Hunting down criminals in the digital age is painstaking and sophisticated work, but the opportunities are limitless. That was the focus of the conversation in a September 1 webinar featuring digital forensics expert Heather Mahalik hosted by Slone Partners Cybersecurity President Tara Kochis.
Mahalik, Senior Director of Digital Intelligence at Cellebrite and a faculty fellow at the SANS Institute, discussed her many years of investigative work, some of the high-profile cases she’s been involved in, and the actions people can take to safeguard their digital privacy.
“The biggest mistake you can make is assuming you are not stalkable or not important enough to be a target,” Mahalik remarked.
A specialist in smartphone forensics, Mahalik says there are some simple steps digital consumers can take to protect themselves.
“The first thing that I recommend is multifactor authentication. And all you have to do is go in and say, ‘enable two-factor. Enable MFA.’ You'll see this in [your smartphone] settings. And yes, it's annoying because anytime you try to log in from a new device, you need a code that is texted to you, but then you also know if someone else is trying to get into your account.”
Mahalik has been involved in several high-profile criminal cases including the Delphi murders, the Crystal Rogers case, and the Osama bin Laden digital media investigation. She admitted that her work can be quite challenging, but also extremely satisfying.
“In my mind, I am still 25 years old, and want to be rolling up my sleeves and doing all the case work because that's what's exciting,” she said. “It's fun. And I feel like it keeps your brain working and it's like doing crossword puzzles every day. It really is. It's a good place to be.”
When asked how people can get into the digital forensics field, Mahalik responded, “I think curiosity is the biggest thing for cyber forensics and the patience to be able to put the puzzle together. So, [before] I came into cyber security I could honestly check email and use Excel. That is what I could do computer wise, but I was willing to learn. I was excited to learn. I loved seeing things behind the scenes. So, I think as long as you're willing to have that investigative mindset, you will do well.”
Read a transcript of the discussion below.
Tara Kochis:
I know one of the things that you and I talked about at first was how you got started. You have an exceptional career in what you do. I think, especially for females, but specifically, how did you get interested in cyber forensics and how'd you get into the field?
Heather Mahalik:
I'll be very honest. I was not interested at all in computer, cyber, anything relating to those terms. It wasn't something that was encouraged in, I guess, females in my generation. We just didn't. But back in high school, it was like AOL dial up. So it wasn't something that was super exciting. We needed ethernet in our dorm rooms and I did forensics, just regular CSI. I graduated in 2002 before CSI was a thing. I liked going into rooms and sounds really gross but taking a hammer and hitting a sponge of blood, and then stringing the wall to see how that attack occurred. So that was more the physical forensics.
I was in the Air Force to pay for college, and I was in the right place at the right time, on the back of a C-130 and someone came up and said, "Are you forensics girl? Is that you?" And I'm like, "Yeah, yeah, I'm the forensics girl." And he's like, "Would you like a job interview to do computer forensics?" And I hesitated, but then my dad was in my head on, "Get a job, get a job. You have a degree. Why aren't you getting a job?" So I said, "Yes." And honestly that interview just everything took off. I thought it would be a stepping stone. I thought I would use that hop into physical forensics and do more detective murder type work, but I loved it. I had an amazing first boss and I credit him with a lot of my success in this career.
Tara Kochis:
That's exceptional to hear. Mentors are so important, and you've done a lot in your career and going from the scene forensics to the really the digital world of cyber forensics – a lot of us carry smartphones, mobile devices, and you've done some talks on how to protect those devices but take it a step further. What are you gleaning from a smartphone that we're not aware of?
Heather Mahalik:
Everything. Honestly, I feel like it is the insight to your entire life on everything that you think you do. Your phone, the microphones are always listening and that's something we also don't think about. Honestly, if we talk about coffee pots right now, you'll all get ads for coffee pots. You're welcome. So we can say just ridiculous words, but it's insight, really, to our thoughts, what we do, what we search for, things that we think don't exist anymore that somehow touch the cloud. And pictures are a great example. And I am notorious for this. I will take a picture and my kids will always get my phone and they'll take 82 pictures. I'm like, "No, no, no." And I delete them, but I'm not fast enough at deleting. So, Google Photos has already intercepted my pictures and it's already in Google cloud. And then you think about iCloud and is it syncing there? So, all the things that exist that we are not aware of; that is constantly what I'm researching and working on because we want anyone who does the side that I do now with digital forensics, not just to find the data, but to prove how it got there, because that's one of the hardest things I think we do in this career field.
Tara Kochis:
Let's take a case study then and talk about Osama bin Laden and his digital media. How did you link all of that to help that investigation?
