How to become a computer forensics investigator

Chris Sienko: Hello and welcome to our weekly Infosec Institute video series. Once again we'll be discussing a career path for people either on the existing career path or looking to try something new to change their life or change their career. Today we'll be talking about a career in computer forensics with Amber Schroader who is the CEO and founder of Paraben Corporation. Amber has spent the last two decades as the driving force for innovation in digital forensics. Amber has developed over two dozen software programs designed for the purposes of recovering digital data from mobile phones, computer hard drives, email, and live monitoring services. In addition to designing for digital forensics, she has also spearheaded the process and the procedures for mobile and smartphone devices as well as the emerging field of IOT devices.

Amber is the patent holder on the EMI shielding container otherwise known as Faraday Bank as well as inventor of many other shielding products. Amber has written and taught at numerous classes for this specialized field as well as founded multiple certifications in the field. So please welcome Miss Amber Schroader. Thank you for being here.

Amber Shroader: Hi, thanks.

Chris: Thank you for being here today. So we're going to start, and again this is sort of coming from a newcomer's perspective, but let's start talking at first a little bit about your professional journey. How did you get started in computer forensics, and what triggered your first interests in forensics?

Amber: I'd say the biggest thing that triggered me being interested, it was something that clipped in my brain. So this is the odd side thing is that I'm dyslexic, so I naturally do everything backwards, which is really what computer forensics is about in the first place is just taking all of security and doing it backwards, and kind of putting those pieces together. And so it really clicked for me where some of the other things they're like, "Hey, we really want you to do it always this way." It was very prohibitive, I've also been a big person of imagination, which I know you don't really hear in a technology thing, but I think it makes a huge difference in being in computer forensics and kind of going along that path.

Amber: I started when I was 14, and worked my way kind of through the industry and up until where I am now, but that was really kind of one of the triggers is actually finding that little bit of success to say, "Hey, this clicks in my brain and I can kind of follow it."

Chris: Now do you feel like the sort of path that you followed from age 14 to the present day can be followed similarly now? Has the technology changed? What were some of your jobs along the way that sort of got you interested in this and so forth?

Amber: Well I definitely think technology has changed a lot, and nowadays I look at it, and I talk to my 15 year old kid, and he has no idea what a command line is. So it is probably a little easier than it was when I started where it's a lot more button clicking than it used to be, so it makes it a lot more accessible for a lot of people who might want to switch out jobs as opposed to starting the field from the foundational time until now. I think it is a lot more accessible because it's a lot more use of just technology.

I'm a fundamentalist. I believe you should actually understand how everything works, but we're a dying breed in the digital forensic space. A lot of people have no idea what their examining at the end of the day.

Chris: Yeah. We talked with Keatron Evans who works at Incident Response, and he was saying that one of his big pieces of advice was to know everything. Know the networking aspect, know the security aspect, and you're just going to find things better. So hearing that from two different people, I think there's probably a lot to that.

Amber: Oh yeah.

Chris: So for the benefit of our viewers who are considering computer forensics as a carer for the first time, can you sort of walk us through the day-to-day activities of a forensics professional?

Amber: Okay. So the big thing to have everything debunked, there are no lab coats, there's no one walking around in pig tails, and few unlike they're that edgy like NCIS or CSI. It just doesn't happen. You will wear gloves all the time because computer data is just as digital as other people's data. It's still belongs to someone else, but the day-to-day is pretty simple you spend a lot of time waiting for imaging to happen because that's just a fundamental aspect of it is that you're going to image something, and computers only process so fast.

What I spend the majority of my time doing is I'll image, and then I'll spend a lot of time in analytics, and really trying to understand what my suspect is thinking when they're doing it. I do a lot of smartphones, and so one of the aspects of the smartphone is different than on a computer is you actually learn a vernacular associated with a person, and that can be very hard because there's a lot of times I'm like, "Okay, I totally understand what they're trying to say. Let me figure it out with this." This acronym still means this when you're my age versus the age of my suspect because it is so different, and some of those psychology aspects really become a lot more important when you start looking at digital data because it's very personal and active with that person.

So a lot of it is spent in that, troubleshooting because staff is abused, and so it doesn't process perfectly. They have a TV. I think if my mom calls me one more time and says, "Why don't you do stuff faster? They did the email in like 10 seconds." And I was like, "Mom it's TV. It takes a couple of days."

