Running a digital forensics business

[00:00:00] CS: Today on Cyber Work, we have Tyler Hatch of DFI Forensics. Tyler tells us about moving from being a lawyer into the field of digital forensics, the key traits of a great forensics professional and how to prove that incriminating evidence on a defendant's laptop isn't always what it seems. That's all today on Cyber Work.

Also, I want to tell you about a new hands-on training series called Cyber Work Applied. Every week expert Infosec instructors and industry practitioners teach you a new cybersecurity skill and show you how that skill applies to real world scenarios. You'll learn how to carry out different cyber attacks, practice using common cyber security tools and follow along with walkthroughs of how major breaches occurred and more and it's free. Go to Infosecinstitute.com/learn or check out the link in the description and get started with hands on training in a fun environment today. It's a new way to learn crucial cybersecurity skills and keep the skills you have relevant. That's Infosecinstitute.com/learn and now on with the show.

[00:01:00] CS: Welcome to this week's episode of the Cyber Work with Infosec Podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of Infosec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry.

Our guest today, Tyler Hatch, was born and raised in suburban Vancouver, British Columbia, Canada, following a six-year legal career that include representing clients in legal proceedings in small claims, Supreme Court, and a variety of administrative tribunals in British Columbia, Tyler found his way into the fascinating world of digital forensics and never looked back. After spending some time with a Vancouver based digital forensics firm, Tyler formed DFI Forensics in July of 2018. He's also the host of the Digital Forensics Files podcast, a fellow podcaster here, I wanted to get him on for that reason as well.

Tyler is a certified computer forensics examiner, CCFE and a certified mobile forensics examiner, CMFE and is always training and receiving education to further his knowledge and understanding of computer forensics, IT forensics, digital forensics, cyber security and incident response. He is a frequent contributor of written articles to various legal and digital forensics publications, including advocatedaily.com, lawyers daily.ca, eForensics Magazine and Digital Forensics Magazine.

Tyler, thanks for very much for joining us today on Cyber Work.

[00:02:23] TH: It’s my pleasure, Chris, thanks for having me. Looking forward to this.

[00:02:25] CS: Great. Glad to have you on board. Our listeners are always excited about forensics topics. Our forensics episodes are always sort of very well watched. So, we'd like to always start out because a lot of people are interested in forensics and a lot of people here are maybe thinking about it as a career or just getting started. How did you first get interested in tech and specifically in cybersecurity and in forensics?

[00:02:50] TH: Yeah, big question. So, I've always been on a consumer level very interested in technology, whether it be, back when I was younger, like TVs going to DVDs and Blu-rays, and then upgrades and technology through my life. And I was born in the ‘70s, so I grew up not on the internet and these kinds of things. To suddenly have this kind of technology just fascinated me. I always try to embrace it. When I was a practicing lawyer, I always tried to use technology to make written notes, for example, and use an earpiece while I'm talking to somebody to take notes better rather than just handwriting stuff, and keeping things paperless and online and things like that.

And as I did that, and as my career as a lawyer progressed, and I realized how important it was to prove things with a finite degree of probability and certainty. I just naturally started to think about forensics, and I sort of became aware of it a little bit. But, you know, I stopped practicing law in 2010 and this was still very much an emerging field and technology. We were in sort of like the beginnings of the iPhones and Blackberry, but not really terribly advanced. So, to see where it's become now, and just to see the amount that people are using technology, it's amazing to see the digital footprint that gets left everywhere. In our modern world to be able to prove what somebody was doing, what did they know, how did they do something, what did they communicate? It just fascinates me. So, I kind of got sucked in.

To answer your question, how did I get into the field, I actually took a break from law for health reasons for several years and in 2017, I started to see that I want to go back and I was healthy enough to go back into law.

In the meantime, while they're processing my application, I needed a job and I happen to see an opportunity come up for this Vancouver based forensics firm that had been around for a long time and they said their clients were lawyers, and that's what I was going into. And it seemed like a really good opportunity in the field, although, I didn't really know what it was, to the degree that it was just obviously it's very interesting and seems a lot of fun. So, I ended up getting that opportunity and it just captured me in a way that I've never experienced it, maybe so passionate about it. And I just said, “Forget about law. I'm doing this.” Eventually, for a number of reasons I, I started my own company doing it.