Heather Mahalik:
Well, and everyone's going to hate this, but a lot of that is classified, leading up to finding him and that investigation. But after the fact, CNN, everyone got it right. Everything we had, I have no idea. It was as quickly as we were aware of it so was everyone in the world with the news. But a lot of it was using his data after he was eliminated. That's the term we use, with upon his elimination, who else was next? So who else was he communicating with? So communications were a huge part of his interactions and then the training of those further to do more terror.
Tara Kochis:
Wow. So is that a blood spatter or spider web, same sort of thing in terms of people instead of drops. We're looking at people and where that leads us?
Heather Mahalik:
That's actually, you know what? It's interesting that you say that because anytime I look at Analyst Notebook or Cellebrite Pathfinder or these different tools that we use to string people together, I'm like, oh, I hate that view. But it's funny because that's exactly what I used to do. The blood that I said I loved, but it is. It's exactly that. And the terrorists don't really use a lot of smart devices. So they're not using the latest iPhones and Androids. They're using these really old throwaway phones that they can just leave behind and take their SIM card or SD card and run forward with what they're doing. And also, if you think about it, if you're up to sneaky stuff, it's probably smart because their data's not syncing to cloud.
Tara Kochis:
Right. That makes sense. So, as consumers or people on the webinar today, or folks who listen afterward, what can we do to protect ourselves? Because I have a smartphone.
Heather Mahalik:
Okay. So everyone locks their devices, I assume, and if you don't, just put a lock on your device right now. I have a lot of friends and the biggest issue everyone has is their social media gets hacked and then they get locked down. It's like one account to the next account to the next. And I'm guilty of this too. I use my G-mail to log into everything. And then I have friends that work at the social media providers and I say, “Hey, can you unlock Tara's account?” But my first thing that I recommend is multifactor authentication. And all you have to do is go in and say, “enable two-factor. Enable MFA.” You'll see this in the settings. And yes, it's annoying because anytime you try to log in from a new device, you need a code that is texted to you, but then you also know if someone else is trying to get into your account.
For example, there is someone out there that tries to get into my Instagram regularly, and I will get a code saying an attempt to access your Instagram happened and click here. And then you can also report it through email if it wasn't you. So you'll get an email, you'll get a code. And if it's not you, don't say okay, yeah, this is me. Please access my Instagram. But that's kind of the first step.
And if you think about the Sony hack years ago. What year was that like 2000? Geez. It was a long time ago.
Tara Kochis:
2012, 15.
Heather Mahalik:
Yeah, 2012 or something like that. It all started with social media phishing and hacking. They were using accounts from social media to then get access and gain access. And they just sat on their networks and watched. So – protect yourself; enable additional codes; and the biggest mistake and I say this at RSA every year. The biggest mistake you can make is assuming you are not stalkable or not important enough to be a target because you could be a practice target.
Tara Kochis:
I remember you saying that and I am guilty of the same sort of thing. What do I have that somebody else would want? But at a minimum, it's a big hassle and terrifying. Let's go into maybe crossing into your murder and blood to cyber forensics and talk about the Delphi murders and what you can share with us about that case that you learned.
Heather Mahalik:
All right. So this one's interesting. And I was randomly brought into this. I was in between leaving my last job and joining Cellebrite and the FBI Criminal Profilers reached out to Rob Lee and I from SANS saying, "Hey, would you two come in and talk to us?" And I thought the Criminal Profilers were a fake thing from TV. It was seeing Santa Claus when I met them and not at all what I expected, but they asked me to spend an hour on Android and an hour on iPhone. And just walk through if I were researching a serial killer, what would I look for on their devices, from habits and things to do.
And then after that, one of the profilers came up to me and she said, "Hey, have you heard of the Delphi murders?" And I hadn't at that point. And if you want to look it up, there's a lot of podcasts on it. It's called Down the Hill. And two girls, 14 and 15 years old were brutally murdered. It seemed like a random attack in Delphi, Indiana, and their bodies were left and then ultimately found in a gruesome situation. The only evidence that they had was one of the girls when she was walking across the bridge, put her phone under her arm like this and recorded a video of a man walking behind them. And it's blurry image. And she posted that on Snapchat. And then she also, when she put the phone down, she had it still recording and you could hear his voice say "Guys, down the hill." And that's why it was Down the Hill.
But what's interesting was these are things that the criminal profilers are good at that I would never think of. They thought it was a coach or a teacher because he didn't say girls. He said guys. And I know all my coaches always be like, “guys, stop it.” It's just a general term. There was no physical evidence. The cleanup was amazing. So, prepared with bleach and all the things to get rid of any of that type of evidence, but the things that I was thinking of outside the box with them. When our devices are within range of each other, it will ping Bluetooth, even if you don't connect to it. So maybe if you ping my phone right now, if Tara and I are in the same room, her device could show that she was near or within range of Heather Mahalik's iPhone. Now it could just be called iPhone and then that's not helpful. But things like that, that people don't think about, but then you never know if he had a phone on him. Did he leave it behind? So there are a lot of situations.
