The Magical World Of Digital Forensics With Jason Jordaan

TL;DR

Here are a few points which stood out for us:

  • As the technology moves rapidly, one key skill for success in digital forensics is constant learning. Stay up to date with new tools and technologies like GenAI and quantum computing; these bring new challenges and opportunities to digital forensic analysts.
  • For digital forensics, one of the key factors for success is documentation, in as much detail as possible, because leaving even a tiny gap in the record could derail the entire investigation.
  • To help with digital forensics, organizations can do some basic preparation: set up logging, train employees in basic forensics techniques, partner with vendors, and have playbooks in place.

Transcript

Host: Hi everyone, this is Purusottam and thanks for tuning into ScaleToZero podcast. Today's episode is with Jason Jordaan.

Jason is a cybersecurity professional with expertise in digital forensics, incident response, e-discovery and cyber crime investigation. He served for 18 years in law enforcement as a detective and digital forensic examiner before moving into the private sector. So thank you so much, Jason, for joining the podcast and sharing your knowledge today.

Jason: Thanks Puru, it's really a great pleasure and a great honor to be invited onto the podcast and I'm looking forward to having a discussion.

Host: So let's get into it. So, but before I start, I want to understand like anything you want to add to your journey. I just keep it two-liner in a way, right? Anything you want to add to your journey.

Jason: Well, it's been a long journey and I suppose I'm still on it. You know, they say it's not about the destination, it's about the journey. I think, you know, my journey has been kind of an interesting one, growing up as a kid in the 80s with the start of the personal computer revolution and, you know, falling in love with computers and then ultimately ending up in law enforcement and being a cop nerd and, you know, my career just kind of naturally evolved into the field.

And I suppose, you know, I mean, if you think about when I was a kid, I wanted to be an astronaut. Clearly I ended up going along a completely different path, but still no less an exciting kind of career field to be in. So, yeah, as I'd say to anyone, you just sort of follow your dreams and enjoy the journey. Life is worth living.

Host: Yeah, and I guess, like since you have worked in the police department, you might have some discipline and everything built into you, right, compared to any other cybersecurity professional I can imagine.

Jason: Yeah, I mean, yeah, so for me, what I've noticed is, you know, just working with a lot of different cybersecurity professionals around the world, a lot of them do seem to come from either police background or a military background or a law enforcement background. You know, and if I think of the friends that I've made over the years, that's kind of been the thing.

And I think that discipline does play a role, you know. For me, it's not just about making money. Obviously, we all want to make money and make a living, but it's about serving a cause greater than yourself and trying to make the world a better and safer place. I think a lot of people that come from those disciplines and backgrounds almost naturally gravitate into that cybersecurity domain. I do think the discipline does play a role. That ability to stay focused, that ability to handle pressure, that ability to effectively deal with bad people doing bad things and not lose your mind while you're doing it, I think is really, really a huge advantage.

But it's not to say, I mean, I've also worked with some amazing people in my career that have never come from the military or the police or from the intelligence services that also have just as much skill and just as much resilience. So… So I think maybe for those of us that came from that background that we were taught discipline, if that makes sense, but I've seen people that didn't come from that background that have their own ways for self-discipline. So people that were maybe martial artists or they were good at sport or they were good at academics, just anybody that had that ability to focus their discipline is really kind of geared for success in this field, I think.

Host: Yeah, that's a great way to start the podcast, obviously, like talking about the role discipline plays in your career, right? It doesn't have to be like, it doesn't matter where, what background you are coming from. If you are disciplined enough, you can excel in any field, right? Not just in cybersecurity, but in any field.

Jason: Exactly. Exactly. I think that's almost more a life lesson than a cybersecurity lesson. And I think, especially for those of us who are parents, we try to kind of instill that into our kids at some point. But yeah, I think discipline, that self-discipline, is the key to success.

Host: Yeah, absolutely. So one question that I ask all of our guests and we get different answers based on different career paths and things like that. What does a day in your life look like?

Jason: Haha! I can tell you one thing, no day is ever exactly the same. I think for anybody working in forensics, literally every case is different. So I can kind of tell you what a typical day might look like when I work at the lab.

Getting into work, getting into the lab, checking the progress on current cases, because obviously as the head of the lab, as the principal forensic analyst, I have a role to play in overseeing the lab operations and quality assurance. But I'm also actively engaged as a forensic analyst. So basically once I've done all my kind of supervisory duties and quality check duties, I will pick up on the cases that I'm working on myself. And then it's really just getting my hands dirty looking at the evidence. So understanding the case that we're investigating, following the clues, following the leads and ultimately building up that case.

And that's… I mean, honestly, that's kind of what a day in my life looks like. You're constantly chasing the bad guys, even if it's in virtual kind of cyberspace, but you're constantly looking for that next clue, that thing that just kind of solves the case. And when you find it, that sense of exhilaration of like, wow, I've got it, is there. And that's why I say no day is literally the same. And then on the flip side, when I'm not in the lab doing work, and I'm teaching for the SANS Institute, like I'm currently doing in Doha, every day is engaging with my students and sharing my love and my passion and my knowledge for the field that I'm in and having these amazing discussions and sort of hopefully trying to inspire the next generation of practitioners.