It's such a great feeling just to see the advancements over the last couple of years, it's so fascinating. I'm so glad that I'm a part of it.

[00:05:24] CS: Yeah. Can you talk a little bit about the difference in procedure between being a lawyer and being sort of a forensics person, because you're definitely still in law based things, but you're sort of coming at it from a different point of view, more of a detective side of things, so can you sort of talk about where some of the parallels are? Where some of the divergences are? And also, it sounds like, people in a law background would be especially suited to sort of forensics work. Do you find that to be the case?

[00:05:58] TH: Very much. Law enforcement as well as a legal background is so beneficial. And the reason why is because lawyers, one of their primary roles is to gather facts and put together a case. Your client will come in, and they'll tell you a story and this story results in our lawsuit. So, you have to verify what they're saying, you have to find verifiable information to back up that story, or prove the case. And then you have to advise the client, this is how much we can prove your case. And based on that, I'm going to apply the law. And you go through that in the procedural aspects of going to court or whatever forum that you're in.

My role now, while I understand the overall context of legal proceedings very well, I'm only charged with the task of gathering that evidence and proving or disproving a theory or a factual assumption. And really just telling the story based on a device, and a lot of people again, I say this all the time, but it's so funny people are like, “Wow, digital forensics, that's really cool.” And then the next question almost invariably is, “What the hell does that mean? What is it?”

So, I'll give you an example of a case that I'm working on. But it's kind of tragic, but also very interesting. For years, I've wondered why distracted driving cases, text messaging, while you're driving hasn't come up more and more. Our phone should be ringing off the hook. A lot of accidents that involve distracted driving. We're only now working on the first case and it's actually from an old iPhone from 2013, where there's a suspicion that one of the drivers may have been distracted by his phone. So, we look at the phone, we see what was going on at the time. Was it powered on? Was it unlocked? Were you receiving any information? Were you online? And that fascinates me. And we can tell very clearly down to the second or the 10th of a second what exactly was going on. It's so useful. So, it's a great example of just sort of telling a story.

[00:07:48] CS: Right. And I think that's also a thing worth emphasizing and hope you can talk about a little bit is just the storytelling aspect of forensics in general, because it'd be easy enough to sort of corrupt the idea of forensics and sort of think of it in terms of NCIS or CSI or whatever, where it's all just like high tech, and it might be sort of out of people's range. But like the tech is not necessarily that high. But like you say, the storytelling and the problem-solving aspects are a bigger part of it, is that correct?

[00:08:22] TH: Yeah, 100%. A good point is, anybody who is going in with a particular view. In other words, if you go in assuming that something happened, and then you want to cherry pick evidence, this is not the field for you. You really want to go in with a blank slate and collect everything and understand what the evidence is telling you and there's a very big difference there.

For example, we recently did a case for somebody who's charged of being in possession of material on their computer. And at first blush, if you're sort of like, I'm a cop, and this is a bad guy, and you're looking at the computer, you see material there, you see the same material on a USB drive, you would think that somebody committed a crime, and this gentleman was charged with a crime and he was out on bail, and he wasn't allowed to use the phone for three years or something like that. And finally, the criminal lawyer came to us and we actually examined the evidence that the police examined, and yes, the material was there, but you can't stop there. You have to understand how did they get there? Why is it there? What do we know about it? This was actually somebody who purchased a laptop on Craigslist. So, it was used and, yes, the evidence was there but it was under a profile, like a user profile, that was not him. And the timeframe was way outside of the time that he actually bought the computer. So, that solved that.

Then the next question is, well then, why is it on a USB when your guy made a copy of the drive, now it's on the USB. Great, that looks bad, too. But he just made a backup of the entire computer to a USB drive, which then includes all of the user profiles, including the one that was the issue. And that case got dropped immediately. This gentleman was off these charges and all we did is tell the truth. Just bring that to light, something that look bad at first, there's more to the story. And when you uncover that, it's all about truth and justice and doing the right thing. That's what I felt really good about in that case.

[00:10:17] CS: Can you can you tell me some more? Do you have any other sort of highlight cases that you've worked on with DFI that you're especially proud of or might be interesting to listeners?

[00:10:28] TH: I think that one was probably the highlight of 2020 for me in terms of last year, just in terms of the result, because it was good. And sometimes people do these bad things and you have to tell that too and that's fair.