Apparently, there's a new lead. I have not heard what the new lead is yet, but it's five years old now. So it's an extremely cold case. Oh, really? Look at Lori. Hi, Lori, how are you? Do you see that news broke today that they may have found the weapon in the river?
Tara Kochis:
Yes.
Heather Mahalik:
I'm obsessed with these cases because that's something like I did a lot of terrorism. I even did like divorce cases, Invisalign suing a company in Kuwait saying they stole their braces idea. So everything from visa fraud, passport fraud, Osama bin Laden, a divorce, and this is kind of what was missing in my life. So, these cold cases are so exciting to me. I swear, I said to the hockey moms that I hang around with, we should start an evening group where we actually solve cold cases, real ones, not the fake ones that they mail to you, that you get the Instagram ads for, but real ones. Let's work this stuff.
Tara Kochis:
Oh my gosh. That is an amazing take on housewives. You do whatever you need to do, but I think if you could do that, you'd have an instant following. So I'm here to encourage you to follow those dreams. I know you have a lot of spare time, so maybe you have to stop writing in your blog for a minute to do that, because that would be incredible. And I guess from a forensics perspective, and I know they say this when somebody disappears, the first three days are really critical. Does the same thing apply with cyber forensics or is it kind of always there?
Heather Mahalik:
So, the data is there, but the issue is as technology advances the data doesn't. Some of my coworkers and I were just helping with another cold case from FBI again. And the data was from 2015. And it's funny how quickly we forget what the data looked like back then. Honestly, if I did not have access to my old SANS material, I would've forgotten a lot of this stuff on what to look for because we're all so hyper focused on what is now that we forget what was before and how did we communicate and the files that could exist. And sadly, if there were files then that exist now, it would be a lot easier because as our phones get smarter, they track more for us. Everything from how much time you spend looking at the screen, every time you touch your phone, how you unlock it, where you connect it, those things weren't always tracked historically. So it is helpful now, but it's also how someone uses their phone and when you get access to it and if it's been cleaned or cloud data, all of these things really come into play. And sadly, a lot of people are putting their devices into airplane mode or turning them off or not taking them at all before they commit some heinous crime.
Tara Kochis:
And that sort of locks it down in terms... So what does that do? Does that interrupt the signals so then you can't really tell where it was or it might not be picking up the recordings?
Heather Mahalik:
That's a good question. Somewhat. And this is where things are a little bit shady. So think about this. If you have the iPhone and it's turned off, if you log into your iCloud, you can still see your last location on where you were and you can still ping your device. Even if your device is in airplane mode, there are ways for data to get in and out of that device. It's not supposed to be typical communications, but it all depends. If you have airplane mode... okay. So good example. I was just on a cruise with my kids and the Wi-Fi wouldn't work unless I put my phone into airplane mode, but then on occasion I would still get cellular data. It was so back and forth. And we worked a case recently where someone, it was actually helpful, put their device into do not disturb mode to go into the crime scene, but we could see when they entered that region and when they left, so.
Tara Kochis:
Okay. All right.
Heather Mahalik:
But I truly think the phone, even when it's off is always beaconing out somehow.
Tara Kochis:
Terrifying. Let's talk a little bit more about cases because it's real life and people's lives are at stake. Tell us what the investigation or what sorts of evidence you're able to uncover with the case around Crystal Rogers.
Heather Mahalik:
Okay. So that one, that's the 2015 one that I mentioned, the really old Android. And this scenario is apparently she went out on a walk and just didn't come back. But then there's different data sets too. This is what's hard. The phone was turned off and then turned back on, but trying to find how it was turned off, how it was turned on back in that time is a lot more difficult than it is now. Now, we actually have files that say if it was a forced reboot, if the person did it, when it was turned on. There's also weird situations where it seems like her child's father, that's the correct terminology, her child's father left for a short period of time and came back possibly to hand off their child to someone. But there's a lot of family crime in the background there and she's just missing. And her phone was found the next day and then acquired by police. But what they need honestly is one file to say when that phone was turned back on and that's what's insane not being able to find something like that and sitting there and going file by file will make you go crazy.
Tara Kochis:
Do you hang onto these cases like in the CSI and the FBI, like the TV shows, right? People keep thinking about the cases. Does that happen to you when you're investigating?
Heather Mahalik:
Yes. Oh yeah. And the Delphi stuff, specifically. That one I think will always kind of haunt me until they find it, just because I took it to the level of listening to all the podcasts and doing all the things. And somehow personally injecting myself into that situation where…I don't know. Some of these things just really, really stick with you. Yeah.
