner does things differently in a lab or an organization, and so there’s also the quality benefit there to the examiner, as well as the agency or organization.

And then REVIEW: you know, my organization was one of the early adopters of REVIEW when Magnet introduced it. And one of the things I really loved about Magnet REVIEW was that my consumers or customers really loved it. I was able to — and again, you said rooted in AXIOM — able to take an AXIOM case, what was at one point a Portable Case, that certainly has its limitations, and be able to throw it into something more enterprise-scalable, if you will, that my agents and analysts could collaborate simultaneously as well as review it in a more user-friendly environment, certainly loving the fact that it’s accessible via a web browser.

And certainly with things like the Cloud, being able to — for some organizations that are able to leverage the Cloud, being able to say, “Hey, from a hardware perspective, we’re not necessarily sharing digital media, spinning a disk or flash memory anymore — or flash disc, I should say — we are, ‘You want to review some evidence, here is our access to our review platform.’”

It limits a lot of things that could go wrong in transit, as we’re very familiar with. And then again, having that integration amongst ATLAS, AUTOMATE, and REVIEW, to be able to say, “Hey, this team, maybe if you’re dealing with a team situation, they’ve completed their review of all the digital evidence in as a part of this investigation. Now let’s bring in another team.” or maybe, “Hey, now let’s go back to AXIOM and automatically create a report of all the great things that they’ve tagged in REVIEW and then have that automatically emailed out to an end user.”

That’s the vision with things like MDIS, and that’s really how I see the future of forensics in enabling examiners, enabling investigators and analysts to be able to keep up with the growing demands and backlogs that organizations have.

Christa: I can’t help thinking, as you’re talking about case management and remote review, in terms of the pandemic, when so many labs shifted to home environments and doing things a different way, and it really sounds like this could help facilitate that sort of thing.

Stephen: Absolutely.

Christa: So I wanted to key in — you talked a little bit about AUTOMATE, and I wanted to key in on that. I think most all of our listeners are familiar with automation, specifically for child sexual abuse material processing. But I wanted to — I mean, you touched on quality assurance and I wanted to find out on what other kinds of cases is automation valuable? How does it help to address not just the data volume as you mentioned, but also the complexity? Put another way, in what ways is modern data complex and complexifying, and how does automation help with that now and into the future?

Stephen: Yeah. So in terms of the case type, so I think a lot of the listeners will be certainly familiar from a CSAM perspective. But it goes beyond CSAM, right?  Certainly when you think of, for my corporate folks — and not corporate — insiders, when it comes to disgruntled employees and insiders, they exist both in the public and private sector.

And so listeners who are in the public sector, they [could] very well be dealing with the party and employee or potential insider, and automation can automatically — when you have, say you have someone who gives their two-week notice, you can certainly have different playbooks for various different things. And so that’s one of the beauties about AUTOMATE.

And so certainly from the insider threat perspective — departed, disgruntled employee perspective — having those automated workflows to say, “Okay, an employee is either terminated or give their two-week notice, let’s grab all of these artifacts every time across our organization” to ensure that if it’s on the government side… trade secrets you’re trying to insure or protect, hasn’t been taken, or if it’s in the private sector, you may be trying to look for intellectual property that may have gone out of the work.

And so, certainly from an insider threat perspective, it has its various different use cases certainly from a threat  management side, as well. When you think about business email compromise and when you think about ransomware, being able to — every time you are responding to an incident of a certain case type, whether it be ransomware, whether it be email compromise — to be able to collect the same artifacts and be able to process them and refine them to how your organization is familiar with them.

Because one of the things, as you mentioned with the logs and the data, there’s a lot of data out there, there’s a lot of logs. All of the data that is available to us via APIs or command line may not be necessarily of investigative value to us. And so being able to narrow that down to, what do we actually care about, what answers, the questions that we specifically have for our organization is a really great feature of AUTOMATE.

And  you mentioned the data volumes. The data volumes are certainly increasing. We have both structured and unstructured data. Certainly I think it definitely, on the private side, a lot of organizations are utilizing things like data lakes. And so being able to say, “Hey, we have — and certainly from a privacy standpoint, I think there’s going to be more increased for doing things and caring for how we handle data — and so being able to say, “Hey from a storage perspective, this is of investigative value. We need to store this information for 75 years.” 

That exists in certain places, especially when it comes to CSAM. And especially when you go across the pond, they need to hold certain types of case type data for, like, a hundred years, and you may have typically maybe sitting on a spinning disc in your lab, but now you can leverage automation to be able to say, “Hey, let’s ship this off for long-term storage. We may never need to look at it, but from a compliance standpoint we need to do this.”

And so automation certainly helps with those data volumes from not even just a digital forensics standpoint, but a compliance data governance standpoint, as well.

Christa: Right. Yeah, that actually is a good segue into my next question regarding storing digital evidence in the Cloud. It seems as if it’s definitely gaining more traction and acceptance, not just from that governance standpoint, but just also as a way to deal with those data volumes. Talk to us about more what that might look like, especially in terms of data security and chain of custody issues.

