The Field of Digital Forensics
When you think of forensic science your mind is likely drawn to depictions on popular television shows like CSI. But what’s it really like in the field? We tried to answer this question by chatting with Steve Burgess, the founder and President of Burgess Consulting and Forensics, lead forensic examiner, testifying expert witness and a pioneer in the field of computer forensic science.
Burgess has been a computer and digital forensics professional for more than twenty years. He found his way into computer forensic science well before it became a recognized field. Burgess started the first data recovery company in the U.S. in 1985 and eventually sold it to DriveSavers Data Recovery in 1994 – where he trained and consulted for four years.
Burgess is an expert in most computer hardware, peripherals, operating systems and many applications. He is world-renowned as a leading expert in data recovery – and has personally performed over 10,000 recoveries. He is also knowledgeable in the areas of patent search and generation, as well as the emerging field of molecular nanotechnology. Among his many credentials, Burgess is qualified as an expert witness in municipal, superior, state, federal and military courts in California, New York, Idaho, Louisiana and Texas.
Burgess started his own digital forensics consulting company in 1992, where he continues to manage and perform computer forensics, electronic discovery, expert witness services and data recovery, and to teach and lecture on the field. Burgess is also an active member of the Center for Responsible Nanotechnology’s Global Task Force on Implications and Policies, where he actively gives recommendations on public nanotech policy.
Burgess has written for the Institute for Ethics & Emerging Technology, the Forensic Expert Witness Association, Bloomberg Business Week and Nanotechnology Now, among many others. He is also a seasoned keynote speaker and guest lecturer on digital forensics, e-discovery, hacking and data security. Burgess majored in Biochemistry at UC Santa Barbara and earned his Bachelor of Science in Business Administration from University of Phoenix.
eLearners: How would you describe the field of computer and digital forensics to someone who is not familiar?
It’s kind of computer detective work. People go places on their computer that they should not, or take things that don’t belong to them, have illegal materials or images on their computers, or proprietary data that doesn’t belong to them. They may be communicating with people or organizations that they’ve agreed not to communicate with – either as an employee or employer, a spouse or significant other, or just a citizen. They may be trying to destroy information as well.
My job is to get into the digital devices (or in the Cloud) and show these breaches or lack thereof – to uncover the truth of their actions on the computer, online, or via electronic communication. I then need to present those findings in a way that the lay person can understand, to prepare it for court, and sometimes to testify in court or deposition about my findings, and to present my opinions about the findings as well. People think about it like CSI, and although we sometimes cover the same ground, and although some of the cases and people’s actions can be dramatic (or funny) and almost unbelievable, in the real world, we don’t have all of the handy (but often fictional) tools they have on the TV show.
eLearners: What, including your educational background and career experience, led you to start your own computer forensics consulting business?
I’m kind of a self-starter/pioneer. I started the first commercial data recovery company in the United States in response to requests from clients (at the time, my company was engaged in floppy disk drive repair) – the first one being hip-hop star Bobby Brown’s manager. After selling that one to another data recovery company, I segued into computer forensics, a new field at the time with only a handful of practitioners—most of whom came from the data recovery world or the law enforcement world. In the past five years or so, computer forensic programs at colleges worldwide have come into their own, but such coursework didn’t exist for the pioneers in the field. We had to make our own way, as it were, and use the tools that were designed for other purposes to render data usable in practice and in court. However, now I’d recommend a dual major in criminal justice and computer science, although specialties in computer forensics as a part of other programs (in justice and computers) are being offered.
eLearners: Can you take us through what your different responsibilities and duties are as an expert witness and data recovery specialist?
As an expert witness: My primary responsibilities for this particular hat are to testify in court and in deposition about my areas of expertise. Usually, it has to do with work I have personally done on a case, or as a rebuttal witness to work another expert or professional has done in the case. In deposition, sometimes the opposing counsel is trying to distract, upset, or otherwise get you to say something that is not well thought-out. In such situations, it is necessary to tell the truth, but not to casually be over-helpful or to volunteer information. Court with a jury is much more fun, taking on the role of educator, if you will. In court, the judge is far less likely to allow an attorney to browbeat the witness (me) than in a deposition, which can sometimes feel like a free-for-all.
It’s very important to be clear and accurate, and also to consider how words on a page look to a person who is not present in the courtroom (or deposition room) and to consider your body language, tones and inflection. Often, for instance, a witty comment can fall flat on the written page.
For instance, in a 2-day deposition I was in many years ago, deposing counsel got into a sort of buddy-buddy attitude with me, acting fairly jovial. He asked me a semi-rhetorical question and, the mood being light, I said, “I’ll have to ask my Mommy.” You had to be there. It was funny at the time. When the time came later to read the transcript for accuracy and to approve it, when I read that line, it fell utterly flat. I was appalled – it made me look childish and dorky.
As a data recovery specialist: The first part is being sensitive to the client – they may be very upset as a history of their personal photos of their kids, vacations and so forth may be on the crashed hard disk. It could be the data they need for an IRS audit. It could be the financial data they need for a loan. It could be a doctoral thesis or a book. It could be the data that their business depends on, without which it will fail. I have had all of these situations and more come to me, so we have to be understanding and supportive.
The next step is to get an identical image of the device. If it is nonfunctional, this requires troubleshooting and solving the operational issue. There are mechanical, electronic, and software systems on digital devices, and we need to get it to function without degrading it in order to get the bit-for-bit copy. The copy needs to be made as quickly as possible, paying attention to physically damaged areas on the device, skipping over them and coming back to try to image the damaged spots after the rest of the device has been imaged.
Finally, there may be the rebuilding of and detecting of damaged partition and file structures in order to pull the most important files off intact. The last step is delivery of the data in a form the client can use – or in some cases, the delivery of the bad news, preparing for the client’s reaction – for it is not possible in every case to recover the data, and the client has a vested interest in getting it, for the reasons above. Delivering such news can require the utmost in sensitivity.
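The imaging procedure described in this answer (sweep the whole device once without stalling, skip damaged areas, then come back to them after the good data is safe, and keep a bit-for-bit copy) can be shown in code. The following is an added example, not Burgess's own tooling or any product's code: the device is a constructed stand-in with a few sectors that always fail and one "weak" sector that fails a couple of times before reading, and the sector size, retry count and result structure are assumptions chosen for the illustration. The SHA-256 of the finished image is recorded so the copy can later be verified against the original acquisition.

```python
import hashlib
from dataclasses import dataclass, field

SECTOR = 512  # assumed sector size for the constructed device


class FlakyDevice:
    """Constructed stand-in for a failing drive (not real hardware access):
    sectors in `dead` never read; sectors in `weak` fail N times, then succeed."""

    def __init__(self, data: bytes, dead: set, weak: dict):
        self.data = data
        self.dead = set(dead)
        self.weak = dict(weak)   # sector number -> failures remaining
        self.reads = 0           # how many reads the device was asked for

    @property
    def size(self) -> int:
        return len(self.data)

    def read_sector(self, n: int) -> bytes:
        self.reads += 1
        if n in self.dead:
            raise IOError(f"unrecoverable read error at sector {n}")
        if self.weak.get(n, 0) > 0:
            self.weak[n] -= 1
            raise IOError(f"transient read error at sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


@dataclass
class ImageResult:
    image: bytearray          # bit-for-bit copy; unreadable sectors left as zeros
    unrecovered: list         # sector numbers still unreadable after retries
    sha256: str               # digest of the image for later verification
    log: list = field(default_factory=list)


def image_device(dev, retries: int = 3) -> ImageResult:
    """Two-pass acquisition: pass 1 copies everything readable in one sweep and
    only notes bad sectors; pass 2 returns to those sectors and retries them."""
    nsect = dev.size // SECTOR
    image = bytearray(nsect * SECTOR)
    bad, log = [], []

    # Pass 1: never stall on a damaged spot; get the healthy data off first.
    for n in range(nsect):
        try:
            image[n * SECTOR:(n + 1) * SECTOR] = dev.read_sector(n)
        except IOError as err:
            bad.append(n)
            log.append(f"pass1: skipped sector {n}: {err}")

    # Pass 2: come back to the damaged spots with a bounded number of retries.
    unrecovered = []
    for n in bad:
        for attempt in range(1, retries + 1):
            try:
                image[n * SECTOR:(n + 1) * SECTOR] = dev.read_sector(n)
                log.append(f"pass2: sector {n} recovered on attempt {attempt}")
                break
            except IOError:
                continue
        else:
            unrecovered.append(n)
            log.append(f"pass2: sector {n} unrecoverable after {retries} attempts")

    return ImageResult(image, unrecovered, hashlib.sha256(image).hexdigest(), log)


def demo():
    """Constructed 8-sector device: sector 5 is dead, sector 2 fails twice."""
    data = b"".join(bytes([i]) * SECTOR for i in range(8))
    dev = FlakyDevice(data, dead={5}, weak={2: 2})
    return image_device(dev), dev


if __name__ == "__main__":
    result, dev = demo()
    print("\n".join(result.log))
    print("unrecovered sectors:", result.unrecovered, "device reads:", dev.reads)
    print("image sha256:", result.sha256)
```

Leaving the unreadable sector as zeros (rather than omitting it) keeps every other sector at its original offset, which is what later partition and file-structure repair depends on; the log and the list of unrecovered sectors are what you would put in the acquisition notes.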
eLearners: What are some of the more memorable cases that you served on as an expert witness? What was your role and/or how did you affect the outcome of these cases?
With this many years in the business, I have many stories. Here is one of them.
I got a call from a lawyer in Boston whose client was accused of hacking a government nuclear research site and trying to sell access to an FBI agent. The FBI heard about the guy, code name GreeenHat (GH), who seemed to be more of a wannabe than a major hacker. They contacted him to buy access to a couple of servers, and then tried to see if they could get more from him.
When the attorney called he was new to the case and GH’s previous lawyer had advised him to plead guilty and try and get a deal. This isn’t actually unusual in cases where people feel a little guilty and are faced with hard time. GH had been investigated by the Secret Service for hacking when he was 14 so he likely already felt that tinge of guilt. The FBI told GH that he was facing 20 years in prison, a $750K fine, 9 years of probation and tens of thousands of dollars in restitution among other things.
So GH’s lawyer wanted to know if he did it and/or if there was any evidence. When I chatted with GH, he seemed smart, young and full of himself. To that last point – he had sold two sets of passwords for $500 each and had the money wired to his real name through Western Union. Not exactly a seasoned superhacker.
I was presented with a pile of hard disks, copies of Federal indictment papers, transcripts of alleged chats and a copy of the plea deal. Jessica, my formidable forensic tech, searched 60 keywords and phrases using EnCase Forensic for every hard disk and flash drive. We included text from alleged chats between GH and the Feds among URLs, server names and more. There were close to half a million results but nothing looked like the chats the FBI had provided. Given the number of hits, it was clear that GH hadn’t cleared his computer free of the terms.
Now, GH sold passwords and backdoors to the Feds – but what we found was one for a server about pizza and another for a webhosting company. And we never saw access to any of the hosting company’s host of clients. The question becomes, what about the national nuclear lab? Where was the proof?
We decided – to be fair – that we’d look at the electronic media where the government had the chat transcripts and other damning evidence. But, surprisingly, they didn’t produce it to us. What about the list of IP addresses for the servers GH handed over to the Feds? We searched the companies and found that the majority of them were public info.
Our official response was, "We do not find evidence to substantiate the FBI's claims regarding Mr. H's alleged hacking activities, including the alleged installation of backdoors or root-level access to servers. Of note, the chat logs provided by the FBI do not appear on these drives."
However, unfortunately for him (especially given how weak the case was against him) GH had already pled guilty. The government decided to make a deal for 18 months and $26,000 if GH admitted everything and said he was really, really sorry. And there you have it.
eLearners: Are there any particular digital forensics technologies that you are excited about?
Yes, Cloud forensics and preemptive forensics. They are both pretty new and that is, all by itself, reason for me to get excited about them. There’s a lot to be determined, methodologies to be designed, new ground to cover.
eLearners: You are a member of the Center for Responsible Nanotechnology's Global Task Force on Implications and Policy. What can you tell us about how public nanotech policy relates to your field?
Wow – that’s an unexpected question. One of the important issues with nanotechnology, as with software, is open source design, and data that is therefore distributed over a great amount of geography, as collaborators work together to design software and molecular manufacturing both. Being distributed widely means data in the Cloud (incidentally, many people have an impression of the Cloud as being kind of amorphous, floating data, but of course, data in the Cloud is on physical devices in physical geography in the world). Law with regard to electronically stored information (ESI), and therefore with data that’s been sliced and diced for distribution on devices all over the world, is rapidly evolving and affects the field of digital forensics, e-discovery, and where open source nanotech designs are stored as well. Hacking and security similarly affect the accessibility of data in the Cloud.
Having said that, when thinking about implications and policy for nanotech, while we’re thinking a lot about open source design, we’re also thinking about the protection of intellectual property, which is tied closely to digital forensics work.
Also, some people hack computers, but with molecular manufacturing, hacking can extend to atoms, and to life. Where nanotech seems to fork off (at least insofar as I’m thinking about it right now in response to your question) from digital & computer forensics is in the biological implications of self-replicating machines operating in a more or less invisible realm, in the implications of potential conditions of plenitude and who may try to control it, but also in how dangerous individuals or organizations may try to create harm & havoc using nanotechnology.
eLearners: What types of qualities and skills may make a student more suited to a successful career in computer/digital forensics?
An interest in a field that never stands still – lifelong learning.
eLearners: What do you think are some of the potential challenges for students pursuing digital forensics degrees? Do you have any suggestions about how to cope?
Deciding how to pursue inserting oneself into a job. Starting your own business is tough. One of the best ways to segue into digital forensics may be to pursue a job with law enforcement, get a lot of training once you’re in, then see about moving into commercial practice. In some firms, you’ll be expected to generate business yourself. In law enforcement, there will probably always be a surfeit of work to do, but you’ll also always be looking to land the bad guys and it seems that this must change a person’s perspective on other people.
eLearners: Do you have any other advice for students who are interested in earning their degrees in digital forensics or a related field?
Remember that the real world is not like the learning lab – the learning lab has controls on the situations you will see that are far more limited than “in the wild.” Also that the field never stands still – mastery in digital forensics (like most things, really) is a moving target, an ever-changing goal.
The other thing is this: If you don’t enjoy a job, and you go to it every day, life will be a drag. Enjoy what you do and life will be much more fulfilling. You’ll probably do better work, advance faster and make more money if you love what you’re doing. At the same time, the dilemma is that – unless you hate or love something immediately – it’s hard to know or imagine how you’ll be with it in a few years – or even in a few weeks. “Follow your bliss” is great advice, but there’s generally a certain amount of living and doing to be done before you can find out what your path really is. It’s a dilemma.
But at least have an idea that you’ll like doing something as a profession before you jump both feet in. And in this field, you’ll have both feet firmly in before you know it. Like everything else, it can be remarkably rewarding to solve some of the puzzles, to think creatively, to catch a bad guy or two, and to work with similarly creative people. But also like everything else, there can be periods of boredom, unlikeable or arrogant folks to work with. It’s all a part of the package of any life and any profession.
Good luck with yours!
The expert interviewed for this article may be compensated to provide opinions on products, services, websites and various other topics. Even though the expert may receive compensation for this interview, the views, opinions, and positions expressed by the expert are his or hers alone, are not endorsed by, and do not necessarily reflect the views, opinions, and positions of [eLearners.com] or EducationDynamics, LLC. [eLearners.com] and EducationDynamics, LLC make no representations as to the accuracy, completeness, timeliness, suitability, or validity of any information in this article and will not be liable for any errors, omissions, or delays in or resulting from this information or any losses or damages arising from its display or use.