Tara Kochis:
Especially, as a parent, it's hard not to get connected to the real lives of people who lost their children, which is devastating. Let's lift it up a little bit. Where is the innovation taking us? You touched on it, but what's the next generation of cyber forensics look like from your perspective?
Heather Mahalik:
A lot of cloud. I think a lot of cloud, a lot of open-source intelligence is a huge thing right now, too. All the things we all live so much on social media and make so much of our lives public. So having some kind of platform that collects all of that. But so many people don't realize everything that we do on these devices, on our computers, on our TVs even, all go to cloud. I think those are really the ways going forward. And then we also have to think about data sets and how large these devices are. I haven't seen what Apple's releasing, but Apple's probably releasing their 10 terabyte iPhone. How are we going to get all that data? We have to be able to almost work with data sometimes in the platforms that they exist. Doing forensics, I know SANS has a new cloud course out and doing forensics in the cloud versus pulling it all down and then trying to manipulate it is sometimes easier.
Now, with phone data, I don't know. I'm old school. So I like to have everything I want to do a full collection, have everything so that if you have to hunt the one file like in the Crystal Rogers case, you have access to that data. But it's hard. Technology's always changing with encryption and how people are protecting data and how cloud's collecting it. And then obviously legal authority.
Consent. How are you getting access to all this stuff is always going to be a problem.
Tara Kochis:
Either way, it all sounds pretty terrifying to me. Does it keep you up? What scares you about what could happen next? Because all of this is terrifying to me and it's what you do. And you went on a cruise and you're able to enjoy yourself. I would be terrified. So what scares you about what could be next?
Heather Mahalik:
I'm going to sound like a total creep here, but I love getting all the data. In my mind, I'm like I don't do bad things. If someone wants to see it, fine. What scares me the most would be not being able to access it to do anything because I don't know.
I did this challenge once. And I was like, would you rather be free or completely safe? And there are differences in, and everyone could fight about this forever, but I would rather be free and know that there's stuff out there and things can happen. So me being prevented from getting any data would be my worst fear and keep me up at night. And I feel like everyone's always like, oh, on the next Android device or on this next thing or in this app. And we managed to get it.
Tara Kochis:
Amazing. How do you think about your team? If there are folks out there thinking about a career in cyber forensics, how do they get your attention without hacking your Instagram?
Heather Mahalik:
Oh, yeah, that's actually... networking. I could tell you the worst place to reach me is LinkedIn because I probably have 800 messages that I don't read, but things like Twitter, I try to respond to every direct message on Twitter, even just replying to tweets, that's a great way. I think personally to reach me, Twitter is my primary platform that I use for technology. I try to keep my Instagram for family and I try to keep my Facebook for just old friends. But those are also ways. But email, networking at…I think when I say networking, I'm going to take that back a little bit. I am one of those people if I go to a conference, even meeting up with you and Robyn, I was like, oh, I don't know. I don't know. And I was nervous and I dragged my friend Rob along with me, because I was like, I don't know who these people are because I'm one of those, like an extroverted introvert. I can be really outgoing when I need to be. And then I'm like, nope, not talking to anyone and hide.
But even using Slack channels. So something we did during COVID with the DFIR Summit, we used Slack and we realized so many more people were talking. There is a chance I will type a comment in this chat right now versus raising my hand or I'm muting myself and saying something. So use that to network. Start watching people, not in a creepy way, but in a way that if someone piques your interest start following them, make yourself known with them. Lori's a great example. Lori ended up taking my SANS training. I knew Lori from a lunch show I was running, and we keep in touch. And it's a lot of this career is who that will help you land, where you want to. It's a huge thing.
I don't know Kate. If you're still on, do you have the link that we can post at the end of this on getting started in DFIR? There's a lot of stuff in there on who to follow, interviews with getting started, ways to get some free training. So playing and capture the flags, asking people to join your teams. All these user summits and user forums are fantastic to go to.
I strongly recommend them.
Tara Kochis:
I want to ask you this. Does your advice change for women or people of color? Is it the same path or do you recommend something different?
Heather Mahalik:
I would say it's the same path, but with exceptions. So I was very lucky in the fact that my first bosses treated me fairly. I have been in situations where I have not been treated fairly. And I was told you can't be technical because you're a female or I don't trust you because you're female and called out right to my face. “You have kids so you can't do these things.” But just surrounding yourself, even if you have someone above you that's acting like that surrounding yourself with your teammates and people you feel safe with that will have your back is really, really helpful.
I can say Cellebrite has been great to me about everyone's the same, no matter what. SANS, same thing. So I've been very lucky from those aspects, but just be careful who you latch onto. If that's a good way of saying it. Make sure it's people that you trust that actually have your wellbeing and your best interest ahead of you. Because, and honestly, it's not like, oh, a man is going to try to hold you back. But some women, we can be nasty to each other instead of cheering each other on. You're like, nah, “I'm going to hold her back so I can take a step ahead.” So I wouldn't say it's anything relating to gender, race or anything like that because everyone has a nasty side. It's finding the good in the community. And I know cyber's huge, but in DFIR specifically, I feel like we are a close family that kind of protects each other. And it's nice. It's really nice. But there are obviously people everywhere you can't trust. You have to find the ones who want to cheer you on from the sideline.
