DFIR Digital Transformation

Stephen Boyce: Welcome to the Magnet Virtual Summit 2022. We missed you in Nashville, but we’re glad that you’re here virtually. Today, I’ll be talking about the digital forensic and incident response digital transformation. Many of you in your agencies are likely going through this digital transformation in other areas when it comes to business systems and processes, but it also impacts digital forensics incident response. Given the current events that have happened over the last couple weeks, I’d like to take a moment to pay homage to the people of Ukraine in a moment of silence.

Thank you. I am Dr. Stephen Boyce, Director of Magnet Digital Investigation Suite, better known as MDIS. My background: three-time graduate of Marymount University; former DOJ, FBI employee; also worked at the State Department; and then once I left government public service spent some time at a startup consulting firm called Crypsis, who was later acquired by Palo Alto Networks; and then spent some time working on cyber diplomacy, specifically related to election systems externally, so working on elections that happen outside of the United States. So, supporting countries like Ukraine and others through their elections from a cybersecurity perspective.

So let’s jump right into the content today, and let’s go back in time. You know, in order to understand where we’re going, we need to know where we came from.

So let’s go back to the early, early days of digital and incident response, starting from 1978, right? 1978, the great state of Florida introduced what is known as, at least here in the United States, the first computer crime that was recognized, in the Florida Computer Crime Act, right? So this is, you know, just thinking back 1978, the great seal of Florida introduced this, right? You know, the great state of Florida.

Moving forward to 1984, the FBI, specifically the FBI laboratory and other law enforcement agencies began developing programs to examine computer evidence, right? They had this issue where they were trying to figure out, “Well, how do we address the growing demands of investigators and prosecutors in some sort of structured and programmatic manner?” And so with that, the FBI established what is now known as the Computer Analysis Response Team, or CART, a team that I had the pleasure of being a part of at my time at the FBI.

And then after that in 1986, one of the things that, or several things that had happened, if you will, was that many different organizations were starting to be formed, right? And so we look at what is known as the High-Technology Crime Investigation Association, better known as HTCIA, was developed, in which 12 representatives from Southern California Law Enforcement and security personnel from the private industry formed this association, which is still standing today, right?

And one of the things, when you looked at why and how they created HTCIA, again, remember this is 1986, these individuals were, and this is straight from HTCIA, they were alarmed that the fledgling high technology industry was suffering significant losses and public law enforcement had limited expertise in training to address the growing problem, right?

Again, thinking back, you know, we had this legislation in Florida, we had the FBI create what is known as the CART team, if you will, in ‘84, and then in ‘86 there, you know, local law enforcement in private industry in California, and also in Canada as well were like, “Hey, this technology thing is certainly going to impact law enforcement and we don’t have expertise. Like, we need to formulate expertise, knowledge sharing, and training to address this growing problem” right?

In 1989, there was another great thing that was formed that is still in use today as it relates to various different tactics that we utilize for training. And so when we think about 1989, we think about the birth of IACIS, right? IACIS, the International Association of Computer Investigative Specialists was created, right?

And so, during this time you had training courses that were developed, but not necessarily developed for law enforcement on how to seize, examine, and extract evidence from computers that had been used in the facilitation or commission of a crime, right? And so this was the birth of IACIS, right?

When we look at HTCIA, right, certainly, you know, some training there, but IACIS was certainly born out of this growth and this need to say, “Hey, how are we going to address this in policing? How are we going to address this in law enforcement? And hey, digital forensics is also going to be vital to investigations in the future.”

Well, also in 1989, we had things like Windows 3.X, right? And so I know many of you guys are probably getting nostalgia, you know, listening to this right now, but, you know, this is, you know, when you think of DOS, right, and you think of a DOS GUI version, right, Windows 3.X also came out in 1989.

And this is where from a technology standpoint, we started to see things like user activity, right? This is where the birth of the registry and shortcuts and what we know in forensics as swap files, right. We also had things like FTP. And so 3.X was, you know, many of you probably have this maybe boxed up somewhere or in the computer museum, but this is the birth right there of the graphical user interface as it related to Microsoft.

