Chris Sienko: Hello, and welcome to another episode of the Cyber Work with Infosec podcast. Each week, I sit down with a different industry thought-leader to discuss the latest cybersecurity trends, and how those trends are affecting the work of infosec professionals, as well as tips for those trying to break in or move up the ladder in the cybersecurity industry. Allan Buxton has worked for almost 20 years in the fields of data recovery, computer forensics, and worked as an educator and course developer in the computer forensic field. We’ll be speaking today about his career journey, and also some key turning points in Allan’s career on the way to his current position as the Director of Forensics at SECUREDATA, Incorporated. Allan Buxton is the Director of Forensics at Secure Forensics, a secure data group, dedicated to exploring and investigating digitally-stored information for clients. Allan also conducts research into new solutions as new challenges and products arise within the technology sector. Having worked primarily in law enforcement, prior to joining SECUREDATA, Allan has been the recipient of numerous awards for his digital forensic casework. He spent 14 years as a computer forensic specialist, with the Ohio Bureau of Criminal Investigation, before sharing his skills nationally, and internationally, as an instructor with Cellebrite. Allan lives in North East Ohio and when not rehabbing his house, or training his puppy, enjoys sports photography. Allan, thanks for joining us today.
Allan Buxton: Thanks for having me, Chris.
Chris: So, how far back does your interest in computers, and security, and forensics go? Was this something that you were always interested in, or did it come along later?
Allan: No, it’s been around for a long time. My Dad brought home an AD86 when I was in fifth grade, so I’m dating myself quite a bit,
Chris: It’s cool.
Allan: but that was a challenge I could not resist learning how to use, so… I have loved tech ever since, and it’s kinda fun to see how much it’s changed.
Chris: So, you’ve been in the industry for a long time. Has the cybersecurity and computer forensics landscape changed, procedurally or directionally, since you first got involved?
Allan: Oh yeah. I mean you think the internet changed everything. We knew about security and all the advances and protocol changes, every new feature, even the cloud, as a forward multilevel platform kinda thing, has… It keeps changing it and redefining it. So, as much as you feel like you know some days, you also feel like a very big beginner other days.
Chris: Sure. Now, is it just the tools or techniques that have changed, or is it also the, sort of, procedures, and the way people do things?
Allan: A little bit of both. All of the above. Like, the fundamentals, especially in forensics or recovery, don’t really change. But even the details of how you go about them change dramatically. So, I always tell people, if you can master the fundamentals you can always keep learning and doing, but you kinda have to commit to re-evaluating how those fundamentals fit in.
Chris: Yeah. So, today we’re, like I said in the intro, we’re gonna be talking, sort of doing a double path here, we’re going to be talking about your current work in computer forensics, but also, you know, previous positions, and things like that, recovery. You know, these are sort of skill areas that people who are following the Infosec site and Cyber Work in general, are interested in getting involved with. So, how did you become a senior level forensics expert? What were some of the major steps along the way, and what were the progressions of skill sets that you needed, to get where you are now?
Allan: So, when I started, and again it’s been 20 years, so things have changed a little bit, but back then, the only training that was really available was professional certifications. So, that first big entry level was taking some classes through the Police Officer’s Training Academy here in Ohio, and then, ultimately, attaining a nationwide certification from the International Association of Computer Investigative Specialists, a certified forensic computer examiner. And from there, it’s a matter of tacking on new training and certifications as operating systems or platforms roll out.
Chris: Now, it sounds like you started right with law enforcement when you were doing this. Was that always the sort of focus for this kind of thing? ‘Coz, I mean, you know, some people do forensics in the private sector, in the military, and so forth. Was law enforcement an interest of yours, in terms of computers and tech?
Allan: Honestly, no. So, getting into how you get started in the career, I worked my way through college as a tech and doing data recovery. So, network stuff, higher level deployments, and then recovery. And one of the guys I worked with, I told him I was graduating and that I was looking for something a little different, because as much as tech changed then, it never really changed the big things quite as quickly. So I was getting a little bored with what I was doing. And he was a part-timer. He worked for the attorney general’s office, and he said, “Well, if you’re serious about looking for something different, I’ll clue you in to the most disgusting job you’ll ever love.” And I was like, “Well, if it’s disgusting and I’ll love it, how do I say no?” And it turned out it was… How to be a criminal investigation. The investigative arm in the Ohio attorney general’s office had had spots open for computer forensics practitioners, and were willing to train.
