For this interview I have had the pleasure to speak with someone who is so prevalent in DFIR, is very highly thought of, and whom it was a pleasure to get the chance to chat with.
I have been trying to learn Python for what seems like forever, and it was where I first spent any kind of time with Alexis, as I watched class 0 of the DFIR Python Study Group.
Anyway, a fantastic interview and I hope you enjoy it 😊
How long have you been in the DFIR scene and how did you get there?
I’ve been in federal law enforcement for the last 15 years and focused on digital forensics since 2011. Back in 1996 there were no digital forensics degrees; heck, I wasn’t even aware of the existence of the digital forensics field until I started working at my agency in 2007. My undergraduate degree is in Computer Science, back in the day when secure coding and penetration testing were not widely discussed topics. One thing that led me into programming was the fact that it enabled me to create actions (programs that did things) just by using literal words (via a programming language). How amazing was that? Still to this day it is one of the most amazing things for me to realize.
While doing Sysadmin work at my alma mater, I pursued and finished a master’s degree in Management of Information Systems. During the process I came across a job advertisement. There was a need in federal law enforcement for folks with a computer science background. I immediately applied and after a long process I was lucky to be hired.
After doing regular investigative work I was moved to work computer related matters as a Cyber agent, as opposed to being the computer guy agent, the way folks in the office colloquially called me. Seeing a local need for properly trained, prompt and efficient management of digital evidence, my agency saw fit to train me both internally and externally as a computer forensics examiner, a position which has now been correctly renamed digital forensics examiner.
I believe and know that government work is honorable work. Some of the most positively impactful and rewarding experiences in my life have come through my work as a public servant. If I could go back in time and change it I wouldn’t. I would do it as is all over again.
I first really became aware of you from the DFIR Python Study Group on YouTube, and I would love to attend one when I catch up a bit, as I am currently learning. How important do you think a programming language like Python is nowadays?
I believe there are two skills that digital forensic examiners should seek to develop proactively: coding/scripting & reverse engineering. These are skills that are key for information security practitioners. It is good to have mastery of information security tools and how to apply them but, what happens when the new attack vector is not made plain by current tooling? What happens when the malicious code is hiding behind encryption and obfuscation? What can we do when the evidence is hidden in terabytes of logs like a unique needle is contained in a haystack made out of needles? Coding, which is another way of saying automation, will be the only solution. Being able to reverse engineer malware, apps, processes, and systems is the only way to find the truth of things that have happened and whose remnants are waiting for us to find them.
I decided to use Python as my main scripting language because of how widely it is used in the digital forensics field. The deep and numerous coding libraries available allow practitioners to leverage the work of others in order to build new things quickly and easily. There is nothing wrong with using other, maybe even newer, programming languages. Python is 31 years old, and it is still a solid choice for any programmer. It is one of the most, if not the most, used scripting languages on the planet, and for good reasons.
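As an added example of the "needle in a haystack made out of needles" point above (my code, not Alexis's and not from any of his projects), the script below streams an SSH auth log line by line so a multi-gigabyte file never has to fit in memory, keeps only the events whose source address is on an indicator list, and flags a source that failed authentication before it finally succeeded. The log lines, host names, user names and IP addresses are constructed for illustration, and the indicator list is hypothetical.

```python
"""Stream a large auth log and pull out events tied to an indicator list.

Added example: every log line, host, user and address below is constructed
for illustration and is not from any real case. IOCS is a hypothetical list.
"""
import re
from collections import Counter
from typing import Iterable, Iterator

# Constructed sample; one line (the cron entry) is deliberately not an SSH event.
SAMPLE_LOG = """\
2023-01-05T08:12:01Z host01 sshd[1201]: Accepted password for alice from 10.0.0.5 port 51522 ssh2
2023-01-05T08:12:44Z host02 sshd[1304]: Failed password for root from 203.0.113.7 port 40011 ssh2
2023-01-05T08:12:45Z host02 sshd[1304]: Failed password for root from 203.0.113.7 port 40011 ssh2
2023-01-05T08:13:10Z host03 sshd[1990]: Accepted publickey for bob from 10.0.0.9 port 51600 ssh2
2023-01-05T08:15:02Z host02 sshd[1310]: Accepted password for root from 203.0.113.7 port 40020 ssh2
2023-01-05T08:16:30Z host01 cron[2200]: (root) CMD (run-parts /etc/cron.hourly)
"""

IOCS = {"203.0.113.7"}  # hypothetical indicator list

# OpenSSH-style auth lines; anything that does not match is passed over.
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per SSH auth line, lazily, so memory use stays flat."""
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            yield m.groupdict()


def sweep(lines: Iterable[str], iocs: set) -> list:
    """Return the auth events whose source address is on the IOC list."""
    return [ev for ev in parse_events(lines) if ev["src"] in iocs]


def summarize(hits: list) -> dict:
    """Count Accepted/Failed per (src, host, user)."""
    return dict(Counter((h["src"], h["host"], h["user"], h["result"]) for h in hits))


def first_success_after_failures(hits: list) -> list:
    """Return (src, host, user) tuples that saw a Failed before an Accepted.

    Relies on hits being in file order, which for an append-only log is
    chronological; sort by timestamp first if the input was merged from files.
    """
    seen_fail = set()
    flagged = []
    for h in hits:
        key = (h["src"], h["host"], h["user"])
        if h["result"] == "Failed":
            seen_fail.add(key)
        elif key in seen_fail and key not in flagged:
            flagged.append(key)
    return flagged


def sweep_file(path: str, iocs: set) -> list:
    """Same sweep over a file on disk; iterating the file object reads one
    line at a time, so the whole log is never loaded into memory."""
    with open(path, "r", errors="replace") as fh:
        return sweep(fh, iocs)


if __name__ == "__main__":
    hits = sweep(SAMPLE_LOG.splitlines(), IOCS)
    for h in hits:
        print(h["ts"], h["host"], h["result"], h["user"], h["src"])
    print("failed then succeeded:", first_success_after_failures(hits))
```

Only the parsed events that matter are materialized; everything else is consumed and discarded by the generator, which is what makes the same code usable on logs far larger than RAM.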
In one of the posts on your site, “Initialization vectors”, you go over how putting out free Digital Forensics and Incident Response (DFIR) content, be it blogs or tweets, is a time-consuming endeavour (it really is, trust me), and I wondered: given that you teach, work, have a blog, research, write scripts for the community, etc., how do you manage to not let it get on top of you?
When I started coding at work it was because I wanted to save time on tasks that third party tooling did not support or was really slow at. As I started to find more things to automate, I came to the realization that other examiners might find the automation useful as well. It then became a matter of thinking how to make a platform that would manage the most boring and repetitive stuff (like finding files and making reports) for me so I could focus only on the relevant stuff. This is the upfront cost that consumes a lot of time. Thankfully, I have been extremely fortunate to have folks in the community participate in these coding projects. It is not a one-person show but a true community effort to help and learn from each other. I thought that after all of that I would have more time, but if there is one thing the universe hates, it is a vacuum, so new responsibilities and interests rapidly appeared to take up that space.
At the end of the day, I believe it is all about recognizing that we only have one life, and that time is limited. That what we do is important but not more important than ourselves and those that love us. It is not easy to keep that balance, the need is always great, but we still have to constantly try to make time to take care of our mental and physical health.
In your first post, in May 2017, you said “DFIR is a fast-moving field and to be current you have to not only learn from others but also try and humbly give back.” You have definitely given back, but how do you keep current? What does Alexis do?
The first and most important way to keep current is to follow and be part of the Infosec/DFIR community. I was made aware of the community through Twitter and continue to be part of it via the infosec.exchange Mastodon instance. I am also part of the DFIR Discord Server and the IACIS mailing list, and try to keep myself updated on the latest DFIR blog happenings by reading ThisWeekIn4n6.com. I also try to go to conferences, like BSides, for in-person networking and learning. If there is something we have now that we didn’t have back in 1996, it is a rich and vibrant Information Security community and culture.
I have found, since moving more specifically towards DFIR these last 2 years, how nice and helpful everyone is. Have you always found this, that everyone is kind of in this together?
I think that for the most part the community is accepting and helpful. I think the community polices itself quite effectively. That being said, I do believe there is work still to be done in lifting and recognizing the work of women, minorities, and other disadvantaged groups in the field. I believe we all have a tendency to look for partners and associates that look/think like ourselves, and that just leads to a limited world view, a limited set of solutions for matters that affect all. Everyone being together necessitates the recognition and expansion of who we consider, in action, to be everyone.
If you could go back to when you were just starting, what are three skills you would tell yourself to get learning ASAP?
1) Public speaking. I was fortunate in that my upbringing instilled in me the value of public communication and how such is nothing to be afraid of. Public speaking is something that can be mastered through practice and dedication like any other skill. Information security necessitates us to be able to explain complex matters in ways non-technical stakeholders can understand. From executives to juries to the grandma as we teach her how not to fall prey to scammers. Information security professionals are, in my opinion, communicators first and last.
2) Learn a language. Spanish, Japanese, French, any, or multiple ones. Having such skills not only opens doors but it also expands your mind. I believe it makes learning programming languages easier because I feel it hits the same areas of the brain. I will say I’m not a brain scientist, but I did stay at a Holiday Inn last night.
3) Make reading a true habit. Reading teaches you to concentrate for long periods of time without interruption. I am part of the last generation that grew up without computers or the internet, which now has full access to all of these. Our devices, websites, and apps pull us in different directions all at the same time for short, discrete periods of time. Only by making reading a habit can we reconnect with the feeling of being able to accomplish a lot in a short timespan.
As I grow in my DFIR skills I want to dabble in mobile forensics and app forensics as something different, as my day job is more Windows, Windows Server, Linux, etc. How easy is it to set up a lab and what would be needed?
The immediate present and future is and will be mobile. If you ask any digital forensics examiner what devices constitute the majority of their workload they will tell you, without exception, that it is mobile devices.
There are many ways to set up a personal mini-lab. For Android the most cost effective way is to use virtualization. There is a plethora of Android virtual machines that can be used for testing and research. As long as the virtual machine has root access enabled one can learn all sorts of things with such a setup.
iOS is a little more difficult. Virtual machines for iOS exist but come at some financial cost. One can get some older, and jailbreakable, iOS devices and use those for testing. There are many online guides that can be used as a template.
How have you seen mobile forensics change over the years? Is there much malware in it still, and how do Android and Apple differ when researching them and the apps they use?
I take my hat off in honor of reverse engineers and how they are able to take an APK, for example, and analyze malware with such skill and detail. As a digital forensics examiner I focus more on finding the malware to then pass it on to the reverse engineers. There are multiple behavioral techniques that can be used which are quite similar to how it is done in other, non-mobile environments. For example, you can look at app permissions, battery usage, storage access, and system log output to find malware in mobile devices. And these are just a few. The field is ripe for continuous growth for sure.
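Alexis lists app permissions, battery usage, storage access and system log output as behavioral signals an examiner can use before handing a sample to a reverse engineer. As an added example (my code, not Alexis's and not from any of his tools), here is how the first of those can be automated in Python: parse a package inventory written in a simplified form of what `adb shell dumpsys package` prints, then flag apps whose requested permissions form combinations that deserve a closer look. The sample inventory and its package names are constructed, the combination rules are a hypothetical starting point rather than an authoritative signature set, and the store-installer list assumes the Play Store's package name is the only "trusted" installer.

```python
"""Triage an Android package inventory for permission combinations worth a closer look.

Added example: the inventory below is constructed (invented package names) in a
simplified form of `dumpsys package` output; RISKY_COMBOS and STORE_INSTALLERS
are hypothetical starting points, not an authoritative or complete rule set.
"""
import re

SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.notes] (1a2b3c):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.WRITE_EXTERNAL_STORAGE
  Package [com.example.flashlight] (4d5e6f):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.SEND_SMS
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.READ_CALL_LOG
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.weather] (7a8b9c):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_COARSE_LOCATION
"""

# Each rule fires only when ALL listed permissions are requested. Any one of
# them alone is legitimate for many apps; the combination is the signal.
RISKY_COMBOS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_fraud": {"android.permission.SEND_SMS", "android.permission.INTERNET"},
    "sideloader": {"android.permission.REQUEST_INSTALL_PACKAGES", "android.permission.INTERNET"},
    "call_log_exfil": {"android.permission.READ_CALL_LOG", "android.permission.INTERNET"},
}

# Assumption: only the Play Store counts as a store install; anything else
# (including installerPackageName=null) is treated as sideloaded.
STORE_INSTALLERS = {"com.android.vending"}

PKG_RE = re.compile(r"^\s*Package \[(?P<name>[^\]]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(?P<inst>\S+)")
PERM_RE = re.compile(r"^\s+(?P<perm>[A-Za-z0-9_.]+\.permission\.[A-Za-z0-9_.]+)\s*$")


def parse_dumpsys(text: str) -> dict:
    """Return {package: {"installer": str | None, "permissions": set}}.

    Only the 'requested permissions:' block is collected; the parser leaves
    that block as soon as a line stops looking like a bare permission name.
    """
    apps = {}
    current = None
    in_requested = False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group("name")
            apps[current] = {"installer": None, "permissions": set()}
            in_requested = False
            continue
        if current is None:
            continue
        m = INSTALLER_RE.match(line)
        if m:
            inst = m.group("inst")
            apps[current]["installer"] = None if inst == "null" else inst
            continue
        if line.strip() == "requested permissions:":
            in_requested = True
            continue
        if in_requested:
            m = PERM_RE.match(line)
            if m:
                apps[current]["permissions"].add(m.group("perm"))
            else:
                in_requested = False  # a different section started
    return apps


def triage(apps: dict, store_installers: set = STORE_INSTALLERS) -> list:
    """Score each app: one point per matched combo, plus one if a flagged app
    was sideloaded. Returns findings sorted highest score first."""
    findings = []
    for name, info in apps.items():
        matched = sorted(c for c, need in RISKY_COMBOS.items() if need <= info["permissions"])
        sideloaded = info["installer"] not in store_installers
        score = len(matched) + (1 if matched and sideloaded else 0)
        if score:
            findings.append({"package": name, "score": score,
                             "combos": matched, "sideloaded": sideloaded})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(parse_dumpsys(SAMPLE_DUMPSYS)):
        print(f["score"], f["package"], "sideloaded" if f["sideloaded"] else "store", f["combos"])
```

The output is a shortlist, not a verdict: the flagged package is what gets pulled from the device and handed to the reverse engineers, and the rules should be tuned against the legitimate apps seen in your own casework.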
You, along with loads more, are now on Mastodon. How can you see it growing next to Twitter? Do you think they will co-exist in the future? I am interested as I still haven’t made the move myself and am waiting to see how it all pans out.
Mastodon, like Twitter before it, is just one of the places I put content out and receive content in from others. Nothing in life is permanent. Twitter, or any other service, is just a platform. They will come and they will go. The people are the actual community; where the community is, I will try to be. I am grateful that Infosec community members tend towards empathy, respect, and understanding. I’m proud to be part of it.
What are the plans for 2023?
More research, more coding, more innocent people being helped and more perpetrators getting caught. And in between all of that, spend time with loved ones, making sure that at the end I used my time.
Check him out at the following places.