Chris: Right. No one is rotating 3D models in front of the-

Amber: No. It just pops up out of nowhere, and you're like, "Oh good." Then you're like, "Yeah great. No, I'm still breaking the exchange server down." She's like, "Exchange? They didn't have that on TV. You made that up." And I was like, "No I didn't." It's amusing because the CSI effect has really changed the digital forensic space. It's made it a lot more attractive to people that are actually interested because it exists, but as far as day-to-day I mean realistically, I'm a tee shirt and jeans. We're actually casual at our lab, but we still treat it like a science. There's a lot of checklists, there's a lot of making sure you're following it and doing the same procedure every time because otherwise I'd be doing more of an art than a science.

Amber: then of course there's validation. We do it once a quarter, so we have to revalidate our tools. It's kind of like calibrating a computer in a way. So we do that as part of our lab procedure, but I don't know if a lot of people do that. There's a lot of writing as well. No one ever talks about that in computers. You got to be a good writer. There's a lot of it.

Chris: Yeah. You're conveying what you found to someone else. You're not just-

Amber: Mm-hmm (affirmative). And you have to make sure they understand it, and it's even harder if you're doing any work with a jury because then you're explaining it to your mom.

Chris: Mm-hmm (affirmative). Or 10 of your moms.

Amber: Yeah. 10 of your moms that are all talking together behind your back, and you're like, "Oh please let them understand what staff check does." It's not pretty.

Chris: So what are some of the big challenges you can expect to face in a standard day? Like what are the things that are really sort of difficult on a day-to-day basis to work through?

Amber: I think part of it is that frustration of just things not going well or not working with mobile more than computers. Normally computers, hey you're going to have a problem pulling a drive, different things like that. Why does it have this weird encryption? But with phones, you have to adjust for every phone because it's clanking around in someone's pocket, and it really changes your acquisition, and then you're having to work in a Faraday Cage on top of it, which makes it so you're like, "Great, I'm wearing these weird metal gloves while I'm working on this." It's kind of that adjustment to it. It's not perfect.

I remember when I was in specs working in anything digital to be perfect, and it's a lot of troubleshooting. It's okay, it works great this time, let me follow the procedure, let me image it with more than one tool, and then it didn't work great with the second tool. And you're like, "Great, now I'm on the third tool." Then when you hit the fourth tool, it's a camera, and you're taking pictures of a screen and everything, and you're like, "This is not what I expected."

Chris: Yeah. So on the other side of that, what are the most interesting parts of the job?

Amber: I think actually, don't laugh, it's the data. Not that reading everyone's little deep dark secrets is that exciting, but it's interesting to see how people actually function with their data. I did a case in the last 12 months, and I use it as an example because it was the first time in my career I ever had my suspect where the only device they used for the internet happened to be a smartphone. And so they had 235,000 text messages, and I looked at that, and it was like, "Holy crap, this is a lot of reading. I don't want to read this."

Yeah. They had 125,000, 130,000 cookies on a phone. On a phone, and you're just like, "This is a massive amount of data for something you wouldn't expect that to come from." And there was a lot of sifting. It actually took two of us to do the analysis because actually of an age difference. We only had an age difference between me and the other examiner of about five years, but she was from a different region in the country because I didn't understand the vernacular.

So I couldn't put everything together on my own. It took that extra kind of explanation, but that data part is very fascinating. If you like doing puzzles and putting things together, digital forensics is the space for you.

Chris: Wow. So what are the certification that you think are crucial to have when considering hiring a forensic professional or being one? And do you think that certifications are a mark of knowledge on the candidates part or is hands on work weighted more heavily? Do you think there's advantages to both? Disadvantages?

Amber: I think there are advantages to both of them. So a lot of certifications in digital forensics actually come from the manufacturers. So for example, Paraben, we our own certifications that are associated with our tools because we're essentially telling you how do you use this drill to the best capacity you can use this drill? And so you have to go through that process for it, you get that from open text, you get that access data, etc., so they'll each teach you that. So that's important because I don't want you to come into the office and not be able to use digital. That gets a little freaky because I have to wait for you to be functional with the tools you're given.

So that's important to get a diverse offering in that. I think that's the other thing is not make sure it's centric to one thing. Overall, certifications I think there's a variety out through from ethical hacking, like a certified ethical hacking, forensic examiner. I can't ever do the acronyms, it's the dyslexia.