Tara Kochis:
That’s great advice. And we see networking really working as well. And so from a sidebar, from a job hunting perspective, leveraging your second tier network in whatever that platform tends to be the most useful. So, the people closest to you know you the best. They're like, “oh, I'm sure she'll be fine. Or she'll figure it out or whatever it is.” But the second-tier network is like, “oh, you made this request of me. I don't know you well enough to be like, you'll be fine.” So your second-tier network tends to act on a request more so than your first tier network. So, from a job-hunting perspective, that's something for everyone to keep in mind because at some point it's always good to be able to pull those levers. And those tend to be the most powerful because for the reasons I mentioned, so.
Heather Mahalik:
That is true. I think I learned this. I just did a Harvard Business School thing last year and it's been about a year last fall and they taught us something that we all flock. So, think of your friends group, if you're in a workplace environment or a conference, you're going to the flock to the people who are very similar to you. If you branch out like you were just saying and maybe go to someone you typically wouldn't talk to, the opportunities could completely change. And that's honestly how I've had random opportunities open up from people I typically wouldn't flock to.
Tara Kochis:
I was super impressed to develop, not just with your background, but looking at and looking at the work that you've done and the work that you're doing through the SANS Institute and having access to that network is also pretty amazing. And I don't know if you want to spend a minute just talking about what you think is available there. I'm not sure how much people know about the SANS Institute. I think this would be a great platform to call out what it avails to others.
Heather Mahalik:
Absolutely. And I saw the link was posted earlier so you can start there, but SANS as a whole is a gigantic institute. We have many different branches. Mine specifically is DFIR, so digital forensic incident response. And we do things a little bit differently than others, but across the board. If you're looking for things that are free, for example, there are something called livestreams and Viviana, she is the deeper marketing. She will reach out all the time and say, “Hey Tara, are you researching anything cool? Can I have an hour of your time?” And you share through live stream free anything you're researching, anything that's new. Something that's exciting to you. You could tell a case story, a case study.
It's a good way for you to learn one, people you could listen to for six days straight because that's important. SANS is an investment. So you have to connect. You have to find someone that I like to say speaks your language. And I had a student come up to me once. I've never been a police officer, but he's like, “wow. You know how to talk to cops.” And I was like, thanks. I don't even know what that means, but thank you. He's like, seriously, “you take it to a level that I needed to ingest it.” And I was like, okay, so you could learn that. All of the courses, and this is something that's super cool. Every single course that we offer in DFIR, you can get between a 25 minute to a one hour preview. So you could actually watch it. So if you're new and you're like, I don't know if I want to do network forensics or smartphone or cloud or intrusion. You can get little snippets of free training.
You could spend say, okay, every Friday I'm going to watch something free from SANS and just see if it's what I want to do. But beyond that, the free tools, the posters, the cheat sheets, we're going to be working on something new it's in progress. It's called the toolbox. And it's going to show you... I saw Zimmerman tools were being mentioned earlier, Carlos Cajigas for example, he's going to do something in regards to Velociraptor. So, if you're like, “what is this tool? Why would I use it in a case?” What does it mean? And it's just almost the way they worded it to me was it's an appetizer to get you possibly to the main course.
Because obviously if you're new, you're not going to possibly dive right into a five-level training and think you can survive. You need to start somewhere. So we're trying to really pull people in and educate people and introduce them to possibly different modules because it's a great career. And it's something that once you are in, if you like it and you make friends, you become DFIR family and people will always take care of you and you will find very quickly you always have a spot to land. So it's really nice.
Tara Kochis:
It's really comforting. And in this world of cyber forensics. You just made that very, very approachable. Let's talk about some of the people. Who are some of the experts in the field that you admire?
Heather Mahalik:
Ooh, that's a good one. So there's a lot out there. I'll start with newer people that I have met. So Ian Whiffin, he was digital forensic investigator of the year. I work with him at Cellebrite and he is brilliant. I have no idea when this guy sleeps ever. His research is always the latest and greatest. He is the one that my team and I are always joking like, of course, Ian answered first. It's almost a challenge. Can you answer before Ian or has he already done it? But I work with really smart people, and we've dubbed ourselves “the dream team” and we make jokes about it. But Ronin, Paul, Matt, Jared, Ian, and myself, we try to form together to answer all the questions. And these are all my friends at Cellebrite. We're friends at Twitter or Twitter. We're all on Twitter. We have done DFIR in different walks of life. So some law enforcement, some not, and we've all come together.