[00:10:41] CS: Yeah.

[00:10:41] TH: But the other thing, I think, that we were involved in this year that I found just so interesting, was a ransomware attack, and it actually hit one of our northern Canadian territories. I was one of the power companies actually. And it took down their network. I mean, what people have to understand when the spread of malware starts encrypting backups, you just take systems offline, that's what you do. That's why these large cities in the US get shut down for months at a time and also in their operations aren't online anymore. It's a real problem.

But, providing an essential service, like power is really important, especially in northern Canada, where it's kind of cold. It was very important that we do work quickly and understand how this person got into the network and launch this payload that disrupted this entire area. And it was a very vast spread out network, IT network, there were a lot of locations, and all the credit to my senior forensic examiner, Juseop Lim, he found in literally hundreds and thousands of logs of events, the tiniest most innocuous needle in a haystack where the attacker exploited a known vulnerability, but very obscure, it was actually a print for school, a very small sort of service that allowed them to sort of get some credentials, and then pivot to another area of the network and elevate privileges and do what he did. It's amazing how you can tell something like that and stop it from the smallest little needle and haystack.

[00:12:10] CS: Can you tell me a little bit about your staff? You mentioned your senior researcher, how big of a research staff and how many like facilitators and so forth do you manage? To that end, what is the size and scope of the types of cases you work with? It sounds like you're working with Canadian territories and stuff, so you're apparently getting like pretty, pretty big cases. But can you talk about the size of DFI Forensics as a as a group?

[00:12:34] TH: Yeah, we’re pretty small. So, at this point, we're a new company and a young company, in order to grow, you have to grow smart. We all do a lot. We recognize we're a new company and I have a very committed team of three people, including myself but they're very high level. And what I do is I hire good people, and I let them do their job. Not prepared to do, there's no time to micromanage and do all this kind of stuff. If you're going to hire somebody and bring them on, you need to trust them, and their skill set. I've done that.

So, Juseop is my senior guy. He was educated in Korea. He worked in Korea. He worked in New York, New York, and for the prosecutor's office. He has a Master's Degree in Computer Science. He's an MK certified forensic examiner. He has 10 years of experience and the education side is remarkable. Juseop, what makes him so good is that he's just got that innate desire to do everything that he can to solve your problem. And that's really what probably your students or some of the people who might be listening to this podcast would want to know. Training is great, and we all need it, we have to understand the technology and what we're looking for, but that desire to drive the investigation to the very furthest point that it can go is just so invaluable.

[00:13:53] CS: So, that's always worth repeating and you know, all of our friends and people have said that too. People who are problem solvers, people who aren't willing to let it go until they're absolutely certain that they've done every possible thing. And also, like I say, good storytellers. So, to turn around the other way to the training and the skill side of things, what are some things that people should be learning or studying or getting involved with if they want to prepare for a career in digital forensics or pivot from another cybersecurity job into digital forensics? What project should they work on? What sort of like demonstrations, things like that?

[00:14:30] TH: Yeah, I mean, it all starts with an interest in the field and a passion for the field. I'm going to go off on a bit of a tangent but cybersecurity and digital forensics are two sides to the same coin of cybersecurity and cyber attacks. Similar to how you have courtroom lawyers and solicitors who do the agreements and all those kinds of things, wills and estates, and so solicitors will plan for an event that has not happened yet, and they'll try to formulate agreements and written documents that contemplate all the ways in which that an event can go wrong. When something goes wrong, the litigators come in, we fight about an event and we dissect it, we apply the law to it. That's very similar to this in the sense that once a cyber attack occurs, that's where forensics comes in. That's where you're doing the incident response, all the stuff that leads up to that, in my opinion, in cybersecurity, and the prevention aspects.

I find that most students and most people in the field providing services are almost, I would say, 90% or more are in cybersecurity. And there's not a lot of people doing forensics, particularly in Canada. So, I think if I was a student, I would probably go into that field in terms of it's a growing field. The problem is, is that you can do all the training you want, but you need experience, so the biggest bar to entry into the field is getting that experience and I really feel that way.