Chris: Right. Fair.

Amber: Yeah. I'm like, "Oh there's a lot of them." Those have a value to them because you're going to learn those fundamentals as are the college degrees. You can get in cyber and different things like that, but you need to have those fundamentals. Those certifications didn't exist when I started because it was in the very beginning, and so a lot of that you can actually compensate for some of it with really taking time to read some of the fundamental books. There's great books out there that you understand. If I'm going to do a file system work, I'm going to read Bryan Carrier's book on file systems because that would make sense. He's got fundamental information on that.

And being up to date in those areas based on the type of exam you're going to do, because that's the big thing is you get writing. I'm also dyslexia and ADHD. I'm like a combo pack. So with that, it makes it very interesting because you're not doing the same thing every day, but it means I'm constantly having to do a learning. So yes on the certifications, a huge variety out there, but alto of people have started to specialize. I keep myself well rounded so no necessary not specializing in one place, but a lot of people emerging in the field there, I'm only going to be doing computers, I'm only going to do mobiles. IOT almost. There's actually not that many people doing IOT right now, but you're kind of seeing subsets come out just because the knowledge base is so large.

Chris: Do you think that there's a strength and weaknesses to either? You personally, do you recommend still staying well rounded or do you see benefits in a specialty?

Amber: I think it's better to stay well rounded because you see too many trends change with. So we have devices that they talk about Apple right now is how they're changing their firmware, and they're locking computer forensic tools essentially. That's really what it's doing is disabling the port. So you look at that and say, "Well what's the future of doing Apple forensics? That's my specialty." Then you just kind of cut yourself off and you're like, "Great. Now I need a new career path." It's like, "Okay you're going to go open a food truck?" So you got to adjust and say, "Hey, let me see that I have some other skillsets associated with it."

Amber: There is a massive technology merging happening no matter what, where all of our different electronics are kind of coming together, and you're seeing ... I always joke, I said, and they put out an article where it's Cortana, and Alexa, and Siri, how they're the new version of the Heathers, the new best friends of each other that are trying to rule everyone because that's multiple platforms, and that's really where having to look and research. And so people understanding that and understanding things like the cloud I think are really important because that's really where data is ending up going.

Chris: Now, sort of moving on from that to sort of the workforce. What types of companies and organizations can a forensic professional expect to work with? Are you mostly working on sort of contract basis, or do any corporations feature or hire an in-house forensic expert?

Amber: A lot of them hire an in-house forensic expert. They become part of their risk assessment team a lot of times. So you're usually communicating to them, reporting with the legal department, which you wouldn't expect to be. You're like, "Why aren't I part of IT?" But a lot of times you're reporting to the legal. I'm surprised in how many corporations, I never would have guessed it, have internal forensic examiners because you never know when there's going to be a response to an HR issue, a compliance issue, whatever it may be. That might not be a breach where we're used to seeing that kind of on the security side, and on the forensic side you kind of get all the little pieces as well.

So they'll have one to two guys in a company that is a multi-billion dollar company who just do digital forensics. So I think there is always a call for that. There's also lots of people out there that have external hires as far as doing it in contracting as well.

Chris: Okay. Can you tell us a little bit? I know you sort of come to computer forensics from the sort of corporate or private sector. Can you tell us a little bit about the difference in your sort of day-to-day work between corporate private versus law enforcement, how your skills vary, what your activities are and so forth?

Amber: So corporate I have a lot more regulations is really what it comes down to. I have a lot more restrictions, there's extra paperwork associated with it, there's a lot more consent that you have to get from the different parties involved to make sure that you're able to access every layer of the digital data that they have. So you do get bobbed with a little bit of the paperwork in comparison to law enforcement where they kind of get one tier of paperwork, and it gains them access to a lot of different things. The other thing is the type of data that I'm looking at. I prefer looking at the corporate style and civil data than I would want to look at the law enforcement data, and I have a lot of respect for those that do do it because it's very hard to see the digital crimes that are happening on that side.

That is actually an area that I'm sure you're going to have someone talk about that in the law enforcement side, but they actually had to start dealing with the how do you cope with the type of data you see. Digital forensics doesn't uncover unicorns and rainbows all that time. So it's like you have to be prepared for that zombie unicorn that's in there that's like, "Oh this is bad. I didn't expect to see this."