So like I said, no two days are exactly the same in my career, which I absolutely love because I think I would be bored to hell if every day was the same. But it's exciting. It's, you know, because you never know what to expect. And you know, also just as a practical aside, bad guys don't care about our life plan. So you know, you could have this most amazing day played out. And all of a sudden, you know, the bad guys attack one of your clients, then all of a sudden, all hell breaks loose. And no matter what you've planned for the day, you've got to drop everything and deal with it. So

So literally there's no such thing, I suppose, as a typical day, which, like I said, keeps the profession quite nice. But at the end of the day, like I said, my typical day is doing what I love doing. And I know it sounds weird, but it's waking up in the morning happy to do what I do and going to sleep at night feeling fulfilled that I've done a good job.

And that's… That's kind of my typical day. You know, I wake up happy and I go to bed tired, but usually happy.

Host: That's amazing. That's amazing. I hope we can touch on some of these areas. What makes you happy? Like how do you get to that aha moment, right? That you got a bad guy or something like that.

So today we'll be focusing primarily on digital forensics. And you have been in the field of digital forensics for some time, including your experience at South African Police Service.

So what are some of the most common types of digital evidence that you have encountered in your investigation like is it mobile devices, computers?

Jason: So obviously having been doing this for a long time, I've kind of seen the evolution of the digital landscape. So when I started doing digital forensics, you were generally dealing with computers, desktops and laptops, and occasionally maybe a server. And then obviously as mobile phones became more common, we started to deal with more tablet computers and more mobile phones. So it's… you almost got to a point where it was almost like a 50-50 balance between the two. Now, we started to see more mobile devices.

And to be quite honest, these days a mobile device is basically a computer anyway. That iPhone that you've got in your pocket that's 512 gigs, I mean, that's the same as an SSD hard drive on most laptops these days. So fundamentally, there's no difference in the devices.

But obviously with the change in the digital landscape, we're also seeing a lot of evidence being cloud-based now. So whether it be virtual machines sitting in a cloud service provider, whether it be cloud services that we're collecting data from, but then it's also those less typical devices. So for example, extracting data from drones, where drones have been used in the commission of crime or anything along those lines.

Host: Okay.

Jason: Looking at motor vehicles: most vehicles have digital systems in them and we're extracting data from those. You know, Internet of Things devices, smartwatches, like your iWatch, all these things are now starting to be in scope essentially for digital evidence. And if I want to sort of throw my sight forward a few years,

Like I'm waiting to do forensics on robots. Like seriously, I'm honestly waiting to have the first case where there's some kind of weird robot thing involved that I've got to do forensics on. And then maybe some AI type forensics, you know, that's how the world is evolving. I think, you know, digital forensics has always got to evolve with those changes.

Host: So how does that impact? So you mentioned a few transitions, right? Computers, servers, mobile devices, cloud, IoT devices, you want to see robots as well. How does that impact the field of digital forensics in general?

Jason: So if you think about it, because the technology is constantly evolving, one of the biggest impacts when it comes to digital forensics is for the practitioners to keep themselves up to date, making sure they stay abreast of the current technologies. And that's sometimes a challenge because we also have a lot of people working in the field of digital forensics who may not be formally qualified as computer scientists or computer engineers and things along those lines, and their horizon, in terms of what they could do, sometimes becomes a bit narrow.

So I do see that those people in the field that do have formal qualifications in computer science and computer engineering are kind of, I know this is going to sound kind of weird, but they're taught the way of the computer. They're taught the way of the machine essentially, and that gives them the ability to constantly adapt to changing technology.

So just to give an example from my own career. Even though I'm a specialist in digital forensics, I'm a member of several professional bodies that deal with general IT technology issues. So I'm a professional member of the Institute of Electrical and Electronics Engineers. I'm a professional member of the Association for Computing Machinery. I'm keeping myself constantly abreast of changing, developing technologies at an engineering and scientific level to anticipate what those next technologies are gonna be for digital forensics. And I think that's probably the biggest impact, is that if we're not keeping ourselves abreast of the technologies and even preparing for the technologies before they become commercially common technologies, we're constantly playing catch up. And I think that's the biggest challenge, is you're literally constantly learning. This is one of those jobs where...

I can't sit on my butt for six months and say, you know what, I'm just going to not learn anything for six months because I'm tired of learning. Because in six months time, my knowledge may be obsolete. So that's probably the biggest impact when it comes to this field is because it's constantly changing, you've got to adapt.

But also besides the technology stuff, our laws are adapting as well all the time. So you've got to keep up to date with the changes of legislation and the changes of law. And oftentimes not even just changes of law in one country, but because of the multinational nature and the borderless nature of digital technologies.

You've got to understand laws in multiple different countries and jurisdictions. So it is a challenge, but it's actually a nice challenge, maybe because I'm kind of weird and I just like learning. So for me, it's quite nice. But I have seen colleagues of mine that sometimes do struggle with it, because the level of input that's required to keep yourself abreast is quite extreme.