Stephen: Yeah, absolutely. I think the biggest hurdle — and I’ll start with the public sector, certainly for my law enforcement friends listening today — was having both your Cloud service providers be [Criminal Justice Information System] CJIS compliant. Being able to house this type of data — which was very important, especially for my state and locals that abide by these rules that come out of CJIS and do a very good job at doing that and they’ve come a long way — being able to replicate that in the Cloud, it was extremely important, as well as for the .gov and the intelligence folks being able to store various different classifications from unclassed, all the way up to the highest classification, was extremely, extremely important.

And so both — I’d say all the Cloud service providers — have taken the time, from a compliance standpoint, to be able to harden their systems from a storage perspective, to be able to be compliant for storing this information.

And from an access control and a chain of custody standpoint, one of the good things is the auditability of the systems in the Cloud, and also from a disaster recovery standpoint. And so I  when I talk to people about storing digital evidence in the Cloud, I look at, “Hey, how are you storing digital evidence today?” Typically on premise in some spinning disc that’s probably been around for a long time, and it works. They have uninterrupted power supplies, and really great things that make it available and make it confidential, make it stand up in court.

However, there are a lot of things when it comes to scale. What happens when you run out of space? How do you decommission? How do you add more space as you guys grow? What are the long-term implications? What’s the servicing that you have to do on that?

And so when I talk to folks about storing digital evidence in the Cloud, first was certainly getting over the compliance issues that many organizations had, as well as the various different security controls that are available to them in the Cloud. Some, especially when I think about state and locals, may not have their own dedicated, in-house IT and security team, they may be using some sort of third-party managed service provider.

And so being able to have a wide variety of security controls available to you in order to harden this important information is extremely crucial. And the Cloud just allows for that greater flexibility and availability of things that would be almost unattainable for some organizations and organizations on-premise.

Certainly, when you think about corporate and the private sector, they’re leveraging Cloud for a lot of things. When I think about incident response, being able to automatically upload triaged data to the Cloud and then automatically start processing that right away — like, oh my goodness, that is really where the private and corporate sector has been utilizing the Cloud for some time now.

And as well, as being able to say, “Hey, these are the various different controls from an access perspective. We don’t allow any access. This is not available in the public sphere.” And so, a lot of the different ways in which an organization can customize their Cloud storage, and that’s one of the things: there’s public cloud and private Cloud.

You’re going to have to pay more for things like the private Cloud, but if your organization — especially on the public side, you’re dealing with CSAM — you’re dealing with investigative information, a private Cloud may be more attainable for your organization based on your risk profile. Whereas in the public sector, they may be more comfortable storing evidence on public Cloud and then leveraging the various different controls to harden that system. 

So ultimately, the Cloud offers, from a scalability standpoint, from an availability standpoint, being able to store different data in different places and have that redundancy. And again, I talked about the data governance. Especially for corporate, if you’re an organization that operates in multiple countries, you may not be able to store all of your data the same way. And so the Cloud allows you to meet these different jurisdictional or country-specific requirements for storing digital evidence and assigning the various different, due care to that evidence, as well.

Christa: Okay. I want to kind of bring together a couple of different concepts. You had talked earlier, not just about Cloud storage in general, but about team collaboration. And I’m curious whether you anticipate that the widespread adoption of Cloud and solutions like MDIS could encourage inter-agency collaboration, at least for those who opt in, and if so, how might that work?

Stephen: Yeah. Inter-agency collaboration and coordination through solutions like MDIS is certainly how we at Magnet see the future and the leveraging that, certainly. When we think about core teams that are spread out through geographic areas and we talk about COVID and the pandemic, so many times I talk with investigators who have to drive five hours just to go meet with the prosecutor. When they’re doing some discovery prep, being able to communicate through an encrypted means and share this information and collaborate in real time on investigations is certainly key.

And so really I see tools like MDIS in collaboration and adoption of more agencies and organizations utilizing the Cloud, which will ultimately help them increase productivity. And also ultimately provide that flexibility, as well, of how much are we really spending on removable media when we’re sharing information?

As well as, you talked about some of the concerns that organizations have with the Cloud, the auditability, like what’s happening to the data. When you put it on a removable media, there are a lot of things that can happen, there’s a lot of, I can’t necessarily ensure everyone who has had the access to it. I can only assume based on chain of custody and things like that nature.

But with solutions like MDIS and the Cloud, allowing agencies to do this collaboration in real time from their home office is really a way of the future that we envision at Magnet.

Christa: So, with that in mind, in terms of the future, it sounds to me like all of these issues demand maybe some existing, but also some new skill sets for forensic practitioners. As our podcast this month is focusing on career issues, what do you see as the, maybe three to five skills that will be the most needed?

Stephen: Yeah. Three to five skills. I’ll start with a soft skill first. I’ll start with the ability to collaborate. The ability to go beyond the laboratory is really key with MDIS. MDIS is so much more, certainly has enterprise scale for a lot of organizations. And so understanding that you’re going to need to collaborate with your IT, that’s going to be very key for forensicators. I know myself, we did a lot of things in-house as a part of the lab, but MDIS is so much more than just forensics. And so collaboration would be one huge key skill set.