I don't know where I would be, had I not started my own company. Certainly, in the early days, I was not certified, I was not educated enough to actually do the work. And there's always my goal to have a team that did the work. Out of pure interest, I then got certifications through Infosec Institute and I continue to develop my training and skill. So, I'm currently writing EnCase certification, I'm doing some stuff with Cellebrite, I'm working with Paraben for their E3 Training. So, I'm trying to broaden my skills. You're always trying to learn, and to be honest with you, just the curiosity factor, when I'm using my cell phone, I'm always curious, what is this app? And what is this new feature? And would I know about what I'm doing if I had this phone in investigation? It's really interesting. So, just that kind of curiosity factor.

And so, what can students do? they can they can write articles, they can do research, they can play around with free tools, and extract your own data and see how you would get it. If you understand how to do that with a free tool, I promise you, you'll be better in the field, when you're using a paid tool that does all of that work for you in a much more efficient way. But there are free tools available, but you can just tinkerer around with and you get to do it in not a real-world experience where the consequences of making mistake aren't so dire. And that's how you learn.

[00:17:26] CS: What would, you say, would be a good first certification for aspiring forensics professional to start working toward?

[00:17:34] TH: Yeah, hands down, and one of the reasons why I contacted you, because I'm so proud of going through the Infosec Institute training. So, when I was starting my company a couple years ago, and realizing that I wanted to get certified, it wasn't easy to find the money or the time to do it. And one of the things, I was blown away by the value of Infosec. I was looking at the bootcamp courses and things like that and they tended at that time to be very expensive packages and a large commitment of time. But what you developed was a program, sorry, Flex, I believe it was called back then where you can sign up for a year, and it was such a great price point. And you could do it at your own pace and the skill sets and pathways to learning and certifications were so broad at that time. That's how I got my my intro certifications. And I really got some great training there.

Now, I look at that program, and I'm still a member, because the training is great. And they've added labs and and all these kinds of techniques and skill sets just beyond watching training videos. So, it’s far more interesting to do. Again, the skill set is so broad.

[00:18:45] CS: Cool. I want to sort of have you walk us through aspects of digital forensics in the sort of application aspect. I mean, obviously, not everyone on your team is doing the testifying in court, and not everyone is doing the research and stuff like that. Can you tell me a little bit about the way your team breaks down in terms of who does what and I'm sure a lot of people wear multiple hats and so forth, but what are the different sort of key points to your forensics team?

[00:19:17] TH: So, just by sort of consequences of being my business, I'm the intake person, so I get all the phone calls and emails. And some of them are a good fit for us and some of them are not. And it's very important for me to talk to people have a good, no charge consultation, where a lot of people think their devices have been hacked, for example, there's some very serious conversations that have to happen with that, for them to understand the chance of them being hacked, how the technology works, how we can help, how much it's going to cost, all of these kinds of things. And I'm the first one to say, “This is not a good fit. You're just going to spend a bunch of money and we're not going to be able to tell you anything.”

So, I do that. And then with the legal cases, I take that and once I have a better idea for the circumstances, the surrounding facts, what devices are involved and what evidence we can get off it and how we can sort of help contribute to the problem, then I delegate it to the team. And the way I do that is specifically, is this something that's likely to go to court? So, I probably want somebody senior on that. I want somebody with specific experience and qualifications on that. Is it a really technical issue that’s going to require some very tricky communication and some technical language that needs to be put into plain language for a tribunal or a court? In those situations, I favor myself being involved because I can bridge the two worlds fairly well and I got the chance to go into court a couple weeks ago. I could see the expression on the the judges face where he was just like, “I don't understand any of this.” He was only rubbing his eyes going like, “What are you guys even talking about?” And just knowing that I can slow it down, and I can draw his attention to parts of my report where there were visual representations of what I was talking about and screenshots.

So, yeah, we just delegate the work that way. And to answer your question, not everything goes to court. Often, they do. But we do work for private individuals as well and sometimes those cases have nothing to do with court. So, that contributes to my thought process, when I'm assigning the file to one of our examiners, or researchers, as you alluded to.

[00:21:36] CS: Okay. And do you have anyone on your team whose sole or primary job is just the sort of writing storytelling aspect of it, who maybe doesn't have a lot of tech background, but is able to explain the concepts in a way that as you say, the the eye rubbing judge can easily understand?

[00:21:53] TH: Yeah, it's always best for somebody when they're writing – first of all, everybody gets a written report on what we did and what we found and how it relates to what they hired us for. It's always best if the examiner who worked on that file produces the report.