Chris: I’m gonna stop you for just a sec here. Your video froze here, so I’m not sure if there’s a..
Allan: Oh, that’s not good.
Allan: Let’s see if we can get that fixed.
Allan: Although I don’t think my looks are gonna change that dramatically. Is that any better?
Chris: Yup, that works.
Allan: Oh good. Anyway, they were willing to teach the, they were willing to train for the forensics side of it, but you either had to have a degree in computer science, or functional equivalency. And so I put my hat in the ring. All the experience I had working through college really paid off on that end. And that’s how I got into the industry.
Chris: Okay, so you started out with, basically, a college degree in, what, computer science?
Allan: No, actually I have an English degree. At the time, I was, I started computer science, and I’d been working with it so long, I found those classes to not be too challenging. And I was not mature enough to flourish on classes that I could coast through. So it was “get a degree and get out, ‘coz you already have a career path”, for me, if that makes sense.
Chris: Okay, so you knew the tech stuff by knowing the tech stuff, and you had the degree which they required to get in there, get into the…
Allan: I’d been working freelance since I was in high school, so I had almost a decade’s worth of experience already in the field, by the time I
Chris: In what kind of stuff?
Allan: Networking and data recovery.
Chris: Okay, all right, cool. And so that was enough to get you going in the forensics program?
Allan: It was. It was enough to qualify me at entry level, and then, obviously, they trained on the job.
Chris: Okay. Yeah, I think that’s… We’ve had a couple of people who have talked about things like incident response, and also computer forensics. And maybe you can corroborate this, but there’s a real premium on communication skills, even as much, or more so, than the tech background, in terms of being able to convey what you’re actually doing, and so forth.
Allan: So, I learned as a tech that nothing’s really fixed or recovered until a client understands how it’s fixed or recovered.
Chris: Right! Okay.
Allan: And then, even more so now, there’s an emphasis on communication, especially in the forensics fields. Because if you’re gonna go testify in court, you’re being asked to explain what you’ve done to people who don’t have your skills and background. So the communications skills are huge.
Chris: Okay. Now, let’s start with computer forensics here. This is obviously your bread and butter, and your meat and potatoes, and whatever, for, you know, most of your life right now. So, walk me through an average day as a forensics specialist. What time do you start work? Where does your work take you in the course of the day? When are you done? And how much can you turn off at the end of the day? Or are you always on call?
Allan: So, the nice thing is, the job can be fairly flexible. I’ll talk about the civilian role, and then we can go back to the law enforcement role, if you want.
Allan: These days, I start my day when traffic is kind enough to let me get to the office. We gun for nine o’clock, but it’s construction season, and then there’ll be snowy winter season, so… I’m typically at the office ’til six, six-thirty. In between there, it’s review case assignments, look at incoming cases. You know, are there problems or questions that need answered before it becomes an engagement? Occasionally, the sales will reach out with a question as to whether or not something’s possible for us. So I run through all that. I do get my hands dirty with some forensics, still. So, I’ll pick up a couple of cases and work on that, to stay sharp. And then, at the end of the day, it’s not hard to unplug. Every now and then there’s an emergency, but… I would say, most days, when you clear out, you clear out. It’s not bad. The… You go ahead.
Chris: Oh, no. I was gonna say, so that brings up two sort of follow-up questions. One is that, unlike, you know, like an incident response thing, or other sort of security things, like, you’re very project-driven, in the sense that the project isn’t really going anywhere. Obviously, you need to have it by a court date, but there’s not this sense of, like, the breach has just happened, right?
Allan: Right. We do more litigation than investigative support, so we don’t get a lot of instant response. In an incident response team, you’d very much be waiting for the hammer to fall, which is more like the law enforcement side of life.
Chris: Right. Now, the other question was, you said that you still get your hands dirty in forensic cases, to keep sharp even though someone at your position may be… Am I right in thinking that that’s not common?