And the other one would be your knowledge base of Cloud, and this is going to vary. And so, Cloud, there’s organizations like SANS and others [that] are certainly doing a lot to get cybersecurity practitioners and forensicators comfortable with not only finding artifacts that are in the Cloud, because this is the future, but also getting comfortable with cloud infrastructure: performing forensic examinations in the Cloud, leveraging Cloud architecture and resources. And so certainly Cloud would be number two.

If I had to pick a number three in terms of skills for examiners who are thinking about, “Well, what can I do?” Certainly automation relies on things like CLI access, APIs and scripting. And so for those that are well-versed in scripting, I would say that is huge as well, because that also allows for automation and things of that nature.

And then I’ll end on a number four, in terms of skills, is really bringing that diverse skill set to your organization to be able to understand the future of digital forensics. So right now we have a lot of folks coming through the pipeline that are certainly really interested in digital forensics and like, “Hey, well, you know, should I be jumping over to go do ransomware? Should I be jumping over to do business email compromise?”

Certainly those things are very important, but understanding the core aspects of digital forensics and being in that intellectual investigative curiosity and mindset will be able to allow you to think about, “Well, how can we work more efficiently in our lab?” And I kind of used the word “Work smarter, not harder” and so that that’s certainly a skillset that we need as forensicators.

So those would be my four, if you will, for folks thinking about the future of digital forensics, and certainly thinking about MDIS — that collaboration amongst your organization — it’s so key, we need to break down these barriers. IT needs us, we need IT. And so that’s first and foremost. And then like I said, the others are equally as important, as well.

Christa: So how do you anticipate that, you know, you mentioned some of the more technical skills. How do you anticipate that these — I guess they’re not really new skills, but maybe in some regards — will integrate with existing foundational technical skills. And how should practitioners, especially ones that are more experienced or they’ve been in the business for a long time, plan to build sort of the new skills into the existing foundational skills?

Stephen: Yeah. Yeah. I think the new skills, when they think about how to build them into the foundational is really kind of watch what’s what’s going on in the industry. You know, every time I talk to folks, the first question they ask when they ask about MDIS is, “Hey, do I get CLI access? Do I get API access?”

These may be areas that, you know, certainly engineering and, you know, development we’re well-versed with, with CLI and APIs, but more and more we’re needing and hearing of the need for access and being able to speak about APIs and understand how they work, right?

When you think about automation and we really think about MDIS as a whole, being able to utilize APIs and CLIs from your various different tools, to be able to think about, “Okay, how can we again, use these tools, existing tools, foundational ground tools that we’ve been accustomed to use for tomorrow’s problem?” And automation certainly helps with that.

And so I think that’s one of the biggest things there is getting folks familiar with that, understanding how these things work. It’s a new technology for some, just like Cloud. It’s a new platform. And really just dabbling, understanding from a ground level, just like we did with when we were learning things like hex and carving and all the fun stuff of the foundational of digital forensic instant response. Same as it goes to the future of the new infrastructure and new technology that we’re utilizing in digital forensics, because the data and the cyber attacks and the investigations are just increasing. And we need to, from a skills perspective, stay with the current trend so that we can keep up.

Christa: So really you’re talking about things like automation making room for learning and building some of those new skills.

Stephen: Yeah, absolutely. Absolutely.

Christa: So on that note, another thing that when I was looking at your LinkedIn profile preparing, I noticed you’re on the Board of Advisors for the Cyber Sleuth Science Lab, which we’ve covered in the past. How are organizations like this addressing skills development, especially when the technology is evolving so rapidly, and especially in terms of how they’re helping to overcome privilege barriers in particular access to technology and training and so on?

Stephen: Yeah. You know, huge shout out to Daryl and the team at Cyber Sleuth. Cyber Sleuth, you know, has given opportunities to underserved communities around the country and providing them with the access at a young age, really to say, “Hey, you know, technology, this is how technology can be utilized for good.” I think we’re at a point now where we can almost say it’s safe to assume everyone’s to a certain degree utilizing technology, but how can you also use this technology to do good things, to get involved in your community as well?

And so Cyber Sleuth really provides them with the access to what I consider a longstanding gatekeeping of technology expertise, knowledge, and access to — whether it’s industry-leading practitioners and thought leaders, down to also technology as well to get their hands on and get their exposure — so that they have a fair chance when they are in college or maybe competing for a job after college and early on.

And that’s one of the things that I appreciate with Cyber Sleuth is that they have, certainly in the K through 12 [grades], given the opportunity to these underdeveloped groups, because we certainly need a more diverse population in the industry. And having them, or giving them that opportunity to be able to join our industry and contribute, because we certainly could appreciate new ideas and new faces, as well.

Christa: Yeah, it’s all about the perspective, right?

Stephen: It is, yeah.

Christa: Well, Stephen, thank you again for joining us on the Forensic Focus podcast. It’s [been] a really fascinating discussion here.

Stephen: Thank you so much, Christa.

Christa: Thanks also to our listeners. You’ll be able to find this recording and transcription along with more articles, information and forums at www.forensicfocus.com. Stay safe and well.

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...