Chris: Now, do you need to be on kind of one career track or the other? I mean we talked about specializing before, but do computer forensics professional move freely between sort of law enforcement and private sector?

Amber: Oh absolutely. I think they can. A lot of law enforcement when they retire and they go private sector, they'll make sure they stay a sworn officer with a group that they did work with, and volunteer their time into some of the organizations that are out there's like ICAC, Internet Crimes Against Children. They can volunteer that way. So they'll stay current in both ways. If they decide to start their own shop, obviously doing this type of thing it's all about making sure you have the right letter of engagement, consent agreements, and of course insurance because you're dealing with people's data. So you want to make sure you have all that put into place before you start your own shop up.

Chris: Okay. Excuse me for a moment. What are some of the most common mistakes that computer forensics aspire to make along the way? What is something that you could do that would sort of put you back in your journey that you should watch out for?

Amber: Okay. So like actually pull out a little soap box, and we get a stand on it.

Chris: Please.

Amber: So here's my pet peeve. People forget that it's supposed to be a science, it's not an art. You don't just kind of walk in and be like, "I feel like doing it like this today," and it's going to work out really well for you. And so a lot of organizations that do have forensic people and a lot of people starting into it don't go through and actually do a proper validation of their tools, and they don't revalidate them because it would be nice like, "Oh our systems never change, but we're dealing with digital data." And so it's changing all the time.

So there's a lot of that process and procedure that are missing. And as I deal with different attorneys, I say, "That's the first question you ask the other side." It's like, "What's your validation plan?" Because it's kind of calling them out. It's not necessarily about what my personal certification is, it's how is my lab actually functioning as a lab, and people forget that aspect of it because it's spreading. They're like, "Oh I don't want to do that. It doesn't sound exciting, it's not interesting."

It doesn't take long, but it's maintenance. You have to do it. You wouldn't sit and never update Windows. We all suck it up through Catch Tuesday, and this is kind of your quarterly patches that you have to do to your lab accreditation in a way. Not official accreditation, but just every lab has to have validation, and they're not doing it, and I think it's really going to catch some people, and it's going to make horrible case law because as a digital forensic person, I have the burden of proof. My job is to prove your innocence or your guilt. It's either side, it's not just one side. It's not like, "Oh everyone out there is guilty." No, it's your proving innocence or guilt, and they forget that, and you have an obligation associated with it. That's my old school, "Here's my little soap box. You can put it away."

Chris: Great, great. Yeah and again that sort of speaks to this sort of new generation of people who might have seen NCIS or whatever and think, "I can just kind of come in on my instinct, and puppy my way through it." Yeah, yeah. Exactly.

Amber: Yeah. You're going to sit down like and are going to open this computer, and you're going to start reading this email, and you'll say, "It's right there." And it's like, "Nope, it doesn't work like that."

Chris: Nope, nope. So again because this is a career path and because not everyone is already sort of along the way, but might be watching this and thinking that they want to make a sideways jump into computer forensics, what is one thing that a person could do or make in their current job that would bring them a little closer to a full-time career in computer forensics whether that's reading in the evenings, or asking for initial responsibility at work, or doing something hands on. What do you think?

Amber: I think there's a couple of different endings that they can do. First off, before they decide to explore the field, remember one crucial thing is no one can teach you to be the investigator part of it. They can teach you all the computer stuff. Every single one of us that is a nerd, we can go through, we actually like our computers and probably talk to it on occasion, all those things. That's the easy side of it. The side that's very difficult to teach is really building up that, an understanding approach to the data that says, "Okay, how do I know that Bob is talking to Sally, and they're committing these crimes together?" And that process is really that part you should look to refine a little definitely, and make sure it's something you like to do.

But in the evenings it's the same thing that I do to maintain my career, which is a lot of reading of what emerging technologies are, and how they're going to impact forensics. How can they be used in a crime? I sign up for free training all the time. This is, "Okay, let me sit and watch this and see that experience for someone else." I've actually billed every manufacturer that makes technology for this space because it's heavy RND in this space, and start subscribing to their YouTube channels. I never thought I would say that, I feel like I'm too old to say that I totally spend time watching YouTube, but I spend time watching YouTube because there's good content on there that walks me through it, and teaches it, and then practice.

