October 6, 2020
2020 Key Influencers in DFIR
Like many industries, there are influencers – those who contribute to the profession in ways that go far above-and-beyond typical members of the community, whether it be by sheer volume of notable work, publications, time & effort put forth, etc. In digital forensics, those influencers may stand out even more because of the exclusive and specialized nature of the work we do and the relatively small community in which we work. Some are daily contributors while some share their knowledge and experience with a measure of humility or quiet dignity. I’ve chosen to highlight five such personalities in our industry for this article. They have not paid me, I don’t know all of them personally and I may never have even spoken to one or more of them, but their contributions to our field are valuable and deserve recognition. In compiling this list, I attempted to run the DFIR gamut of key computer forensic influencers, mobile device forensic influencers, incident response influencers and those who may influence all of the above and/or a different specialty that is more on the periphery of our industry. So, at the risk of spawning much heated debate, let’s go!
Key Influencer #1: Eric Zimmerman
As an X-Ways Forensics user for the past several years, I’ve also found the book X-Ways Forensics Practitioner’s Guide – which Zimmerman co-wrote with another awesome influencer, Brett Shavers – to be an invaluable resource. Sure, I’ve been through the XWF Level 1 & 2 training, but sometimes I don’t remember every single tidbit of the 56 hours or so of those courses, so this book is a super helpful reference guide for both new and experienced XWF users. I think both Zimmerman and Shavers would tell you that if you’re not using X-Ways Forensics in your PC analysis, you’re wrong :).
I’d also be remiss if I didn’t mention Eric’s participation in the IACIS list serve. If anyone has a question, Eric frequently chimes in with a pointed, yet helpful response. Heck, sometimes he even makes me laugh! We are truly a better community for Eric being a part of it and sharing his vast knowledge, skills & abilities with us all.
Key Influencer #2: Heather Mahalik
As far as helpfulness, willingness to share their knowledge, ability to test theories and publish the findings we need to know in the ever-changing landscape of mobile forensics – and just plain giving back to the community – I’m not sure any influencer in our industry is as generous as Heather. Heather’s ongoing blog, Smarter Forensics, frequently jumps on the most current issues with testing of new operating systems and/or applications, validating the findings and putting the initial impressions and impact on our industry in a simple, concise, easy-to-understand format (for example, see her blog on iOS 14).
Also very active on the IACIS list serve, Heather always seems willing to answer any questions members may pose, particularly with regard to the functionality of Cellebrite and the tool’s ability (or lack thereof) in decoding, parsing, searching, etc. Anyone who does mobile device analysis can see why Cellebrite hired her – in addition to being a virtual walking encyclopedia of mobile forensic knowledge, she’s a terrific ambassador for the company and a vocal proponent of all the great things we can analyze, report and testify upon with regard to mobile device evidence. She also hosts a regular webinar discussing current trends in forensics. She truly gives of herself, her time and her knowledge to help us all out consistently and is clearly passionate about our field.
Key Influencer #3: Harlan Carvey
Harlan has also contributed to our community with his free, open source tool, RegRipper, which does exactly that – rips through your (exported) suspect system registry files to present a clear, concise view of the artifacts contained therein. While many of us don’t, it’s true that you can perform forensic analysis on PC (and Mac) systems with mainly open-source tools, and if you’re going to do that, I suggest that RegRipper be one of your main, go-to tools in the toolbox. It’s a fantastic contribution to our community. Also on Harlan’s GitHub are presentations that he’s given and other tools/tips that he has shared for the benefit of everyone.
Keeping in line with the “giving of self” theme that is a large component of a contributor to our community, I recall reading a proverbial “tip of the hat” about Harlan, which I believe was written by the aforementioned Brett Shavers. He stated that Harlan never hesitated to answer his questions and give him guidance. He was always open, willing and gracious (paraphrased). I have also seen a bit of this from Harlan myself. He frequently contributes substantively to conversations on LinkedIn and provided some welcomed guidance to me personally with regard to launching into the incident response realm. Many of our colleagues simply ignore requests or don’t have the desire to take the time. Harlan is not one of them. He is thoughtful and generous… And he’s forgotten more about incident response than I’ll probably ever know. Harlan also wants you to contribute. He truly recognizes DFIR as a collaborative community, so if you can pitch in to make RegRipper a better tool, Harlan wants to hear from you!
Key Influencer #4: Hawk Analytics
Ok, I recognize that a for-profit company may come with a bit of an asterisk on this list, but stick with me…
I’ve been acquainted with the folks at Hawk Analytics for several years and have attended their training. In case you’re not familiar, Hawk Analytics makes a tool for cellular records analysis called CellHawk, which helps analysts map and display cellular and other location records. The tool also helps identify known associates by phone number, frequent locations, patterns of usage, incorporates an animated timeline of usage and more. If you are involved in the analysis and mapping of any records with date, time and GPS coordinates – like records for ankle monitors for sex offenders or those out on bail or parole – CellHawk is a must-have tool. It’s robust, flexible and keeps improving.
But what separates the Hawk Analytics team from others in the industry is their passion and dedication to getting to the facts. They do not speculate about things which they are either not trained in or the tool isn’t equipped to handle. Many analysts who are involved in these types of cases erroneously attempt to estimate radio frequency range of cell sites. This is bad practice without specialized equipment and the team at Hawk Analytics knows this. Founded by former cellular engineer Mike Melson, Hawk Analytics and their team genuinely have a desire to do good. Many times behind the scenes, Mike and his team will assist agencies with search & rescue to help find missing and/or endangered persons, despite having families of their own and the obligations of running a company. Even if you’re not a CellHawk user, their team will be more than willing to discuss quirks or anomalies in your record returns or assist with interpretation based upon their vast experience. Even though I may do independent CDR analysis for criminal defendants, they’re always willing to help because they are guided by the truth and don’t engage in conjecture or speculation.
In the spirit of giving to the community, Hawk Analytics also has a free toolbox, which will help you identify the cellular carrier for phone numbers in your case and even compile a preservation letter or search warrant template for you at the click of a button. Did I mention it’s all free? Mike and his team truly epitomize professionalism and seek to make a positive difference in their own little corner of the world (i.e., their expertise). If you value integrity in your vendors, Hawk Analytics is definitely the way to go.
Key Influencer #5: Larry Daniel
Lastly, in a departure (and perhaps a surprise to some), I’d like to give recognition to Larry Daniel of Envista Forensics as being a key influencer in our field. Having transitioned from law enforcement to the private sector, I have known Larry both in my former life and my current one. Some of you may not know Larry while some of you may have gone up against him in court. To be clear, Larry and his company are essentially business competitors of ours, but that’s sort of like saying your local corner convenience store is a competitor with Walmart, as Envista is a much larger operation than Pro Digital and they conduct all manner of forensic analysis, not just digital forensics. Regardless, I’ve come to know Larry as a savvy businessman and a very knowledgeable and formidable forensic and cellular records analyst. I respect Larry not only for his business acumen, but for his tenacity. Larry didn’t have the advantage of the government or a huge corporation sending him through digital forensic training – he did it all himself and learned it from the ground up. He is, as his son and co-worker once described him to me, a “serial entrepreneur”, but one that has had a great deal of success on the private sector side of our industry.
Patrick J. Siewert
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!
Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia USA. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history. Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He is a Cellebrite Certified Operator and Physical Analyst and Instructor, as well as certified in cellular call detail analysis and mapping. He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Pro Digital LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc
Patrick Siewert LinkedIn: https://www.linkedin.com/in/patrick-siewert-92513445/