And then in 1993, the FBI hosted what is known as the International Law Enforcement Conference, or ILCE, which was attended by law enforcement, both at the federal state, local, and international level from 26 different countries. And this is where the group got together to say, “Hey, we need to set standards for computer forensic science, because there are none out there at all,” right?

The conference began and convened in Baltimore in 1995 thereafter, and then in Australia in 1996, and then even in the Netherlands in 1997 and ultimately resulted in this formation, right? And so when they got together in ‘93, they weren’t all the ILCE, but ultimately after all these conferences and convenings had happened in 1995, actually, is when the ILCE was officially established as providing international law enforcement agencies some sort of form to exchange information concerning computer crime investigations and other computer related digital forensic issues if you will, right?

And this was also comprised of accredited government agencies involved in computer forensic investigations, right? And then, you know, in 1998 you had things like SWGDE, right, the Scientific Working Group on Digital Evidence. This was established in February of 1998 through a collaborative effort of federal crime laboratory directors.

You know, and so for those of you who aren’t familiar and may not be in the United States, SWGDE is a US-based component of the efforts that were conducted by the IOCE and was charged with the development of cross-disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence to include audio imaging and electronic devices.

And so, with SWGDE you had federal crime laboratory directors in the DC area that met twice a year to discuss issues of mutual interests and the concept of finding, you know, at the time what it was was, “Hey, how do we find this information? How do we make standards that people in the industry can follow?”

What you had here with United States Postal Inspection Service is the great part about, you know, here within the Beltway is that a lot of different agencies at the time, again, we’re still in 1998, were starting to see these digital things come about as related to investigations.

And so, one of the things that the FBI in conjunction with the US Postal Inspection Service is that they had met in 1989, in March to be specific, and hosted a meeting at the USPS inspection site out in Dulles, Virginia to say, “Hey, this concept of digital evidence is very important. We needed to do even more about it.”

And then also we had the birth, if you will, of DCFL, so Air Force OSI in 1998 also established DCFL which again, you know, became DC3, many of you who will likely be familiar or may have went to training at DC3, but in ‘98 you had Air Force OSI establish DCFL, but it wasn’t until 2001 I believe that the name actually became DCFL and now DC3, if you will.

Our favorite, right? Windows NT, Windows 95, Windows 98, obviously we’re still talking about the 98 timeframe. This is where the 32-bit operating system came about, FAT32, active desktop, plug and play, right? The ability to plug things in and just play, right? You don’t need to download drivers and things like that. But also on the forensic side, we had things like DD and Autopsy come out, right? These were important and very transformative to our industry, right?

And then moving into you know, the year 2000, if you will, who here remembers the CEIC conference, right? CEIC Conference, the Computer and Enterprise Investigation Conference that was always hosted in Vegas, right? This is where practitioners would go from an information sharing knowledge transfer standpoint, to be able to network with people, you know.

And so, you know, look at it like the Magnet Summit, like, wow, Magnet Forensics has a conference or a summit, if you will, that forensic practitioners and examiners, thought leaders can come together in Nashville and here virtually thanks to technology. And so we had this, right? And so the importance of information sharing, the importance of collaboration, if you will, was vital then, and still is today.

And then, you know, Windows ME, Windows 2000, and XP. And we’re going to spend some time here talking about just the impact Windows XP had on digital forensics, right? And this timeframe. So, you know, thinking back to the 2000s or early 2000s, if you will, you know, PDAs, right, we had, I think in ‘99 to be specific, Blackberries, right.

And so Blackberry was born, you know, PDAs started to be introduced, right? But we also had Y2K compliance, and you may be laughing as I say Y2K compliance, but yeah, the year 2000 was not necessarily easy for people, let’s just say in the technology industry, right? Certainly not for forensics because, you know, from a date and time perspective, you don’t know if the system that you were examining for your forensic examination was compliant, right, was compatible and able to do this, right?

We also had 802.11x, right? So wireless standards. You know, before that, right, you needed Ethernet, and you needed your RJ45, you needed those things, you know, traditional networking with cables running and Cat 5 and 6, and all the nines, you know, here we had, okay, do away with all the networking here, we have wireless networking. So, you know, this certainly came in the year 2000.