But major people that I always follow -- Sarah Edwards for anything Mac related. That's a big one. Katie Nickels, and I'm not trying to only list females by the way. I just listed my guy friends first. But Katie Nickels is brilliant with cyber threat intelligence. Robert M. Lee, obviously he's a huge name. He's wildly successful, but the two of them, they are completely, completely brilliant. Rob Lee, he was one of the first people that I kind of ever followed. And Rob is the reason I'm on Twitter. He's like, "Where's your Twitter?" I'm like, "Why would I do that?" And he's like, "You need a presence. You need something to be and things to do." But there is so many out there that I just kind of watch their blogs, Alexis Brignoni. He writes a lot of free tools. He works the FBI. I try to watch a lot of the stuff that he does. Jessica Hyde. See very quickly if you watch me on Twitter who communicates with each other, and it's great because we're all different walks of life, different companies, competitors, and it's still a big team of people. I'm sure I'm forgetting someone and someone's going to be like, Heather forgot to mention me, and I'm going to feel terrible about it. Who did I not mention?
Tara Kochis:
We'll have a chance to come back together or we'll connect on Twitter. I love it. Well, what does the future hold? If you could push the five year button, what's cyber forensics look like five years from now?
Heather Mahalik:
Honestly, I feel like it looks very similar to what we have now with more hurdles on gaining access to the data. That's what I think will keep happening. But I also believe that the vendors will keep up in helping us clear those hurdles. For me, something that I am struggling with is being more of a manager and not the practitioner. I've learned from great bosses ahead of me that if you want people to respect you, do the work alongside them and not just trip down. So I really try to do that, but I feel like I'm being pushed upward more, which is great. But in my mind, I am still 25 years old and want to be rolling up my sleeves and doing all the case work because that's what's exciting.
I think if you are in more of a management position, just remember that you still have to inspire the new people coming in and you want to still roll your hands or sleeves up and get dirty and do things with them. But you still can't lose the passion or the sight because I've worked with people and I still work with people. You are in charge of managing and they've never done the job and I get it. Why people hire that way. But it's also very difficult, I think, on different respect levels with personalities, because there's a lot of personalities when it comes to this career field, on getting people to hear you when you have different personalities and different management styles. So that is a tricky thing.
Tara Kochis:
I don't think that's necessarily something that only your industry struggles with. I think that's just the way of the world, so to speak.
Heather Mahalik:
Oh, I see a question. All right. Navarro. I see your question about BitLocker. So yes, and I have done a lot of acquisitions on devices with BitLocker, but it's how you acquire it. So you could do more of, and this is something we teach even in Forensics 500. Think about this, if the data is powered down, it's locked and it's encrypted and you could potentially get the key to unlock it after the fact, but it's easier to examine it in its live form. So you could do a live acquisition. You could use Eric Zimmerman’s KAPE to extract data that way. And that's a free tool. So there are a lot of ways to do that.
More questions here. How do I balance work and my family? It's difficult. I try to involve my kids as much as I can though. They understand that what I do hopefully makes a difference to make them safer in the long run. My son once told his preschool teacher that all my mom does is talk on phones and fly on planes. It's like, “Oh my gosh.” Can't imagine what his teacher thinks of me, but he's right. All I did was talk on phones, create data, fly on planes to go teach to travel for work. But I try to involve them as much as possible, even simple things like, Hey, do you want to watch this phone get unlocked right now? Do you want to see this data? Would you like to see my slides? And they are technologically aware, but it is a hard balance.
Honestly, John, I said a few years ago, I was at this seminar, this fitness seminar. And I remember asking, I was like, “I feel like when I'm excelling at work, I'm a terrible mother and a terrible wife. But when I'm excelling at being a mom, my job is suffering. So how can I be perfect at all?” And her advice was who made you ever think you had to be perfect at all things? Because it's all ebbs and flows. But I try now…my latest thing now as a single mom is to between 5 and 8… This is what my son says. If my phone rings, he'll say, "Mom, is the world on fire?" And if my work world is not on fire, that person has to wait until after eight o'clock. So I try to block and sometimes things are super, super urgent. The world is on fire. A course isn't going well or something's happening. So I try my best to balance that.
And I do still study. I do. Usually what spurs my studying is when someone asks me a question that I cannot answer, and then I have to research it and also creating CTFs and researching for the class that I author with Lee Crognale.
Tara Kochis:
Nice. I guess to be a teacher, you have to be a student at some point, right?
Heather Mahalik:
Yeah.
Tara Kochis:
Let me ask a different question then, because you brought up kids and the next generation seems to be more digitally savvy than anything I've ever seen. And I will say that on the website, our company website, the first video we ever posted was produced by my then eight year old son. So even back then, that was the case. It's only gone way over the edges from that perspective. Is the next generation, are they good candidates for cyber forensics? Or how do you evaluate someone who's technologically savvy versus their cyber brain?