Allan: It can be. It can be and it can’t be. The problem you have is that the more they expect you to do other things, like go oversee other people’s casework, and review reports, the less time there is, anyway. And, honestly, if you’re properly staffed, the forensics people should be doing forensics and their boss should be bringing in more work for them, or getting their work out the door. So, in that regard, I do my best to stay sharp. When I was teaching for Cellebrite, I still did some cases for my local PD as an auxiliary.
Chris: You froze up again here real quick. Your video.
Allan: It’s gonna be that kinda day, isn’t it?
Chris: I guess, yeah!
Allan: All right. Stop, start, there we go!
Chris: Yup, okay, so anyway.
Allan: But you can tell if you’re not doing cases every week, you go from having a really sharp, efficient work flow, to slightly less. I’d say you go from being a surgery scalpel to a butter knife, if you’re not careful,
Allan: in terms of being able to get through the work. And I never wanna be in the spot where I’m out of touch with what changes, so, you know, if I’m asking them to work on one of those 10 machines, or I’m asking questions about what they found, I need to understand the context for that as well.
Chris: Sure. Are there any sorta strategies? I talked to someone, previous guest, who was, you know, in a sort of VP of people, HR position, who was saying that there was some difficulty in getting people who like doing the actual work, apping the bugs, catching the bad guy, that they don’t necessarily wanna move up to management positions, because they lose some of that. Can you explain some of the other, sort of, enjoyments of the job when you’re at that level, or is it really, just, you’re leaving, like, the funnest part behind?
Allan: I don’t think of it as leaving the funnest part behind. Like, I found out real fast that, in terms of experience alone, I aged out of finding opportunities to just do forensics. Somewhere at 10 years or so.
Chris: Video froze again.
Allan: Oh boy! I’m sorry.
Chris: That’s okay.
Allan: You know, this talk how good you are with tech, and then we can’t keep the video running.
Chris: Yeah right!
Allan: So, for me that was a little bit of a bitter pill, ‘coz I really enjoyed forensics. But what you do now, and part of the role now and part of the role as above that, is to see that, foster that growth, understanding, in others. So you kinda have to embrace the change, to make the most of it. And if you can make that shift, if you learn to be a better teacher and mentor, it’s not as hard to give that up. But I’m a big believer in not asking people to do what I can’t, at least, understand or do myself.
Chris: I see.
Allan: So, I try to stay sharp enough. You know, like, my iOS 10 expert can tell me every little change in between all the major releases. I wanna at least be able to look down at his reports, or if I’m asking him to walk me through something the clients had a question about, I wanna be able to understand contextually what that is. So, I do my best to stay sharp, but it gets harder the higher up you go, certainly.
Chris: Sure. And you froze up one time again.
Allan: Dang it! Oh my God, wow! All right, let’s… Start. I don’t know if we’ve got a power save thing going on, or if it’s just USB, the fickle nature.
Chris: Yeah, weird. Okay, so, I guess, moving on from that… Oops, now you have nothing going on. Or you have a…
Allan: Oh yeah! Okay, did that change it?
Chris: I guess we’ll see. Okay, so you had previously sort of, teased that there’s a difference between civilian versus law enforcement. So, what’s the difference in that, in terms of, like, the work day, and job–
Allan: So, in law enforcement, your workday is not always guaranteed to start when you think it’s going to. You’re very, at least at BCI, you know, we assisted sheriff’s offices, police departments and other state agencies with investigations. So, in a sense, you could watch the news the night before and see what was waiting for you the next day, some days. Other days, that hammer drops at two in the morning, and they have something on scene they need a hand with. So, you were more on call, and, in terms of being able to unplug, a lot more difficult. But not impossible. You could rotate between staff, or at least get a heads up, you know, that something’s coming. I’m not gonna tell you it was every day we were getting woken up, but unplugging on the law enforcement side is a little more difficult, especially when you have a skill set that is specialized and could be needed in a variety of locations.
Chris: Are there upsides to the law enforcement side of it? I mean, were there other things that made it enjoyable enough to be, sort of,
Allan: Oh yes!
Chris: On call like that? Yeah?
Allan: Oh yeah, The variety of cases you get have a bit more meaning, shall we say? I’m not gonna sit here and tell you everything’s not important, but you went home every day knowing you were actively doing the best to make your part of the world a little better. So, yeah, a huge upside, as far as that goes.