You also had things like Windows Mobile. Windows Mobile, you know, kind of goes hand in hand with PDAs, but Windows Mobile, and, you know, some people had Palm Pilots and those things, really, again, understanding kind of how we’ve evolved, right. We went from, you know, Windows NT, 95 to now we’re able to do things on Windows Mobile, right? And being able to do what you did on the computer, but doing it mobile, right? Definitely sources of evidence for us as forensicators.

And then we also had the EFS, right, the encrypting file system introduced here in Windows, right. And, you know, from a forensic standpoint, right, we talk about this issue and we’re going to talk about it a lot more in depth here when we look at the current state of affairs and kind of where we’re going, but, you know, encryption is not new, right? We’ve been dealing with it from the year 2000, however, obviously the adoption and the wide use, if you will, wasn’t necessarily there.

Then you had things like iLook. So you may remember utilizing iLook for, you know, the early 2000s for your investigations as a tool or a source to help you, you know, acquire that data process data. Norton Ghost may be another one that jumps out, but, you know, the year 2000 really had a huge impact, if you will. Certainly, the years prior in the eighties and nineties, the foundation of these groups coming together, these agencies really understanding digital forensics and certainly organizations, as well.

But then the year 2000, we start getting some tools, we get more sources of evidence. And then, you know, moving on in the year 2000, in 2003 here we had ASCLD, right? So, you know, after examining the feasibility of having digital evidence become a part of existing laboratory accreditation, digital evidence discipline was added to the American Society of Crime Laboratory Directors, better known as, you know, ASCLD.

You know, and so that was kind of the early days, right, of forensics. And we’re going to move into kind of the more current state of affairs, if you will, in what we are witnessing and experiencing today, right? So, when you think about digital evidence and digital investigations, I found this quote here that said, “Over 90% of all crime is recognized as having a digital element.” right?

Now, this was in 2020, right? I would say that this number would be higher now, right? Thinking maybe 95% of all crime is recognized as having a digital element, right? And we think about the digital forensic and incident response, digital transformation, right? Much of that lies on us, right? Lies on us to adapt from when digital forensics started back in, you know, the early days, the, you know, Windows XP, ME, and really, like I said, the crucial years of forensics that we unfortunately are still using today, right?

Back then, 90% of all crime didn’t have a digital element. Maybe, you know, I wasn’t doing forensics back then, but let’s just put a number on it. Let’s just say that 20%, right? We’ve now increased, right, quite a bit since then. And yet we are still doing forensics utilizing the same way that we were in the year 2000, the year 2003, the year 2005, right, the year 2009, right?

We are still, you know, give or take, there’s been changes, a lot of changes, and we’re going to talk about those changes, but this slide here is extremely powerful because having 90% of all crime having a digital element, like, we need to really transform, we really need to do things and think about things differently.

So, the cloud, right? The cloud, you know, I’ll give a joke here, but it has a lot of seriousness to it at the time. When I was in federal law enforcement, if you will, supporting the Bureau, we, I should say the, the legal team that we were working with at the time said, “Hey, when it comes to evidence in the cloud, we don’t touch it.” I said, “Say that again?”

“When it comes to evidence in the cloud, like, you can forget it. If you can’t acquire it locally, you know, as we would on disk, if it’s not there, we’re not touching it.” Right? These are the early days of the cloud as it related to law enforcement.

But now I am sure, actually I know that has quite since changed, right? 83%, right, of a company’s workload or organization’s workload will be stored in the cloud as a growing number of companies continue to move from private to public cloud. And even through the shared model, right, that gives you less control. So you can still enjoy, you know, secure security and ease of access, right?

And so, you know, I remember at one point when the cloud was starting to become an issue in digital forensics, we used to do this trick. It was, if you cut internet connectivity, so whether that’s on the mobile side or, you know, if you’re dealing with a computer, you know, if you cut internet access and internet connectivity, put it in airplane mode to give you an example, and you can’t access the data, or it’s not there, chances are it’s in the cloud, right?