Host: Yeah, I agree. And one of the things that you mentioned, right, is that it's not just about your local region. Let's say you're working for a customer, or your organization is catering to European customers. That means you have to understand GDPR requirements. Like nowadays, every country has their requirements coming up. So you have to be familiar with it. And then your sort of territory of investigation also grows, right? It's not just where you live, but also where you serve your customers.

Jason: Yeah, exactly, exactly. Exactly. You know, just to give you an illustration of that, you know, I live in South Africa, but I work worldwide. Yesterday, I was giving presentations on Qatari and Saudi Arabian cybercrime legislation, because there's times that I do work in these areas that I have to understand the Sharia law system and all these other kind of dynamics. So really, it's fun. It's a fun challenge, but it is a challenge.

Host: Yeah, so you touched on qualification and staying up to date and continuously learning. What are the key skills that you see are needed to succeed in digital forensics?

Jason: So, I've just handed in my PhD thesis on Saturday. So, fingers crossed that I passed. But the topic of my thesis was actually looking at the core skills, the core knowledge areas for digital forensics, and actually identifying and building a consensus-based body of knowledge for digital forensics. And fundamentally, I've kind of broken it down into a number of core areas that you need skill in.

The first core area is computer science and computer engineering. That is an absolute core skill. And unfortunately, if you don't have that, you're gonna struggle in digital forensics.

The second area of knowledge that's really critical to be competent in is applied law. Now, I'm not saying you need to have the same level of knowledge as a lawyer, but you need to understand how to apply the law in different areas and how to testify in court and how to deal with the evidential issues in terms of the law.

The second core area that you have to have competency in is ironically in the field of forensic science, because digital forensics is seen as a subset of forensic science. Just as much as it's a subset of cybersecurity, it's also a forensic science field. So you have to understand those scientific principles and what make good scientific evidence and things like that.

And then there's four fields, if I could put them this way, are not, I mean, one of them is not unique to digital forensics, but they all kind of are part of the core digital forensics process. You need to have skills in the ability to effectively conduct searches and seizures. At some point, the forensic analyst may have to go into a scene, into a building, into a company, and get the data. So you have to understand all of those practical physical processes.

Then you have to understand how to do forensic acquisitions. How do you secure and collect the evidence from those digital devices in a forensically sound manner? So that means you've got to understand how to get evidence from a laptop with an NVMe drive in it, all the way to being able to extract data from a drone. So you really have to have this broad level of skill.

And then fundamentally the last two areas that you need to be skilled in, one is in the forensic examination field, which is basically how do we identify potentially relevant digital evidence?

And then the last part is the forensic analysis, which is how do you reconstruct everything? How do you rebuild everything? How do you effectively roll back the evidence to see what happened in the past to know what's going on? And those core knowledge areas are fundamentally what you need to have to succeed in digital forensics.

And then obviously they evolve over time, but you need to have your foot effectively in each one of those areas.

Host: Yeah, so talk about timing, right? You submitted your thesis Saturday and we are talking about the skills today. No, I loved how you put them in bullets in a way, right? There are these six things that a forensic analyst should know. Earlier you highlighted some of the challenges as part of the digital forensics, right? I know that you are still hands-on. I was surprised that you are still hands-on even though you lead a team.

As a principal forensic analyst, how do you tackle the challenges that you highlighted, whether it comes to new technology that's bringing, let's say, encryption challenges, or whether there are jurisdiction challenges, things like that. How do you tackle those challenges?

Jason: So I can tell you how we do it within my practice. So obviously in any organization, you try to manage your team at some level. Part of our KPIs are actually research projects. So we encourage all of our members of our team to actually engage in research projects.

And within the organization, we plan out what kind of research projects different members of the team are gonna do and we support them. So partly it's learning ourselves, but partly it's also doing research, which ultimately we're gonna share back out with the community.

And then also what we do internally as well is we try at least once every two weeks to have a team learning type engagement. Obviously, you know, we do it online and things so everybody can participate, but it'll be one member of the team saying, hey, this is the new thing that I've encountered and we brief on it. So we do a lot of internal knowledge management within the organization to constantly try and level up everybody's skill levels.

But by the same token, we also encourage further studying, you know, so most of the members on our team have at least master's degrees in either forensic science or engineering or computer science or things along those lines. And we do encourage our people to grow as much as possible.

But I think we also just encourage that culture of learning, you know, and also creating this culture of sharing information, not just with our own team, but even with the general community, because I think it's just the right thing to do.

Host: Yeah, I think it goes back to what you said earlier, right? You have to constantly stay up to date. And one of the mediums is like anyone in your team, if they learn something new, there is a forum like show and tell every two weeks happening, and they can share and others can learn from it. Yeah.

Jason: Exactly. And for me, that really works well. And I've seen a number of organizations that do it. And you can actually physically see those organizations grow. When you have that kind of learning culture within an organization, it spills out beyond the organization.

You know, you, again, not just us, but you look at other organizations that do similar things. These are the same people who end up presenting at B-sides and getting involved in community sort of ethical hacker initiatives and security awareness, because when you learn yourself, you kind of give.