Chris: Okay. Another thing you mentioned in passing I just wanna, sorta, get a sense of. You said that you aged out of pure forensics role. So, is that common across the industry? That, after a certain age, if you’re still doing just pure forensics, you’re sort of falling behind? You should really be looking for management or leadership roles?
Allan: I don’t think it’s aged as much as experience, time in. But certainly, once you hit double digits…
Chris: Yeah, people are wondering why you’re still only doing that.
Allan: I don’t know if they’re wondering, but you’re gonna find that the jobs you look… If you’re looking to make a career change, you’re gonna find that you’re gonna be offered management spots. And you’re gonna get some odd looks if you tell them you’re just interested in doing forensics. At that point, you’re probably looking more to freelance or consulting fields. Because the band is there for experienced professionals. They want that experience available to others, not just you at your desk.
Chris: I see. Are there any especially interesting, shocking or unusual forensics cases you worked on that you can share with us?
Allan: Ah man! Where do you want to start!
Chris: Right at the beginning, man!
Allan: So, computer crimes, you know, as an investigative field, it started with white collar crime. Mainframes, the computer, is expensive. That would be your first gen, really, of forensics practitioners. I’m probably second generation, where the advent of the PC opened it up to the internet. And a lotta small business crime. Obviously, sex crimes and the internet go hand-in-hand anymore. And then it became… Somewhere in the mid 2000s, when we hit that generation where you put a computer in everything. Shifting into homicides, which… Yeah, no-one’s getting bludgeoned with a laptop, but if you think about it, the internet, as a research tool, opened everything up. So, most of the disturbing stories I have, or the interesting ones, tie in to people dying. So I’ll give you that disclaimer, and you can decide if you wanna go forward from there.
Chris: Okay, sure. We have trusty editors, so we’ll get to that later.
Allan: One of the more memorable cases was a case here in Ohio, got known as the Craigslist Killer. He and an accomplice were posting Craigslist ads for a caretaker position down in rural Ohio. And, you know, preying on people who had nothing. Telling them, look, if all you want’s a roof over your head, I have a farm that needs someone to keep an eye on it. Pack everything you own and we’ll go interview for it. And then they were killing them and pawning off all their stuff. I did the principal forensics on that case, which was memorable for the number of victims. I wanna say four dead, five attempted, that we know of. And not good.
Chris: Were there any particular things that they did wrong, that allowed you to, sort of, crack the case, or was it…
Allan: Well, they would’ve gotten caught anyway. You know, when you have four people dead, you have four missing persons cases, and the national and the federal clearing houses were starting to put the trail together. They were all looking at things. But at the end of the day, yeah, I mean, he met all these guys on video. You know, one of them, I wanna say one of them they met at a Waffle House. And the video is high def. It is crystal clear it’s them. And, in terms of, you know, even the Craigslist stats, the IP addresses all came back to the same geographic region. Some of them came back to a residence. So he did a lot wrong, to get caught, if that makes sense.
Chris: How many years ago was this?
Allan: That would’ve been, I wanna say, 2013-14, somewhere in there.
Chris: Okay, you think that, you know, not to be morbid, but like, if someone were attempting the same thing now, that, you know, with VPNs or whatever, that people would find it easier to cover their trails, tech-wise. Are they more savvy in that regard now, do you think?
Allan: Some people are, for sure. I think, you know, a lot of people are like, “Well, I’ll just go to Starbucks, and do my thing there.” ‘Coz there’s ninety people connected. And there are. But, you know, at the end of the day, there’s only so many people there in that time-frame. And then, if one of them… Yeah, VPN, or even things like BitTorrent networks, the Core stuff, there are a lot of ways to obscure your IP, but when you get into the nitty-gritty of committing that kind of crime, you create evidence in a lotta places. It’s very hard to pull it off without leaving something behind to get caught by.
Chris: Yeah, wow. Yeah, so, do you have any particular interesting cases in your, sort of, non-crime forensics wave? I know you work in other areas as well.
Allan: Yeah, so, in the civil side of life, with the litigation support we do now, I can’t get into too many details, but we do a lot of intellectual property theft. And some of the stuff out there, you know, people work on, or some of the things people envision that become a very lucrative industry, it blows my mind every day. Things I never would have considered.