[00:22:08] CS: So, pretty much everyone has to have the writing skills, as well as whatever other tech skills they have?

[00:22:13] TH: Hundred percent. Communication, verbal communication, writing skills is so important, and just to be able to apply logic., I was asked to do A, I did B, C, and D, I found E, F and G, it means blah, blah, blah, like, there's a very specific way that you have to lay out the information. And not everybody can cut through that in a very efficient way when there's an overall complicated fact. So, it’s not easy. And writing is very difficult when you've done something.

So, I always encourage people to write, get the practice, do that, but I sort of oversee the final product. And I always sort of look at the draft and I revise as necessary, and maybe ask for more detail or more clarification. Sometimes there's follow up work, that kind of thing. So, it's always good to have a second set of eyes on it as well.

[00:23:01] CS: Has there ever been a case where you just weren't able to convey what you found to a judge or a case, within a case where they were just like, “I don't know what you're talking about.” Or do you always eventually kind of get over?

[00:23:16] TH: Yeah, it's always a challenge. So, there's a lot of cases where we can't avoid being technical to some degree. And going back to that power company case, where it was a very complicated scenario, and we're trying to communicate to both the IT team and the executives who are in charge of making the decision, those are two very different audiences. So, we tend to do like an executive summary in plain language, broad stroke, the 30,000-foot view, if you will. And then we actually set up the minutiae in another part of the report that's specifically for the IT people to understand. And we know that on the heels of our investigation, there's going to be a cybersecurity team to avoid it from happening next time, so they want that information in a very technical way, so that they can work with it. So, it's always about communicating what you did to your audience and the person that hired you.

[00:24:10] CS: I want to talk about your podcast, The Digital Forensics Files, can you walk me through an average episode and like what types of guests do you get and what levels of forensics professionals the podcast is aimed at?

[00:24:21] TH: Yeah, certainly. Obviously, I'm very passionate about what I do. I just wanted to start creating some content around our field. I noticed that a couple years ago, there wasn't anything like it. There's now a few which is great. The more information we can get out there, the better. Just in terms of getting some ideas together for content and guest and formats, and all that kind of stuff, I actually made a post on our Facebook group for digital forensics. And all of a sudden this really nice lady named Amber started messaging me saying, “Hey, great idea. I've got some people you might want to talk to.” And I just communicated with her, “Tell me about what you do.” She’s like, “I'm the owner of Paraben.” My eyes went – you know.

[00:25:05] CS: Yeah. I've had Amber on the show twice, she's amazing.

[00:25:08] TH: Yeah. She’s so great and one of the things that I love about her is just that she's so passionate. And after all, the time that she spent in the field and everything that she'd been able to do, she's still hanging out in these little Facebook groups, just because she loves it. I'm awe struck by Amber and everything that she's done. Even on a case the other day, I thought I had done everything that I could, and I hit a roadblock due to technology and encryption that really just can't get around. But I wanted to ask somebody outside of the organization just to get a second set of eyes, and I was able to just get some ideas from her. She's so available and willing to help blows me away. Like I really, really look up to her as a professional and somebody, a business person, frankly, and just a great human being.

She's been on my podcast as well. And she's just a really cool person and although she would tell you that she's a dork, but she is not. Just because you like Star Wars and Wonder Woman doesn't make you a dork.

[00:26:10] CS: Yeah. Pretty much everybody at this point. So, what would be some like key episodes if people want to get started with your podcast? Which are some of the guest, I'm guessing amber is one of them, but what episodes would be most exciting for people who are just getting into it?

[00:26:25] TH: Yeah, it depends. It depends what your interest is. So, I have forensics professionals. Brett Shavers is an industry professional and he's just got a cool background. He's very understated and modest. I would encourage people to just sort of check out that one. I mean, this guy like swims with sharks. He just lived a crazy life. But he's the most understated and gentle guy.

So, that was a fun one for me, albeit, it was short. Some people like that. I prefer doing it. I like the ones where I'm talking to lawyers, just because I have that natural bond with them. A lot of employment lawyers that are on or the cybersecurity professionals that sort of spearhead the post cyber attack investigation, when there's a data breach, and we need to do an investigation, we get forensics involve, IT executives, public relations people, it's a really important multifaceted thing. So, I like the ones where we talked about that, as well. And then I just have a bunch of cybersecurity professionals, because I'm always trying to encourage information to get out there that helps people put real practical solutions into their business, to make a difference every day, to minimize your risk and stuff like that. So, the ones where I have cybersecurity professionals on are really my favorites as well.