I know this is gonna be like a weird story, but I've done martial arts for most of my years. So I sometimes sound like a fortune cookie. But I always remember the story that I read about this Buddhist monk going to the Buddhist temple and he wants to meet with the master and learn all of these things, and the master pours him a cup of tea and then he just carries on pouring the tea into the cup and the tea starts flowing over the rim of the cup, and the guy says, but you know that's full, you can't put any more tea in. The master says, well, you, like this cup, you're full of your own thoughts and ideas; until you empty your own cup, I can't fill you with new knowledge.

And I think this idea of learning, but also giving of your knowledge to others, empties your cup. It frees you up to learn more knowledge. But from a purely competitive perspective,

if we build the community based on the knowledge we gain, it ups the level of skill of everybody doing digital forensics. And it also forces us to innovate. It forces us to constantly get better so we don't rest on our laurels. Because otherwise, for all intents and purposes, we are a business.

Our competitors get to the same level as us. We need to constantly be pushing that level up. But by pushing that level up, everybody else rises as well. And if everybody else rises as well, then the quality of digital forensics gets better. We see more justice in the world and more good is done.

Host: Yeah, absolutely. I like the example that you gave of the Buddhist monk and somebody going and trying to learn everything from the master and how that relates to how you connected that to digital forensics and learning. So love that.

One of the things that you highlighted earlier is that one of the key skills of a digital forensic analyst is understanding the process of forensic acquisition and keeping the authenticity of digital evidence throughout the investigation process. So how do you ensure that? Like if I'm trying to learn, what steps should I take to ensure that the chain of custody and the authenticity of the digital investigation is maintained?

Jason: So I'll answer it in a multi-level way. So first things first, anything that you do in digital forensics, you need to document. Document, document, document. And when you think you've documented enough, I can guarantee you haven't and you should document some more. There's that old adage that if you don't write it down, if you haven't documented it, it didn't happen. So document!

Written documentation, video recordings of what you're doing, digital camera, you know, with your mobile phone, just document everything, have processes and procedures to document. So effectively when I'm collecting the evidence, I need to be able to show a court or whoever I'm presenting that evidence to that, from the time that I acquire the device that has the evidence to the time that I ultimately present that evidence in court, I've got that entire process fully documented.

And there can't be gaps. Even for a millisecond, if there's a gap, it allows somebody to argue reasonable doubt, or could this have happened, or could that have happened. So that is something that just has to be done. And if you don't do it, it can be bad. So I'll give you an example of something. We got called in to assist one of our law enforcement agencies with some work.

It was a very high profile case. They'd seized multiple items of digital evidence and they wanted us to assist. So we go into the offices in this particular city to, you know, assist. And the first thing I want to do is like, okay, I want to see the evidence. And what the guys did is they brought out this big plastic bag full of phones and hard drives. And they literally tipped it up on the table and said, here's the evidence. And I'm like, hold on.

Where does this phone come from? Well, it came from this building. Okay, where in the building? Whose desk was it on? Who had it? No, we didn't document any of that. And I literally said, look, I can't touch any of this evidence. All of this evidence is tainted. And the sad thing is some of the data that might have been on those devices may have actually helped with the prosecution. And the case that ended up taking years might have only taken months if they'd done it right. So.

So you have to have to have to get it right. You only get one chance to get it done right. But in addition to all this documentary chain of custody and documenting everything and securing the evidence, there's also the scientific securing of the evidence. So one of the things you'll probably hear people talk about, when they talk about digital forensics, is hashing the evidence, or creating a one-way mathematical hash of the data. And again, we use various hashes: MD5, SHA-1, SHA-256, SHA-512. It really doesn't matter which one of the one-way hashes you use. But the reason for doing that mathematical hash is that once I seize a piece of digital evidence, I calculate that mathematical hash to get a digital fingerprint for it.

And that can be used to demonstrate the integrity of the evidence. So I can take that piece of evidence, then ultimately go to court. And if the opposition turns around and says, you know, Mr. Jordaan, I put it to you that you altered this evidence, physically in court I could do the exact same hash calculation on that evidence and demonstrate to the court that it generates the same hash value.

And by understanding the maths behind the hashing process, I can also demonstrate and explain to the court how that process works. And I've actually done it on a few cases where literally, I've done a demonstration for the court saying, here's a simple text file that I'll create that's got the words hello world in it. I'll calculate a hash value. Okay, here's the hash value. I'll change a single character, recalculate the hash value, and I get a completely different hash value. And then I go back and change it to what it was originally. It gives me the same hash value again. Usually the judge's eyes light up like, oh my word, this is some kind of magic.

But by being able to understand the maths, you can prove the integrity of the digital evidence. So if you do the scientific processes correctly to preserve the integrity of the data, and you do all of the documentary process correctly to preserve your chain of custody and the legal issues, you're not going to have a challenge with digital evidence in court. And that's really critical.

Host: So I have actually a follow up question on this, but before I say that, it feels like I'm in a Jason Bourne movie investigating a case and I'm going into the details. So I love it. And you are named Jason also.

Jason: Yeah, I'm probably, well, I mean, I've done some things in my career that probably do come into that Jason Bourne, James Bond kind of thing that I can't really talk about because, you know, stuff. But it doesn't feel like that anymore. I'm just playing old Jason that just does what I love. But I do do some cool stuff. But I won't lie about that.

Host: So the question that comes to my mind is you said document, document, document, even if you say you have documented, there is more documentation to be done.