Because, and, you know, certainly you can argue because information is cached locally and so you may be able to get certain parts of information, et cetera, however, more and more data that we are coming across as forensicators isn’t necessarily residing on physical devices anymore, right? We may get remnants. There is still a lot of data that is being cached and stored locally, however, more and more, we’re going to get lots of our data from the cloud.

And the question that I ask to us as a community is, are we doing enough to understand the cloud, right? Are we understanding the various sources of evidence that lie within the cloud, right? Are we training our investigators from a, when we think about, you know, what I call the people processes and technology, right?

Do we have the people that are adequate and trained in performing cloud investigations, performing forensics in the cloud, right? Do we have people, you know, that are able to support our investigations in the cloud, right? When we have an infrastructure support team, when we have our IT, is our IT capable of doing this, right? Are they doing that, right?

And then when you think about the processes, right, what is our process for conducting investigations in the cloud or collecting sources of evidence in the cloud, right? Do we have the processes in place, right? From a policy perspective, but even from a legal perspective, right?

That you may want to, you know, go and sit down with your prosecutor, sit down with your general counsel or your legal counsel, sit down with your AUSA and to say, “Hey, we have indications to believe that there’s some data that’s stored in Ashburn, that’s stored in the UK, that’s stored in LA, and what can we do and what can we not do based off of, you know, different laws and privacy considerations?” right? There’s a lot that goes into thinking through the legality, right?

And so one of the most important things that we do here at Magnet, and when you’re using things like Axiom with the Cloud add-on, or you know, for those Legacy or Axiom Cyber and other things, the most important thing when you are acquiring data from the cloud is, I have the legal authority to acquire this information. There’s a little check box, right?

It’s very important, right? Yes, the technology is there, you know, organizations like Magnet Forensics have given forensicators the ability to acquire this data. However, you know, as we’ve all learned, you know, many of you, you know, who have been around for a while, you know, CYA and understanding that in the early days of forensics, right, some of us, you know, had gotten beat up and learned, you know, lessons, but most importantly, you want to ensure you have your legal authority.

And it’s very important as we’re talking about the cloud, because data may not be within your jurisdiction or even your country, right? And it can get very complicated.

And so something to think about as, you know, it’s here, right? It’s no longer “Oh, like, we’ll deal with it.” Like, the cloud is here and it’s very important. Social media, right? I mean, I wish I could make this a little bit more visible, but there’s just so much going on as it relates to social media, right? You know, and a huge shout out to Conversation Prism, if you’ve never heard of it, I highly recommend that you go check it out. You know, I was introduced to it myself last year and really spent some time digging into that.

But, you know, as they say there in the infographic, right. Like, they debuted in 2008 as social media was expanding everywhere. And ultimately, for us as digital forensic examiners investigators, right, these are all sorts of evidence, right? And you never know, you know, whether your investigation will take you down the road where you are examining an application for Eventbrite, right?

Because the person that you, or the subject, or the, you know, maybe your investigation leads you to, hey, events that have happened in the past, you may have an app that was installed, you may want to know, you know, where somebody has been. But certainly on the messaging side, right, we’ve spent a lot of time as a community, really diving deep into various different messaging platforms, right, and understanding the various different sources of evidence, right?

And so, messaging is just one, as you can see there and we’re going to move around the wheel here, or prism, if you will, like, social media and messaging is just one notch here in this prism, right? When we used from crowdfunding, right, that’s certainly one.

Travel and hospitality, right? There’s been many times I know I’ve been asked, “Hey, like, is there anything we can get? You know, certainly we have legal processes that we can subpoena the different, you know, airlines and stuff, but like, is there anything you can get from their travel or hospitality, you know, their Marriott app that they have installed on their phone and things of that nature or on the computer?” And certainly from a browser perspective, we certainly can, but, you know, just think about the various different applications that are there, right?

Social networking, I mean, goes without saying, right? Depends on, you know, where you’re at in the world. You know, you may be joining us here from other parts of the world that don’t use necessarily Facebook and Twitter, right? So you see things on there, other ones that I’m not necessarily going to name, but you should certainly be able to see them and to say, “Hey, like, yeah, like, here in our region, like, we need to be able to get information from this social networking.” right?