Chris: Okay, so, thinking… I guess we’re gonna, kind of, stick with the forensics thing here for the time-being, but… You mentioned that you started in forensics with an English degree, but are there any particular certifications that you think are crucial, especially since you were doing… Obviously, you were doing other stuff on your own. But are there any certifications that you think are crucial to have when considering hiring a forensics professional?
Allan: I would look at what they have. And I would go check out the organizations that had issued them. What you really wanna see when you’re looking for a forensics professional is someone who understands how to take care of your data, your evidence. Because the preservation, you know… Analysis can change. Quite frankly, you can change the goals of what you’re looking for, but if you didn’t preserve it properly, you have nothing to analyze. So, what you want is things like the CFCE I mentioned before. And there’s a lotta competitors out there. They’re all pretty decent, in that there are rigorous tests of your ability to collect and preserve, as well as analyze. So, I would say you wanna look at one of those. ‘Coz they’re all administered by organizations of people with a vested interest in making sure it gets done properly. More so than maybe just a college degree. There’s a lot of college degrees out there for forensics, which by now is arguably the far more traditional path. But the lab time is limited, so, even if they have a degree, you wanna see if they’ve gone beyond the lab, and worked through a series of tests, as well.
Chris: Okay, so when you’re looking to hire a forensics professional, you are waiting… You know, whether or not they have a certification that’s taught them to, sort of, collect clean evidence, as much as just an experienced list of things that they’ve, you know, found and broken into.
Chris: So, what are some of the most common mistakes that forensics professionals make along the way, in terms of either preparing for a career, or even in their day-to-day work?
Allan: All right, so, in terms of preparing for a career, I can’t emphasize enough, ‘coz you saw us at the State a lot, that the decisions you make in your adult life, so that starts at 18, and does cover college, will haunt you for certain eligibility requirements. When I first hired in, you know, the BDC drug policy was such that you could have tried things once but never have been a habitual user. Fifteen, twenty years later, you know, it’s had to mellow some. The world has changed. But if you think you’re gonna go out and have a big bender to celebrate graduation, and then be still eligible for those kinds of jobs within six months? Probably not happening. More importantly, when people trust you with their data, they’re trusting you with the details of their lives. So, there are still drug test screenings. You know, you wanna have a reputation for credibility and honesty, so don’t be surprised if a polygraph, or a detailed interview doesn’t come up, with questions from your past. So, you know, something you wanna think about the second you start considering that kinda career is, you know, “Do I need to make changes in my life?” So, I would say start there, as far as common mistakes. And then in the performance of your job, the biggest mistake I see is people trust their tools, without ever really putting them to the test. There’s a reason there’s not just one giant computer forensic tool on the planet that does everything. And that’s because every tool has strengths and weaknesses. And if you don’t know those, you may not know what you’re missing, you’re misinterpreting on a case. That it does cover bugs and patches is a reason things get upgraded. But it also includes knowing that, maybe, this isn’t the best tool to show your certain types of data.
Chris: How do you, like, what sort of day-to-day thing can you do to make sure that you’re using your tools properly? I mean, what sort of habits can you get into? Like, check it with this, then check it against another thing, check it against other things, something like that?
Allan: Yeah, two tools is a really good way to test things. Like, if your browser history formats have changed, which Microsoft did with Edge, and now they’re gonna change again ‘coz we’re leaving behind Edge and going to Chrome. By all means, use the tools that say, “Now we support the Edge browser parsing.” But take the ESE database, the extensible database? Take a manual tool.
Chris: You froze up one more time here. We were doing good for a sec there.
Allan: We were doing good. What was that, about a five-minute run?
Chris: Yeah, that was good seven, ten minutes I think, yeah.
Allan: Take a manual tool, go grab a database for your… Or, get out the hex editor and take the time to manually decode that data and make sure that it matches what the tool’s telling you.
Allan: You don’t have to do it every case, but if something has changed and you haven’t checked it, by all means, take the time to do it. We have a set of standard images I use, that have different data structures on them. I run through upgrades and patches to cases. We will delay patching systems until we’ve had a chance to validate it. But that validation is key in knowing that your tools really work and aren’t setting you up for a bigger headache down the line.