As an analyst, does it get overwhelming that you have so many things to go through and present to your finding or get to a finding or finish your analysis?

Jason: I think you're 100% correct. It can be incredibly overwhelming. And that always brings us back to what we started the discussion with about discipline. You have to be disciplined in this job. Because if you're not disciplined, you will get overwhelmed with the data. The sheer amount of information that you're going to see on an average system these days is astronomical.

It's so easy to get lost in the data. So you have to focus, you have to focus on exactly what it is that you're trying to prove. You shouldn't get distracted by the shiny objects. Again, I have natural curiosity like anybody else in this field. I see something interesting, like, this is interesting. I should go and look at this. And I'm gonna hold the weight of my face and just slow down. That's not part of the case that you're investigating. You just focus on the case that you're investigating.

And again, ironically, your case documentation, your contemporaneous notes that you're doing while you're doing the analysis actually helps in that regard. So when I'm working on a case and I'm physically documenting what I'm finding, I'm making notes and annotations in my notebook as I'm working, saying, okay, this is interesting. I'm gonna flag it to come back to it later. I'm not gonna get distracted by it now because I've got this particular thought process that I'm following through.

But I write it down and document it so I don't forget about it. So I know that once I've completed the tasks that I'm busy with, I can go back to that task, focus on that and do it that way. So the documentation that we do is not just for going to court purposes, it's actually for keeping track of the sheer amount of data you actually have to deal with in a case and kind of constantly keeping that picture in your mind of what's going on. You're building linkages between artifacts, you know, what artifact links to what else; you're building timelines of what's happening chronologically in the case. And as the cases become more complex, if you don't write that stuff down, we are human, you will forget stuff.

And that is really, really critical. Because one of the big challenges I've seen some inexperienced analysts have is they do all the documentation stuff and the mapping and everything after they've done everything. By that time, they've started to forget things that they've thought about.

So documenting as you go along, documenting your findings and your thoughts and your investigative decision steps, is absolutely critical if you really want to be successful.

Host: Yeah. Yeah, that makes a lot of sense. And the way you connected that to discipline, it's part of the thing. You have to be disciplined to not only collect evidence, but also document and also go through each evidence so that you can build that mapping. And again, document that mapping so that others can learn from it.

Jason: Exactly. Exactly. And the other thing as well, I mean, you made mention of other people could learn from it. Digital forensics, especially if you end up going to court, gets somewhat adversarial. You might come up against other experts, you know, other forensic practitioners, and your notes, your documentation needs to be so comprehensive that they can follow exactly what you've done and come to the same conclusion.

So if I've done my job well, another analyst is going to look at exactly what I've done and will be saying, yes, I reach exactly the same conclusion as Jason. Perfect. But if I haven't done that, how does he know what my thought processes were and how I got to a conclusion? I need to present that map, not just for myself, but potentially for other people that are going to use the evidence that I've generated.

Host: Yeah, that makes a lot of sense. A related question that we got from Arun Mishra is, how does digital forensics intersect with incident response? Do you start when there is an incident? How are they related?

Jason: Woo! So I've been doing quite a bit of sort of thought and discussion around this whole difference between digital forensics and incident response. So I kind of think about it this way. Incident response is like the building being on fire and you call in the firefighter to put the fire out. Digital forensics is the fire investigator that comes after the building fire has been put out to figure out what caused the building to burn down.

That for me is the big fundamental difference, and the reason I say that is because the purpose of digital forensics and the purpose of incident response are two very different purposes. The purpose of incident response is mostly to resolve the incident now.

I do a lot of incident response engagements. Now for me, I want to find out what happened and why it happened and what the root cause of the incident is. But for most of the organizations I get called in to do incident response for, the organization doesn't care about finding out what happened. They just want the business to get up and running again and they want the incident to go away. So the priority in incident response has to be aligned to what the organization wants, and what the organization actually wants is business continuity. Incident response is fundamentally a business continuity process. It's investigative in nature, but it's not digital forensics.

Digital forensics is focused fundamentally on taking things to court. So holding somebody liable or accountable for something bad that's happened. And those are two very different processes. Now, can they be related? Yes.

You may have somebody doing an incident response and they find evidence and they preserve that evidence on one side while they resolve the incident, and then a digital forensics team could come in and work with the evidence that's been preserved. But a digital forensics practitioner is not an incident response practitioner. If I go in to do an incident and in my mind it's, you know what? I'm here to catch the bad guy and figure out what happened and all that, and the company's saying, but actually, I don't want you to do any of that. I just want you to put the fire out. That's a cause for huge conflict.

So I think if you think about it, on one hand, you've got digital forensics, on the other hand, you've got incident response. But what unites them is the investigative techniques that we use in both. So the techniques that I use as an incident responder are very similar to the techniques I would use in digital forensics.

One of the big differences in incident response, I might not be documenting at the same level of detail that I would have to do in digital forensics. Because again, it's fast. The building's burning. I don't have the time to... While the ransomware is busy encrypting all your systems, I don't have the time to say, hold on, wait a minute, before I do anything, let me just write all this down quickly. I'm probably pulling the plug and stopping the problem. So that's...