And again goes back to the question, when it comes to forensics, like we need to be able, you know, to find a way, right? Is it on disk? Is it in the cloud? Are there other ways in which we can acquire this data in a forensically sound manner, right?

Certainly blogging and micro blogging, right, goes without saying, we’ve seen a lot of cases of influencers if you will, or I should say, “influencers”, who unfortunately have, you know, become subject of investigations. And so being able to understand and know the various different blogging services out there may be of importance right there, right?

And kind of the list goes on there and I’m not going to go into every single one of them, but certainly I’ll skip down to the business networking, right? Like, you know, business networking, like, things like LinkedIn and things could certainly be sources of evidence for us, right?

And you may have never thought that all of these different applications and all these different platforms may ever pop up in your investigation, but you won’t know until it does, right? And so being able to keep track of all these different things, right, we need to figure out a way that we can support them as well as understand that this is only going to grow.

And just to give you another statistic here, you know, from the Pew Research Center, it said that 84% of US adults from the ages of 18-29 are active social media users, right? So this number falls slightly to 81% for the people between the ages of 30-49. And then again, drops again for those individuals from the ages of 50-64, I think to 73%. And then obviously, US adults who are 65 years and older utilize social media the least, right?

And so, as a society, right, again, we talk about that digital transformation, we also have to look at society, as well, right? To say, okay, we are now inching to where we are going to get like 95% of all people globally eventually, that are active in social media of some form, right?

And you may say, “Oh, well, I don’t have social media cause I don’t use Facebook or Twitter.” Well, guess what? All these other things around here, right, you use Yelp, right, you use OpenTable, you use Dropbox, right? Like, you know, there’s a lot here to think about as relates to social media and a lot of things that we may not necessarily classify or quantify as social media. Again, they become sources of evidence for investigators.

Cryptocurrency, Bitcoin, Dogecoin, all the different coins that are out there. And all the, you know, I could go on about, you know, NFTs and in the nefarious activity that is happening with those. But, you know, we see in last year here in the United States that our Deputy Attorney General Lisa Monaco had announced the creation of the National Cryptocurrency Enforcement Team to tackle complex investigations and prosecutions of criminal misuses of cryptocurrency, particularly crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure actors, right?

There’s a lot to unpack here as it relates to Bitcoin and cryptocurrency, right? Cryptocurrency is here, right? You know, I’d love to see a stat, right? You know, we saw that stat here about 90% of all crime as having a digital element. I’d be curious, maybe for those of you listening here, maybe this is a research topic that you could find even in, you know, at the local level to see, you know, local and state level and certainly at the federal level, you know, from DOJ and other agencies like Treasury, but how often do you come across cryptocurrency, right?

And is this a source of evidence that we’re missing, right? And although we are not necessarily financial, you know, forensic accountants, you know, we however, are the interface, right, in being able to acquire and preserve data, right? We’re very good at that, right?

And so, you know, being able to understand to the ability that we can as investigators, you know, what we need to know and how to handle cryptocurrency investigations, right? You come across, you know, I’ll give you an example, you come across a cryptocurrency or, you know, Bitcoin mining farm, what do you do with that? From an investigative standpoint, do you pull the plug, or are you going to image the mining rig?

You know, how do we preserve this information and this evidence, right? How do we process it? Is there a forensically [sound] way that we process it, right? How do we successfully, when we were talking about cryptocurrency wallets, right? How do we seize a wallet? How do we get the address? You know, there’s a lot that goes into an understanding, right?

And again, I think one of the things that we need, and we did a very good job at this in the early days of forensics, you’re not going to necessarily be an expert at all these things, right? There’s going to be people, a part of our teams that are focused on the cloud, right?

But being able to have a general understanding, just like we did when it comes to operating systems, right, we need to transform to understand, “Okay, what are the basics that I need to know about cryptocurrency?” Because you’re likely going to run into it in investigations, right?