Chris: Right. Now, if you find yourself in a position or career that you don’t like, and you’re trying to make a switch toward forensics, what’s one thing in your current position you could do today that would move you one step closer to getting on that path?
Allan: If you’re working in tech, take the time to understand data. And I mean the structure of files, right? The headers and footers. The fact that it’s all hexadecimal. Start familiarizing yourself with that. Because when I talk about manual review, or I talk about the cheapest forensic tool on the planet, it’s a hex editor. So, there’s a lot you can do with even a freeware license text editor down the road. But you have to understand hex and you have to understand how that data is stored. So it’s to really start that process.
Chris: Okay. So, as we wrap up today, where do you see computer forensics changing in the years to come? Are there any new types of tools or techniques that are currently in, like, the beta stage? Or that are coming standard in the years to come? Any sort of procedural changes that you see coming?
Allan: Well, there’s two big changes coming, the first of which will be cloud data, all right? The tools we have now for extracting data from the cloud are probably first gen. And maybe still struggling to find a way. ‘Coz some of them extract data without the service provider’s consent, using user credentials. Others need something from the service provider. And those sorts of cooperation levels can change overnight. So, some tools work one day, some tools work the next. And we really don’t know what a cloud… We know that Google and Facebook and everybody keeps your data longer than what they say they do, even after an account deletion. They may tell you it’s six months, but we also know there’s tons of backup spec in there as well. So we don’t really know what data they keep about your data, that may be useful on a case yet, too. So, I think there’s a lot more coming down the pike on that end. And then, this applies to data recovery as well, but encryption is only getting stronger and more prevalent. Not just on computers, but mobile devices, you know, have been in the news a lot. And then there’s things like car systems, you know, coming under more and more scrutiny. We’re gonna see more and more protection there. So, that’s gonna change a lotta things.
Chris: Okay, do you guys have a sort of, strategy on… ‘Coz, yeah, we’ve definitely talked to people about heavier and heavier encryption, and DNS or ACPS and stuff like that. Is that something that the forensics field has, you know, contingency plans for?
Allan: I don’t know we have contingency plans. You have to know what you’re up against first. So the first stage is discovering what the changes are. Because obscurity manufacturers love it. And then the next step will be formalizing a process to get around it, or to get the data we need. It would be nice to see vendor cooperation. I don’t know that we will. But we’re getting back to understanding the raw manipulation of data. Getting back into hex and how things are stored. Which systems to target and which ones to not waste your time on. So, lotta research down the pike to come.
Chris: Okay. To wrap up today, tell us a bit about SECUREDATA, Inc. and some of the projects your organization is working on at the moment.
Allan: So, again, we do data recovery. In the same way you can specialize in forensics between computer and mobile or network, we offer disc and flash and tape, and even optical disc, recovery formats. We also… The security side of our life comes in avoiding data breaches, getting your data back to you. We offer a series of drives that are NIST-certified, encrypted as well, and good for federal use. The secure drive line, it’s securedrive.com. We’re the first that offers the ability to remotely wipe with this. So if you walk off and leave your laptop someplace, or your bag somewhere, we can guarantee your external never gets read, even if you’ve put the passcode on a post-it note.
Allan: It’s kinda fun.
Chris: And if people wanna know more about that, and your company, where can they go? Online.
Allan: They can go to securedrive.com, or if you wanna look at the umbrella for the data of covering the forensics services, securedata.com will take you to all those as well.
Chris: Okay. Do you have any sort of Twitter or social networking presence that you want people to know about?
Allan: Twitter me at @securedata and @secureforensics. My personal Twitter is @allan.buxton. It’s nowhere near as entertaining, tech-wise. But you’re welcome to take a look.
Chris: Okay, see what Allan’s had for dinner. All right Allan Buxton! Thank you very much for speaking with us today.
Allan: Thank you so much, Chris. I appreciate the time.
Chris: And thank you all for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to YouTube and type in Cyber Work with Infosec, to check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast catcher. Finally, to see the current promotional offers available for podcast listeners, and to learn more about our Infosec Pro live boot camps, Infosec Skills on Demand Training Library, and Infosec IQ Security Awareness and Training platform, go to infosecinstitute.com/podcast, or click the link in the description. Thanks once again to Allan Buxton, and thank you all for watching and listening. We’ll speak to you next week.