For me, they are related, but they're related by some of the techniques that we use. But the outcomes of the two disciplines are very, very different. And I think if we can, as a community, we can kind of understand the difference between the two and how these two actually should be working together. So if I think about it, if I'm working on a team that's doing incident response, I honestly don't want to be putting out the fire. That's not what interests me. I don't want to become a firefighter. I want to become a police officer.

I know that sounds weird, but it makes sense.

Host: Yeah, like both have distinctive roles, right, in a way in the society.

Jason: No, exactly. So, you know, I need to have the police officers in society to put the fires out because I'm not trained to do that kind of work. But at the same time, those firefighters need me to do my job and we actually need to kind of work together. So all I'm asking is, if there are people doing incident response work and I'm gonna be called in to do the forensic work, just preserve the evidence correctly. That's all you need to do. Just give me a preserved piece of evidence that I can work with and you can do the incident response, you can do the remediation, you can rebuild the systems. At least I've got evidence.

But by the same token, if you have to respond to an incident in such a way that you're gonna destroy the evidence because the delay, in other words, the act of preserving the evidence, is actually gonna end up causing more damage and more harm than just sorting out the problem, then destroy the evidence. And again, I usually liken this to a paramedic situation. If somebody's been hurt or assaulted and they're bleeding and they're in pain and the paramedics arrive there. Like if I'm the police officer, I'm not gonna say, hold on, wait a minute paramedics.

You can't go and help this guy because I need to preserve evidence. My priority is the safety of that person and making sure that that person gets the life-saving attention that they need. Does that mean that the paramedics might end up destroying evidence? Yes. And I'm okay with that. I could actually live with that. But it's about finding that happy medium and realizing that sometimes I'm not gonna get the evidence and sometimes I am gonna get the evidence. And when I don't get the evidence, I shouldn't be upset about it, especially if the people who've done what they've done have done that with the best interests and the best intentions at heart, and I'm okay with it.

Host: Yeah, it's about that balance between incident collection. Yeah. So now one question that comes to my mind is like you gave some good examples, like building on fire and ransomware.

So as an organization, what can I do so that if in future some incident happens, my digital forensic team can come in and do the investigation in the right way?

Like I know that I cannot have sensors in maybe every single room in the building and things like that to determine where the fire started. One example that I can think of is like the black box in an airplane, right? When it crashes, we use that for investigation. Similarly, what can organizations do to prepare for some of these scenarios?

Jason: Exactly, exactly, yeah. Exactly. So one of the things, I know this is kind of interesting, when we talk about preparation, there's an area of research which we call forensic readiness. Now, it's a field that was largely kind of discussed by digital forensics practitioners. In other words, how do we prepare an environment to best have evidence when something bad happens?

But that field actually kind of overlaps with general security as well. So in other words, it's about looking at the environment in an organization and how do we optimize it for the collection of evidence? Because not only could I use that in digital forensics, but I could also use that in the incident response. So a classic discussion that I have with a lot of organizations is exactly how do you do your logging? And so many organizations I go into where I expect to see decent logging and there's no logging whatsoever.

And again, that doesn't help the incident responders. It doesn't help the forensic people. It doesn't help the security people. So, it's how do we architect the environment to optimize the data that we may need to use for something else? And I think that is one of the key things I'd recommend to any organization.

The second thing is that if you have internal capacity, make sure that whoever is doing your incident response or your initial engagements has at least some training in preserving the evidence. Because not every organization has the budget or the resources to have full-time digital forensics people on site.

I mean, a lot of them these days will have security operation centers, maybe some incident responders, but having a digital forensics person permanently on site? Only the really, really big organizations have something like that. So what you do then, you make sure that your existing capacity in the organization at least has basic training to not mess up the evidence. Again, think back to, you know, organizations must have so many first aid qualified people and so many, you know, people who can do basic firefighting and things along those lines. We need to do the same thing from a security point of view as well.

But then what's really, really, really important is you shouldn't wait for something bad to happen to try and build relationships with digital forensics partners, essentially, because, you know, a classic example, we get called in, we need to do an investigation, but it takes us three weeks to go through all the procurement process.

And by that time it's probably too late already. So you should actually identify partners that you can work with well in advance of an incident. Hopefully you never need them.

But rather have that in place so that if something bad happens, you've at least got somebody that you can at least reference or call up and say, hey, I've got a problem. What's your advice? I think, bless you, bless you. I think, for me, that's really something quite important because I don't think we do that enough. And as organizations get bigger, procurement processes get crazy. We do a lot of work for government entities and onboarding in a government entity can take months sometimes. And again, by that stage, it's too late to do the investigation. So as part of this forensic readiness process, you should really look at what do you have in your own organization? How do you architect your organization to optimize data storage and data preservation that you could use in an incident or in security or forensics?

And then identify good partnerships. And here's the irony, a good partnership might actually be partnering up with local law enforcement. So you might be in a country where the local law enforcement has got really, really good capacity; partner up with them, build relationships with them. I have a very good friend of mine, used to be a detective in the Metropolitan Police at Scotland Yard in the UK, and he always said to me, investigations are about contacts, it's about the contacts that you have. And responding to incidents and responding to the need for forensics, you'd better have the contacts beforehand than try to start looking for them after something bad has happened. By then it's probably too late.