Heather Mahalik:
One thing that I think you need is curiosity. I think curiosity is the biggest thing for cyber forensics and the patience to be able to put the puzzle together. So [before] I came into cyber security I could honestly check email and use Excel. That is what I could do computer wise, but I was willing to learn. I was excited to learn. I loved seeing things behind the scene. So I think as long as you're willing to have that investigative mindset, you will do well. I used to always say, when I teach, if you're nosy and people are like, oh, don't say that, that makes it sound terrible. I am a nosy person. I like to know things, but if you're inquisitive, so curiosity is a big thing.
But I think too, I try to speak at STEM academies to prep kids to not ruin their digital fingerprint, because think about it. Us growing up, we didn't have pictures of every single thing we did. We didn't have social media. The bullying was done in a different way than it is now. Like worst case scenarios, someone handed you a note or put a note in your locker and you didn't know who it came from, but you could do handwriting analysis. It's not like someone pretending to be a different persona.
I think we just have to be careful with how much time we allow our kids to be behind screens and being anonymous. And there's no right... my kids use iPads. I'm not going to lie. I need them to be on it at times so I can have a mental break for myself, but just grooming them to understand the traces they're even leaving behind or what can be done in hindsight on these things.
Tara Kochis:
I saw the note in the chat about human behavior and it got me thinking about the background. So if somebody has a degree in psychology, does that potentially help them in this field or do they have to follow the more scientific computer science, cyber backgrounds?
Heather Mahalik:
Not at all. I had to take psychology courses and most of it was to learn to deal with death and how to process that because a lot of forensic cases involve someone dying in homicides. You can really do anything. Lee Crognale, she coauthors 585 with me, the smartphone forensic class at SANS. She has a, what does she have? A business and marketing degree, I believe. It has nothing to do with anything, but she was my roommate. I would bring home work. I would teach her. I'm like, "This is unallocated space. This is how to recover deleted files." And I groomed her into this position. She is brilliant. Absolutely brilliant. So, it's really, again, who you know and are you willing to learn?
Tara Kochis:
Fantastic. What else is on your mind? Coming into today, what do you want to make sure we give you the platform to share?
Heather Mahalik:
A big thing is it's never too late. I think people are afraid to make career jumps that could potentially change their lives or make them happy. I love my job. And I'm glad that someone asked about family versus jobs. People always say, do you have hobbies? And sadly, I gave up a lot of my hobbies because research is my hobby. Learning is kind of my thing. But it's never too late to make a switch. Also, it's never too early to prep someone into doing this either. And I feel like some people are like, oh, “that sounds so nerdy. How did you end up in something so nerdy?” But it's awesome. It is good to be a nerd. It really, really is. It's fun. And I feel like it keeps your brain working and it's like doing crossword puzzles every day. It really is. It's a good place to be.
And I spoke at Notre Dame. How long ago was that now? With Jessica Hyde, we went out there maybe three years ago. It was right before COVID. Whenever that was, that feels like ages ago. And I just recently met up with one of the interns. She was taking a SANS training and we took a walk together one morning. And she's like, "If you could give advice to yourself in your twenties." She's 23 years old. She's like, "What would that advice be?" And I'm like, "Huh, it's tough." And I was like, "Wait, career, personal? What are we talking about?" And she's like, "Career."
Honestly, what I wish I had done was take more risks early in my career. When I got that first job, I thought, okay, this is what I'm going to do for the next 20 years. I'm never going to branch out. And I wish I moved to different cities, tried different jobs. Just lived a little, maybe dipped my foot in corporate a little earlier, and law enforcement. All the different fields versus getting trapped because you have the rest of your life to feel like, oh, I've been in this for 20 years. Now I have to stay. So take risks when you're young.
Tara Kochis:
I think that's amazing advice. And we also think of it this way – to not be afraid to try something and have it not work out, knowing what you don't like is as valuable as knowing what you do like. And what is going to work and knowing what doesn't work. So when you weigh out those options and look at it as value add, then it maybe is less intimidating to make a change. So I totally get it. I want to make sure that we have a chance to answer more questions. Maybe open it up if somebody prefers voice over chat to ask questions, but there is a question in the chat if you can say it. It says, how are you defining the difference between digital forensics and the traditional sense?
Heather Mahalik:
So Joey, to be honest, I feel like I'm old school and I'll say computer forensics. And then I'm like, well, I do phones. It's more than computers. I feel like cyber is such a buzzword and everyone uses it. What I would say digital forensics is still cloud. To me, computer forensics are digital. Forensics is everything that can be on a piece of media that we would look at for an investigation. Cyber is obviously the buzzword that everyone always wants to hear. If you took any training with me, I don't think the word cyber is anywhere in it, to be honest. Because I think it's more of the sexy buzzword for digital forensics, but that's just my opinion. Some people will say, no, cyber is this, digital is this, computer is this. And to each their own. Good question.