[00:27:43] CS: Okay. Yeah, so I want to jump back to the employment aspect of things. And you talked a little bit about how you found your team and your researchers and so forth. And we also talked about how difficult it is to kind of get experienced when you're just starting or even to sort of show that experience to people who might potentially be hiring you. So, what are people who are hiring in digital forensics looking for in candidates? And how, if you're trying to apply for these types of positions, do you show yourself to be an above average candidate and sort of float to the top of the pile?

[00:28:20] TH: So, for me, I always encourage people and the people that I've noticed the most are the people who are active on LinkedIn. It's a really great free way for you to get involved in conversations and just liking, posting and commenting on things is a great way to get noticed. And also, you're noticing somebody who's passionate and interested, and you connect with people. We're all on LinkedIn, to be honest with you. I mean, people in the industry.

So, if you want to connect for free, it's a great way to do it. And those are the people that I've tried to work with. So, before COVID shut down, I was looking at a more immediate plan to expand to US and I had a couple of associates that were not full-time employees. But if I needed them in a particular area, I had a contract with them, so I can use them. And so, they're sort of associates of the company. And particularly Felicia Newton, just caught my eye as somebody who was doing so much, just sort of kick down doors and get into the industry. And for me, I thought, if this is somebody who wants this kind of position so badly, I want to be working with her and developer her skills. Unfortunately, we've had to kind of scale back a little bit and move away so she understands that very professionally.

I also tried to expand into Toronto earlier this year, and for the same reason, I had to kind of scale it back. But employee at the time, Rania Raghavan, she connected with somebody that I'm close to in Vancouver, they put me in touch, and just a sort of guide her career, sort of like the advice that I'm giving now. And when I met her, she was so passionate and she was just so willing to learn and just the kind of professional that I wanted to develop that actually put her through the Infosec training, despite her not even being an employee. I just wanted to help her and she sank her teeth into that and really attacked it. And I thought, again, wow, this person is so passionate that I made her an offer for a full-time position in Toronto, which unfortunately had to scale back in. So, she's moved on to another opportunity and I wish her all the best. But that's the kind of thing that I look for. And Rania had an excellent IT background. She worked as sort of an IT person, so she was very aware of the technology that we deal with. She was very good with communicating verbally and in writing and just the passion.

[00:30:39] CS: So, speaking of difference between your Vancouver office and your Toronto office and so forth, how has COVID and lockdowns and working from home and so forth affected forensics in general and your company, specifically? Do you have multiple teams in different cities? Do you try and stay central? How closely do you meet? I'm sure it's not face-to-face right now, but how tightly knit you have to be in the work right now?

[00:31:07] TH: So, our team, if we have to be in the lab to use the technology and plug drives and switch dongles for various software that we use, that's important, and we're there regularly. But sometimes you can set something up, if you're doing a multi-day investigation, they're just using TeamViewer and remoting in, which is really cool. In terms of collecting the evidence, we’re pretty stationary in Vancouver here now, our team in our office and the lab is set up here in Vancouver. Even when we're hired by people within the city limits, they still send the devices to us by courier. We're very rarely going on site to collect the evidence from lawyers and things like that. We get them sent from their clients or the law office.

So, there's no magic to being on the ground. But sometimes there's an urgency or a particular file that does require somebody to be on site. So, that's why I was trying to expand to Toronto, because occasionally people either required us to be there, or they weren't comfortable carrying an important piece of evidence to us, and I understand that. But in the vast majority of cases, it's perfectly fine. And with couriers, we can keep track of it through the records that they keep chain of custody, which is always important for evidence going to court and things like that.

So, yeah, my plan from day one with this company was to be really efficient and paperless and have a smaller operation so that we can pass that value along to our clients. It's a very expensive field if you're actually somebody who uses the service, it's so specialized, that the market demands that you – I mean, the tools you have to use, the liability that you incur, if you do it wrong, you can't water down your fees. At the same time, we're very focused on providing value. So, before somebody goes down the expensive road of hiring somebody like us, that's why I have these talks up front. So, they know not only all the great things that we can do, but also some of the ways that – there’s a risk here that this might not materialize. And here's the challenges that we might face in your particular case. If you want to take that risk, we're happy to do the work, but you have to understand fully the benefits and the risks of our work.