Host: Yeah. Yeah. Yeah. And I think you touched on a very key aspect, the contacts, right? Like often it's discussed that security is not a tools and technology problem, but it's more of a human problem, right? Because either you are trying to solve for humans or you are working with humans to solve the problem. So yeah, that's a great connection.

Jason: Exactly. Yes, exactly. Yeah. I mean, you know, we talk about that human problem. And I have this discussion a lot with a lot of organizations. And even when I teach around the world.

Cybercrime, which is effectively what we're dealing with, is committed by people. You know, we can talk about all the malware and the bots and the AI and whatever, there is still a human being with hands on a keyboard somewhere that's doing the stuff. And that for me always makes it a people problem. And the only way you deal with the people problem is with better skilled people that can deal with the bad guys.

Host: Yeah, and with good intentions, right? Better skilled and with good intentions. Yeah, absolutely.

So now speaking of humans and new technology, so we have a new technology, shiny technology, right? Relatively shiny technology, AI. And with that, there are new ways of bad guy behaviors, like whether it's Deepfakes or AI generated content and things like that.

In that case, how do you, like, how is investigation getting impacted by AI?

Jason: So obviously there's, I mean, AI is a very broad field. Now, when we talk about AI these days, it's like when most people talk about AI, they actually talk about a very narrow subset of AI. It's a scientific field that's actually quite broad. But if you look at the potential uses that bad guys could use AI for, like what we're commonly seeing these days, let's sort of roll back and think of a common attack vector, phishing and vishing and whatever other name you decide to call it.

The fact that we have AI now, let's say you build a large language model. And I managed to get a number of emails from the chief executive officer of an organization. So in the past, as the bad guy, I would have to go and read these emails and then I'd have to try and type out as if I was the chief investigating officer to convince somebody to do something or click on a link or something on those lines. But now I don't need to do that anymore.

I just need to get enough of a data set for that model, feed it into a large language model that can then write as that person. Or even better, you know, a voice message call, you know, I send you a WhatsApp voice note or something on those lines, but I've got enough video samples of your voice or enough audio samples of your voice to actually train a, you know, a RAG model effectively to generate and speak as your voice. Now you combine a large language model with RAG and now you've got Jason talking to you and it's not Jason at all. That is some of the challenges that AI is bringing to the table.

Now the challenge is it's becoming very difficult to actually detect that level of AI. And there are some organizations, so I know for example, Brian Epstein from MedEx Forensics, it's recently been bought out by Magnet. They've been developing some amazing research looking at the different software models that are used to actually generate deepfake videos and looking for the algorithmic indicators in the generated video to give you almost like a fingerprint that this thing was created with this application.

So I think at some point, yes, AI is kind of introducing these new dynamics, but as the AI develops, and again, the key to this is we need to understand how the AI technology works. And again, this comes back to what I said about computer engineering and computer science. If we understand the technology, we can look for the distinctive fingerprints of things within those technologies. And the reason I say that is because there's actually a principle in forensic science. It's considered to be the main principle of forensic science, called the Locard principle, which basically means that everything leaves a trace. So when I generate a fake video using some kind of algorithm or model, there will be a trace in that thing, whether it be a fingerprint from the algorithm or the mathematical arguments or anything on those lines. So it's that challenge of learning to understand.

Is it easy? No. Are we possibly going to use AI models to help us in identifying these? Probably yes. All I know is it's going to be an interesting dynamic because we again have to now up our skill sets on these systems. Now, if you're doing digital forensics and you start venturing into this realm, you've got to understand machine learning. You've got to understand deep learning. Understand generative adversarial networks, you've got to understand large language models, you've got to really get yourself around the technology. And again, that brings me back to this discussion about you've got to constantly be evolving. And we're talking about AI.

Host: Yeah. I love how you connected it back to the continuous learning part. Yeah, please, why don't you finish?

Jason: So, you know, I think we talk about AI now, but, you know, if we have the same conversation in five years' time, we might be talking about a completely different technology that might be an issue.

I mean, we might talk about, you know, all of a sudden quantum computing is now a commercially viable product. And now we're dealing with quantum dynamics. And I'm not just worrying about, you know, binary bits. I'm worried about qubits and how that constantly changes the mathematical algorithms that we're dealing with. It's so cool. It's so exciting, actually.

Host: Yeah, yeah. So keeping that in mind, let's say if I want to get into the field of digital forensics, what advice would you give to a beginner?

Jason: So again, usually this comes down to what's your background before getting into digital forensics. I think one of the core things is you have to have a love for technology and you have to have a real, real, real curiosity. And you also have to be self-directed and self-driven because again, this is one of these fields where if you wait for somebody to train you and give you all the training you think you need, you're never gonna get all the training you need because you're just never gonna have it.

So I think you have to have the right attitude and the right passion and the mindset to get into it. If I was giving advice to somebody that was at school, for example, and wanted to get into digital forensics, the first thing I would advise them to do is don't waste your time going and doing your two day, three day digital forensics courses. Go and get a degree in computer science. Go and get a degree in computer engineering. You understand the technology, really understand the technology because that'll give your career longevity because it will allow you to grow as technology grows. You know, if I go and do a course on how to use Forensic Tool X and suddenly everything changes, I'm obsolete and I've got to train from scratch again.