The best data to practice on is your own because you understand what it's like to kind of through it and say, "Oh I did send that text message," or, "Oh, I did send that email." And be able to know that you could find it means that you could find it on someone else that you don't know anything about. A lot of times you're just given a computer and you're like, "I know nothing." Great. Let's see what I can put together and find. It's a practice field. I don't think it's one of those where you can just read all that time, where you can just use certifications. I think it's a practice.

I always encourage people to practice on their kids. They're minors who enjoy it. Look at what they're doing. I know I'm going to get so much crap for that, but at the end of the day that's what I did with my kids. They have an obligation.

Chris: Watch out for the comments section. There's going to be a lot of 15 year olds down there.

Amber: Yeah. They'll be like, "No."

Chris: "No, don't do it!"

Amber: It's true. At the end of the day, one, it's a great way to start a conversation. I said, "Hey, you really shouldn't be going there on the internet. Let's talk about why." But it's a good way to kind of understand home natural digital movement occurs. You can do that from fake data. You get that from real people using it.

Chris: Right. Let's talk a little bit about the career field these days. What's the field like for forensics experts these days? Is it growing? I assume it's probably growing, but what are some ways that you can set yourself apart in a potentially tight job field?

Amber: Statistically it is growing. So that's a positive is usually when economies do better, then there's more crime. More people going to court, and all those things, that's all the signs of a positive economy and everything else. Things that you set yourself aside, again people laugh at me. They're like, "That's not a digital thing." But actually being a good writer is a huge difference because it is a lot about your reports because that's really your work product at the end of the day, is making sure that it's coming across clearly that you can convey those ideas in written language because the other side is if you end up going and giving testimony, you've got to be able to do it verbally. If you can't do it written, you probably can't do it verbally. They kind of coincide with one another, and just kind of putting themselves out there for it.

If people don't feel comfortable with that, then they need to get comfortable with it. Old school joint host masters, things like that. So you can actually start being comfortable about conveying information to other people. It's not like IT where you kind of sit in your zone and you may not share it with others. This one, you're going to share it with somebody. It's probably going to be a lawyer too, which they're not always happy to hear what you have to say.

Chris: Mm-hmm (affirmative). So looking ahead now to the years the come, what is your sort of spot prediction where the field of forensics is going to be gone in the years to come with regards to technology changes, or procedures?

Amber: I think it's going to come down to a lot more cloud and a lot more live. So those people out there that do have network skills, that's really going to become quite handy and a lot easier to kind of cross the bridge over and be able to capture data in a digital forensic manner because that's where the data is missing. It's not sitting on the computer so much anymore. It's out there. It's on someone else's computer now. I mean it's on the cloud. And because of that, I think having that mixed skillset will be a big deal. If I were to pick my area of knowledge is the weakest is actually probably on the network side because I rare do anything with network forensics anymore.

I'm doing either a dead box, I'm doing smartphones, or I'm doing IOT, which means I'm also doing cloud, and I realized, I'm like, "Who had to pull back in those recesses to that other partition?" And say of my brain, "This is okay. Let's review that old information I had in there, and update it, and make sure I'm good to go." But I think it's an easier bridge for putting because that's coming very, very quickly. In the next year probably being able to understand a cloud architecture and where data is stored in the cloud, and how you can potentially capture it will be an entirely unique skillset, and people will love having that on their team.

Chris: That's fantastic. It's a really great place to wind things up. Do you have any final tips or encouragements to our potential computer forensic aspirants?

Amber: I think the very thing is don't give up. It's never an easy transition, and it's not ... Every case isn't one of those, "Yes, I found this smoking gun. It was amazing." A lot of times you're like, "I found nothing. I just looked at 100,000 different things, and I read through all of it, and I found nothing." It's a process, and they're not always going to be interesting, but at the end of the day it's that old school justice side of me. I always grew up wanting to be Wonder Woman, so it was ... I know I'm doing my best to prove an innocence or guilt, and that's why I really love this space, and I stayed with it for as long as I have.

Chris: We're awfully glad that you have stayed with it for this long, and I would like to thank you very much Amber Schroader for talking to us today. Just a reminder for those of you watching this video, Infosec Institute also features classes and online boot camps, and in-person boot camps on computer forensics and many other topics. You can visit us at infosecinstitute.com. If you'd like to read lots more about computer forensics, you can also check out our daily updated blog at resources.infosecinstitute.com. Thank you for watching, and we'll see you again soon.