[00:33:16] CS: Okay. So, as we sort of look down the road a bit, where do you see forensics investigation and related fields like breach mitigation and risk management going in the next 5 or 10 years? I have to imagine they're all sort of growing fields, just like all areas of cybersecurity are, but do you see any procedural or technical or tool-based options coming down the pike that are going to change the game in any way?

[00:33:39] TH: I think it's going to be a growing field in terms of the demand from people who use our services now. I think it's also going to be more challenging from a technical point, because as things move to smart devices, and phones and tablets, and you just see all the increases in security and encryption happening now, that makes our job really difficult. MacBooks, for example, they continually come out with specific chips and processors that make their data really challenging to work with. I mean, super secure. But these aren't developed for us to do what we do. They're developed for consumers to be able to use them easily and securely. And that's great. But it certainly makes our job more difficult. So, we're going to have to get more technical, and we're going to have to keep up to date on the emerging technology. But certainly, cyber attacks and cyber fraud is not going anywhere. It's going to be a booming practice for years and years to come.

Personally, what I think is going to be a couple of things that are going to have to change in order for us to tackle this whole cybersecurity issue. One, I think we're going to have to stop being anonymous on the internet to some degree. I don't think it's doing anyone any favors to be able to hide behind an IP address that doesn't – there has to be some way that there can be an organization who knows both the identity somebody who's related to that IP address, but doesn't allow advertisers and people who are trying to attack those people to get that information easily. There just has to be a better process. I mean, right now, if somebody does a ransomware attack to my business today, at best, we're getting an IP address somewhere else in the world. And we don't even try to catch that person, we don't even try, we just try to remove access, so they can't do any more damage. And it certainly doesn't encourage somebody to then not try again. It doesn't discourage people from doing this.

So, it's only going to get more and more problematic. I also see that things are going to have to be changed by legislation, in terms of businesses just having to become more aware that this is a problem. Right now, we're relying on people to understand that it's a problem and make business decisions to minimize that risk and the message just isn't hitting home, certainly not quick enough. Anybody who's ever experienced a ransomware attack, or any kind of cyber attack in their business, knows how important it is now, and they do everything they can, but there's still people who are so casual about it, and dismissive of it over minimal costs, and it's a real problem. It's kind of like, decades ago, when we instituted legal requirements to wear seat belts in cars.

Everybody with any ounce of common sense knew that driving a motorized hunk of metal, might result in injury to you if you get in a car accident, knows that, but a lot of people didn't wear seatbelts until they were forced to do it. And I don't like that that's probably where it's going, but I think that's what is going to have to happen to effect some real change, it's going to have to be regulation, and requirements and probably penalties.

[00:36:44] CS: Can you wave a magic gavel and sort of give me an idea of what your ideal sort of legislation to solve this? What would be the things, in a package like that, what would you absolutely want to see?

[00:36:58] TH: I think they're already starting to develop, I just don't think that the teeth is there. So, you see a lot of legislation happening right now, where there is liability on the decision makers of businesses, if they ignore cybersecurity, and then there's large scale public damage, as a result of information getting out that affects a large number of people. Part of the problem in Canada, you may not appreciate the difference in damage awards, when you sue somebody, when in Canada, they're fairly limited compared to the US. So, we could sue somebody all day long for a data breach, and they're only going to get entitled to if they actually suffer damage. So, if you actually had your identity breach, and you suffered a loss, so you tend to just get these companies that get a slap on the wrist, provide everybody who is breached with two years credit monitoring, and they're just willing to accept that expense.

But if you maybe penalize these companies more for really flagrant violations, but I'm not suggesting that anybody should be penalized for marginal or well-intentioned, but insufficient measures. But once were really bad, I mean, you look at the Marriott breach from a couple years ago, where somebody was literally in there for years stealing records. An organization the size of Marriott certainly had a budget, there's really no excuse not to detect that and be aware of it. And those are the kind of instances where I think we really have to make examples of people to affect real change. And that could be a case where there were punitive damages. I don't know. But, certainly, I just got some notice in the mail that I may have been part of it and get some credit, that's great. But maybe something with a little bit more teeth.