So that would be my first advice. But that being said, you also have those people who are, shall we say, they get into the career later. So it might be… people that are in the police or, you know, they'd be good investigators and they have a knack for computers. Those people also bring something to the table. And oftentimes with people like that that are late in their careers, I won't tell them go and get a degree in computer science or computer engineering. But go and study, go and learn. I mean, you don't have to have the piece of paper, you know, to generate the knowledge. I mean, there's more than enough resources online, you know, YouTube videos and, you know, GitHub repos with learning material that you could do a complete computer science curriculum through self-study. And if you look at the major universities around the world, they actually make their courseware freely available. So there's no excuse not to learn. So that's...

Host: Yeah. I think it goes back to that same drive, right? If you have the drive, then you will find out what to read, where to read, and what are the different ways to become a forensic analyst. But yeah, you wanted to add something.

Jason: Yeah, just to give you an idea, when I have people that, I often have lots of people approach me like, how do we get into digital forensics? What should we do? We wanna come and intern with you. Like one of the things I first wanna look for is I wanna see like, are you really interested in this field? I know it's gonna sound kind of weird, but I almost try to discourage people. Because digital forensics is hard, it is a hard field. And not only is it a hard field,

But the work that you do actually impacts on the lives of other human beings. You've got to be able to live with it. If I do my job well and somebody goes to prison for 30 years, I've had a role to play in that person going to prison. I need to have the mental fortitude to kind of be okay with it.

I have to understand that sometimes in this field, you're gonna get threats. I think you're gonna encounter nasty things that you don't want to see and you don't want to hear about. So you have to have that resilience. But if you're the type of person that loves solving problems and you love technology and you love to dig and figure out what happened, then there's a natural home for you in digital forensics.

And oftentimes, like I said, when people come on board or come to us and they want to join us, that's what I'm looking for. Do you have that spark? Do you have that real desire to learn? And I've taken on people as interns that have had master's degrees with no experience, but they had the right stuff. And then I've taken people that are in their 50s that have got no degrees or no qualifications, but they've self-studied and self-learned, and they've proved to be incredibly successful. So that's really what I'm looking for; if somebody really wants to get into digital forensics, those are some of the attributes that I believe you've got to have if you really want to be successful.

Because at the end of the day, and this is a horrible thing to say, but people need to understand this, I am only as good as my last case. If I mess up when I go to court and I really mess up, that's it. My career is done. I'm finished. I'm going to have to do something else because if I'm shown in court to be an incompetent specialist, no court is going to want to touch me again. I'm never going to be able to go testify in court again.

And that's incredible career pressure. I mean, that's like huge job pressure, you know? So you have to be prepared for that. You've got to understand that this job is hard. And that's cool. At the same time, it might be hard, but it's one of the most rewarding professions. I mean, I could never imagine doing anything else.

Host: Yeah, so this goes back to how we started the podcast, right? Like, what does your day look like? And you said that I wake up happy, curious to solve what is in front of me and go to bed fulfilled. And that's what you touched on, right? That if you have that drive in you and if you are passionate about some of these areas, then you should definitely consider digital forensics.

Jason: And the same applies to any field to be quite honest.

Host: Yeah, yeah. No, you are spot on. It doesn't have to be just digital forensics or security or engineering, like any field. You should be happy to work on the challenges of the day and also you should feel fulfilled at the end of the day. Yeah.

So that's a great way to end the podcast. But before I let you go, I have one last question.

Jason: Exactly.

Host: Do you have any recommendation? Like it could be a blog or a book or a podcast or anything.

Jason: Okay, so for those who are really, really, really interested in digital forensics, there is a really, really good podcast called DF Now. It's by Alexis Brignoni and Heather Charpentier based out of the US. They're both fellow colleagues, members of our ACES as well.

They do a brilliant podcast. You can find it on LinkedIn. You can find it on, you know, Spotify, just about every other channel out there. They do some amazing work. It's a podcast, always humorous, but you're going to learn a lot. And the interesting thing is if you go and listen to that podcast, you'll actually end up realizing there's a whole community behind it. And you'll end up seeing other podcasts and other speakers and other events.

Like my recommendation is, engage with that community. You know, the digital forensics community actually, ironically, is quite small. And a lot of us know each other, you know, and you'd be surprised, especially getting into forensics, that you could just reach out to somebody and they will be so willing to help you in your journey because we love what we do and we love to share what we do.

Host: Thank you. Thank you for sharing the podcast. So what we'll do is when we publish the episode, we'll tag the podcast so that our audience can go in and learn from it.

Jason: Perfect.

Host: Thank you so much, Jason, for joining and sharing your knowledge in digital forensics. There were quite a few things which even I was trying to get my mind around. So thank you so much for doing this with us.

Jason: Thanks, Puru. It's been a great pleasure. I've had an absolute blast. It's been an amazing conversation and hopefully we get to do this again at some point in the future.

Host: Absolutely. Thank you so much. And to our audience, thank you so much for watching. See you in the next episode.