And so when we think about like, IACIS, when we think about HTCIA, when we think about all the different bodies and associations, again, we think about people, processes and technology, like, what do we need to do as an industry to get ready for this, right? Because it’s here. And there’s various different means in which we can do this, right?

Let’s take a jump to the future. Now, I mentioned cloud, but I didn’t get into the intricacies about the various different cloud platforms, right? There will be a time that, and again, depending on where you’re at, you know, and where you’re joining us here virtually, you may never touch many of these, right?

However, there will be a time where data may never be stored physically anymore. And all of our data is in the cloud, right? Well, going back to the people, processes and technology, do you have the people that are able to do forensics and understand sources of evidence in all of these platforms, right?

And you may say, “Oh, well, you know, we only use AWS and Google and Azure here in Oracle here in the United States or North America” where you’re joining us, well, what happens if a company, you know, forms here or a user decides, “Hey, I want to use the cloud, Oracle Cloud, right? Or Alibaba Cloud, or Google Cloud, or AWS, or Azure,” right?

Again, when I talked about the people, processes and technology here, have we thought about data that we may not be getting, or we may not understand, right?

And so while a lot of people are putting their eggs in different baskets, are we as an industry ready to transform to have that understanding of, again, like, I use the analogy of operating systems, right? We always needed a Linux guy or girl on our team. We always needed a mobile guy or gal on our team as well, right?

Will we in the future need someone or someones that are familiar or subject matter experts in AWS? Very likely. In Google? Very likely? In Azure? Very likely? In Oracle Cloud? Yeah. In Alibaba? No, no. Steve like, no, you’re like, we’re never going to see Alibaba.

I’m telling you, we need to transform as an industry in understanding what it’s like to perform investigations in these environments, as well as what are the different sources of evidence that we can acquire from these various different cloud platforms.

And then automation. I’m going to spend some time here. When we think about the future of digital forensics and incident response, I always love to say automation is not going to automate us out of the job. It is not, right? There are various different means of automation and various different goals of automation, right? The airline industry evolved from the way in which they flew planes initially to how they fly planes today, right? And a lot of that had to do with automation and computing and technology, right?

However, I think on every flight that we get on, I’m actually certain, we still have pilots, right? And so even with all the technology and automation and innovation, right, you still need pilots to fly a plane. And so that’s something that we can learn as an industry when we hear the word automation, right?

And so my challenge and charge to you and us as an industry is to embrace the future of automation, right? And what does that mean, right? When you think of automation, there’s certainly the machine automation, right? The automation of machines being able to do physical things, right? When you think about like, an assembly line and putting things together, building a computer, right. Automation certainly happens when it comes to process, right? There’s a lot of things that we do as investigators.

And we’re going to get back to why process and processes are important from an automation standpoint. On the innovation side of things, right, when we’re looking at, okay, wow, like, how can we continuously innovate, right, automation plays its role.

When it comes to autonomous things, right, it has its role, as well. From a productivity standpoint, I like to think of this from a productivity, from a work-life balance, from an officer wellness perspective, automation plays its role and we’ll touch on that, from a repeatability, I mean, I think we as an industry, we understand the importance of repeatability, right? When we think about, you know, testimony and being able, reproducible, you know, repeatability is very important, and then improvement, right? Being able to constantly refine and improve investigations and processes, right, go hand in hand.

So let’s talk about process, right? Like, automation as it relates to process. What is the future of automation as it relates to digital forensics and processes takes place, right? Being able to have our routine tasks that are done a certain way in accordance maybe with standards, maybe with policy and, you know, for your organization is very important, right?

And so there are many times that, you know, you will go, let’s just say, organization to organization or agency to a different agency, and their process is different, right? Their way of doing forensics is different. They use different tools, right? Being able to have someone come in and be able to understand and leverage an existing process that has been implemented is certainly key, right?

And we can go even deeper into process, right? We can even say, “Hey, well, with automation, if you see something, or if it’s this type of case, this is the process that we take in our forensic lab in order to conduct this investigation.”