But put cyber in your resumes because people like that word.
Tara Kochis:
They're going to search for that word.
Heather Mahalik:
And you know what? Speaking of resumes, there is Lesley Carhart. She's hacks4pancakes. She is amazing. She will do things at conferences where she'll do a free resume review for you. She'll talk to you. She'll look at your resume and give you tips on things to add, not add. And she works right now with Robert M. Lee, who I mentioned earlier, his group at Dragos and they do amazing threat intel work. Great.
Tara Kochis:
I think there's one more. Chester had a question. Speaking of career jumps, what advice do you have for a former police detective for getting into cyber IT and landing a job?
Heather Mahalik:
Make friends. Seriously, Chester, I have helped a lot of people, students for my classes who were law enforcement and just needed to make that career jump. I met, actually, he's in instructor development right now with SANS. I taught a class down to the military, Marine Corps, and I wasn't trying to offend him, but I walked up to him, and I said, "What's next for you? You are so smart. And I appreciate that you want to be a Marine, but what is next for you?" And we kept in touch and he is now in instructor development. He's worked at Facebook, AWS, Google. He's brilliant. Seriously, make friends. Reach out to people. Email me, tell me what you would like to do. I am happy to help you.
Tara Kochis:
That's amazing. What is your platform solution for performing large scale forensic investigations compared to forensically examining one endpoint at a time?
Heather Mahalik:
So I don't do a lot of IR and endpoint examinations, but if you email me, I will put you in touch with the right people to get that information. Or if someone else wants to chime in too, this can be collaborative. It doesn't have to just be me talking. If anyone's doing investigations…The closest thing I've honestly had to that was taking Forensics 572, which was torture for me because that's not my favorite topic, but I am friends with the instructors and I love the content, but it's not something that I'm passionate about. So sorry that I couldn't answer that one for you.
Tara Kochis:
I have a different question. How do you think about the difference between corporate, industry, versus government or non-industry work?
Heather Mahalik:
So I have done both.
And I will say working with attorneys was one of the more difficult things I have ever experienced, but it toughened me up as a human. And I don't think I would be who I am without that. My corporate experience, you are so fast paced because there are billable hours and things are different, but you also have to really believe in every single thing you put in that forensic report, because you could be depositioned on it. You have to defend every single thing that's in it. And some people are like, oh, “I'm a police officer. I have to go against the defense.” I felt like doing consulting in corporate, I was defending every single thing I wrote all the time. So I think it really makes you a strong examiner because you learn to validate and believe in your work product.
Not that I don't do that with my government work and everything else. It's just, it's so fast paced. And you're almost, it's like your feet are held to the fire every day in such a different mindset.
Tara Kochis:
How would you characterize the mindset differences then?
Heather Mahalik:
So in my government experience, everything from the visa fraud to terrorism, something occurred and you were then going to fix it. When I was doing corporate investigations, it was like side A versus side B. And you don't know. It's like you're in the middle trying to find the truth. And it's hard. I feel like in that situation, it's harder to form a bias, which is good. If you're working an investigation, you could say, okay, Malaysia Airlines plane crash. Everyone had all these assumptions. Who calls this? Who did what? In your mind, you already think you know who did what. If you're working OJ Simpson, Nicole Brown, you may have an idea in your head who did what and why. And it's hard in those situations I think to let the evidence speak the truth versus what you want it to tell you. And I felt like when I was doing consulting corporate, there was no assumption thrown your way. It was like, just do these things and give that data. Do these things, give that data. So it was completely different, which almost saves you from having those biases in the work and the bias can help you, but it can also really hurt you if you're not willing to see the truth in the digital media.
Tara Kochis:
Amazing. All right. Let me make sure that in our last couple of minutes, if there are any last-minute questions. This has been great. And I'm hopeful that the work that you've done and others have done will lead to some cold cases getting solved.
Heather Mahalik:
I hope so too.
Tara Kochis:
People will get some peace and new careers are hatched, so yeah.
Heather Mahalik:
When I start DFIR nerds are solving cold cases, I'll let you sign up.
Tara Kochis:
You have to. I think everyone on this call wants to be involved somehow. So murders in the building, if anybody is out there watching, then we can be your groupies.
Heather Mahalik:
It's amazing. Thank you for having me. This was fun.
Tara Kochis:
It was fun. Thank you for joining and thanks everyone for today. Really incredible. Heather, have a wonderful afternoon and all of you do the same and stay safe.
Heather Mahalik:
Thank you.