In Canada, we do have some legislation that makes people liable. But nobody thinks for a minute that anybody's going to go to jail for that, even though the legislation allows that to happen, or that anybody's even going to be fined significantly for it. So, I think having some real teeth behind it will be important. But with everything going on in the world, it's so hard to get lawmakers and business people to consider this a high priority problem, even though it is. So, I get it, I get the resistance. But it’s a challenge. I don't know quite what the answer is other than to scream from the rooftops, day after day after day that we have to pay attention to.

[00:39:19] CS: Yeah, it takes no small amount of education of the people in the legislative bodies as well to understand the sort of the scope of this.

[00:39:30] TH: I've been in the war room when there's an active phone call from an executive. And all of a sudden, their entire organization is looking to them. What should we do? And all the investors are calling them saying, “Do we need to get out?” You could almost see the gray hair sprouting in real time. It's so stressful for these people. And they are so relieved when somebody gets to the scene and is able to say, “Here's the next steps. Here's what we know. Here's what we're going to do.” They’re just like, “God, you're here.” It's so time sensitive, so it's a really good thing to be involved in. It's really rewarding actually, to be involved in situations where you feel like you're contributing to a solution, and you're being valued.

[00:40:11] CS: That's enormous and that really brings a lot of job satisfaction, I imagine. So, as we wrap up today, there's always people writing to us saying, I feel kind of stuck in my job, I want to do something different. But I've been doing helpdesk for however many years, or I don't feel like I know where to get started in a new thing. What one thing someone could do tonight that would get them closer to being a digital forensic specialist?

[00:40:39] TH: Connect with me on LinkedIn.

[00:40:42] CS: Awesome.

[00:40:43] TH: Not that I have the power to change your situation, but it's a start to getting known. As I was sitting here waiting for this to start, I had a recruiter on LinkedIn that I don't know who was saying, “Hey, we're starting up this is really great position here. Do you know anybody?” And I’m like, “Yeah, I actually do.” We help each other, it's a really close-knit community. So, just start connecting, it helps and it helps get your name out there and helps you getting connected to the right people. And that's where we are in the modern era. It's not a send out random resume, I could get a thousand resumes and if I get one, well-crafted LinkedIn message from somebody who knows who I am and knows what they want to do, the message is received, believe me.

So, I would I would go for authentic connections like that and just start developing them as much as you can. I think that's the best way.

[00:41:38] CS: That's awesome advice. Thank you for wrapping up on that one last crucial question. If our listeners do want to connect with you on LinkedIn or learn more about DFI Forensics, where can they go?

[00:41:50] TH: Just search Tyler Hatch, search DFI Forensics, we're just under there. If you want to know what we're like, I mean, I would say our Instagram page is really cool. It's a lot of fun, some good information. I approach everything to be very genuine. I'm a very genuine person and there's a real human side to what we do and who we are. If you want to know what my life's like, as boring as it is, if you like dogs and guitars and computer stuff, follow me on Instagram. There’s nothing special about me. I just happen to be doing this. But I love it and if you want to see somebody who's doing it and passionate about it, then connect, get to know people. That's probably the best way.

[00:42:31] CS: Nice. Well, Tyler, thank you so much for being our guest today on Cyber Work. This was awesome and I think we'll probably give people some great directions if they feel like they want to get started on this path.

[00:42:40] TH: Thanks, Chris. I really appreciate the opportunity. Thanks.

[00:42:43] CS: And thank you all, as always, for listening and watching. New episodes of the Cyber Work Podcast are available every Monday at 1 p.m. Central Time, both on video on our YouTube page and on audio wherever you find podcasts are distributed.

Also, don't forget to check out our hands-on training series titled Cyber Work Applied. This is a new thing. Each week expert Infosec instructors teach you a new cybersecurity skill and show you how that skill applies to real world scenarios. Go to Infosecinstitute.com/learn and you can stay up to date on all things on Cyber Work. Keatron Evans is one of our great teachers and he's doing the first rounds of these. So, I hope you'll check it out.

Thank you once again to Tyler Hatch and DFI Forensics and we will talk to you all next week. Thanks for listening. Bye now.