From a productivity standpoint, we spend a lot of time, and we still will, and that’s another thing I should have, another mythbuster, if you will, over time, we’ll still be there, right? From a productivity standpoint however, I’d rather spend my time doing the things that I enjoy in being more productive, whether that’s learning, right?

And so, automation helps with that productivity. In forensics, we spend a lot of time doing a lot of manual processes, right? And so having automation increase our productivity will allow us to work what I call smarter, not harder, right? And then repeatability, repeatability, being able to have what we’ve done, repeat, be repeatable.

So that maybe say five, 10 years from now in a world where we have data that’s in the cloud, something comes through and says, “Hey, that case that you processed 10 years ago, it’s been brought back up through the court system. We would like this to be conducted and reproduced.”

And so, 10 years from now, you may not be doing forensics, right? The tools that you utilized back then, or even the operating systems may not be accessible. Well, imagine if automation can say, “You know what? They used Axiom on a Windows 10 machine running, you know, this firmware, this version,” and being able to automatically bring up a virtual desktop to show exactly how it looked like, and be able to repeat the process.

It will conduct forensics as it was back in the day, right? Automation can certainly happen with that, right? Imagine a world where we can click a button to say, “Okay, I want you to spin this up, look at it as it did back then, right?” Or being able to show this again in court, you know, utilizing automation again kind of goes hand in hand with process and productivity, but also repeatability, and then also improvement, right? We’re finding lessons learned very important as it relates to digital forensic and incident response.

Well, okay, we found all of these artifacts, right? Well, how can we, as an agency, as an organization, improve our process, our productivity, right? How can the tools and vendors that we utilize do this, right? And so automation can help, because automation can feed back lessons learned, things that were found, back into the process.

Imagine a world where you find a new artifact and you’re able to share that with every forensic examiner in your agency, every forensic examiner in your task force, every forensic examiner maybe in the world, right? Automation has that capability to provide this, right? It’s almost, I call it feed the beast, right? Improving, right? How are we refining, right?

When we think about, you know, CSAM and, you know, there’s a lot that automation can do here, right, to help us improve, right? When it comes to malware, right, you know, we look at known pieces of malware, a lot of this is being done, right, kind of in a manual way, but being able to utilize automation.

Because just imagine that something happens and being able to automatically notify people across the world, “Hey, we’re seeing this type of thing happen so that everyone can see,” and it’s already refined into someone else’s process, right, you know, and improving again, that collaboration, that communication and ultimately providing that customer service that we do.

But again, when we look at automation, right, from a people process and technology standpoint, automation can help us in all of those three categories.

Well, all good things must come to an end. And this presentation here was certainly one that was very, very near and dear to my heart. Because as an industry, one of the things, like I talked about was the people, processes and technology, right?

And so, as an industry, we need to start to think and strategize on how we’ve done things in the past from a people, processes and technology standpoint, and really think about a lot of the slides and stuff that I shared about the current state of affairs, right? You know, could have added things in there like encryption, right? And we could probably go for another 50 minutes, if you will, talking about encryption and the issues of going dark, but really thinking about where we’re at today and what we can do to evolve, to meet the needs of today and also tomorrow, right?

Like I said, automation may be part of that answer. It’s not going to necessarily answer everything, right? There are other things that we can do, right? And certainly here at Magnet, we’re doing a lot on the innovation side, on the technology side, in being that trusted advisor to organizations thinking about, “Okay, let’s think strategically.”

Okay, we may not be able to help you from a people standpoint, but we may be able to help you from a process and technology standpoint, which helps those inefficiencies that you may get when we think about the workforce shortage, right? When you think about the cloud, right, you also want to think about, “Are we doing enough? Are we missing evidence, right? And what can we do to shore up those defenses?” right?

From a people, process and technology standpoint, Magnet has, you know, really done a great job in investing certainly in its people, but certainly from giving back to the community in terms of helping the community think through these processes and think through the technology in better ways that it can serve the community.

And so, you know, as a Director of the Magnet Digital Investigation Suite, I want to thank you for joining us here virtually. Again, I hope to see you wherever we are at in 2023. And be sure to, again, check out the Magnet Digital Investigation Suite, and hope you have a great day. Thank you.
