In this Q&A, we talk with Cindy Murphy, a digital forensics expert and the President and co-founder of Gillware Digital Forensics, about her start in the industry, the prevalent trends she’s been seeing, and her use of Magnet AXIOM in her cases.
Magnet Forensics: Tell us about how Gillware Digital Forensics got started.
Cindy Murphy: Before Gillware Digital Forensics, I was getting close to the part of a police detective’s career where it starts to make a lot of sense to retire from public service. Although I had a lot of hobbies that would occupy my time in the leisure-filled retired life, from music to teaching, I wasn’t ready to give up the rush I got from forensic work just yet.
Fortunately, it just so happened that the folks at Gillware, who I’d known for years and had even relied on for data recovery expertise on occasion, were looking to find a better way to deal with the increasing number of inquiries their lab was receiving about forensic work. I had a lunch meeting with Scott Holewinski about being brought on as a consultant for a digital forensics service he wanted to spin off from Gillware, that lunch meeting turned into several lunch meetings, and by the end of it all, I was the president and co-founder of Gillware Digital Forensics.
What really convinced me to take this step was finding out about a case from their data recovery lab in which their engineers had recovered hundreds of photos from an SD card that had appeared totally blank. I and most of my colleagues never would have thought any data on the device was recoverable. At that point I realized that even after such a long and successful career, there was so much I still didn’t know about.
MF: What’s the biggest trend you’ve noticed in digital forensics over the past few years?
CM: The biggest trend I’ve noticed is definitely the constant increase of data we forensic investigators have to sift through. Every year people produce more and more data—on their computers, on their phones and tablets, in databases on servers—and that’s an ever-expanding amount of stuff we have to turn our eyes toward. Our workload just keeps getting heavier. Most of the increase in workload comes from mobile devices.
But in response to the growth of our workloads, we also have newer, more powerful, easier-to-use tools to use all the time, especially in the realm of mobile forensic tools. This is great for staying on top of all the data we need to take into consideration, but it can be a double-edged sword. As we come to rely more and more on tool results, forensic investigators might start trusting the results without following their guts and delving deeper. In short, the more we have to depend on the output of our tools to keep up with the work we must do, the greater the risk of forgetting the most important tool of all: our brain.
MF: Is there a particular investigation that you are proudest of having solved?
CM: I’ve been doing forensic work for about two decades now. That’s a lot of time to rack up cases I’m proud of. I’ve done investigations that were instrumental in state and federal Supreme Court cases. I’ve done investigations that have exonerated innocent people accused of crimes, one of the cornerstones of the justice system stretching all the way back to colonial days. I’ve done investigations that have brought justice to the most vulnerable of victims.
All in all, I can’t single out one case. What I’m most proud of is the body of work I’ve done. Whenever I take a case, I tell myself that I’m going to work hard enough that I’ll be able to look back on it and say, “this is the case I’m most proud of.”
I guess you could go with the old standby and say I love all my children equally.
MF: What are your thoughts on the toolkit approach to digital forensics?
CM: It’s great that we’re always developing new tools we can rely on to keep abreast of our work, but we have to keep in mind that there is no one-size-fits-all tool for everything, and that over-relying on the reports from your favorite tools might inadvertently train you to let some things pass you by.
Ultimately, tools are only part of the solution to every forensics case, and you need to have many tools to handle specialty situations and the wide range of data storage devices and methods you’re bound to have to deal with. The most important tool you have at your disposal isn’t a piece of software or hardware, though. The most important tool is your own brain (and the brains of your colleagues).
MF: How would you describe your typical workflow?
CM: It’s like being a chef in front of an eight-burner stove trying to keep everything from burning over. In summation: ultra-controlled chaos.
No two cases are alike. Each one will require a slightly different approach within the structural framework of forensic investigation. Different tools used, different combinations of tools, preparing different solutions to different problems as they present themselves to you, testing, re-testing, checking, re-checking, and so on and so forth.
MF: Can you tell us about a time when you used a Magnet Forensics product to solve a case?
CM: I don’t have to talk about just one time I’ve used a Magnet Forensics product to solve a case, because AXIOM is, in fact, one of the primary tools we use here at Gillware Digital Forensics for just about every case. AXIOM lends itself so well to ease-of-use and ease-of-understanding and is such a flexible and easily tweaked tool that handles so many different forms of storage so well that it’s almost always one of the first tools we use in an investigation. AXIOM is probably our most often-used forensic tool as a starting-off point in our investigations before we start digging even deeper.
We also have incredibly responsive support and help from Magnet Forensics on the off chance we do end up having trouble using AXIOM in an investigation. The assistance we receive when we need it always comes quickly, and from the nicest of people, too. That means a lot to me. Given the choice, I always prefer to endorse and do business with nice people.
MF: You’ve recently kicked off a monthly series on your blog, “My Favorite Artifacts!” — how do you stay up to date with what’s out there?
CM: There’s a lot to keep up-to-date on. Fortunately, we forensicators tend to really like sharing the things we pick up in our line of work, if not through conferences and symposiums like SANS and other industry forums, then through blogging platforms. Our passion for sharing knowledge makes staying up to date with the latest developments in forensic tools, in software or hardware quirks that might help or hinder us, or anything else related to the field a lot easier compared to if we all stayed cooped up in our own little isolated towers.
MF: If there was one piece of advice you could give yourself 10 years ago, what would it be?
CM: I was ten years into my forensics career in 2008, just about to begin my studies at UCD. Since then, I’ve felt things have only ever gone forward for me. I don’t have any regrets about the path of my career and the decisions I’ve made. But if I could travel back in time to 2008 and give myself some advice, here’s what I would tell the younger me:
Trust your gut.
Keep an open mind.
Play as much music as you can.
Keep reaching for the next rung on the ladder.
Try to have as much fun as you can along the way.
Cindy Murphy is the President and co-founder of Gillware Digital Forensics, a forensics lab headquartered in Madison, Wisconsin and founded in 2016. Cindy’s career in law enforcement as a detective investigating computer crime has spanned decades, during which she made a name for herself as a forensic examiner recognized internationally as one of the foremost experts in the field. She obtained her Master of Science degree in Forensic Computing and Cyber Crime Investigation through University College Dublin in 2011.
Cindy brings a wealth of knowledge and passion with her wherever she goes. In addition to overseeing all forensic investigations at Gillware Digital Forensics, Cindy also teaches intensive courses on advanced smartphone forensics at SANS DFIR summits around the world to help train the next generation of forensic investigators. Other passions of hers include music—her instrument of choice being the banjo. When she’s not teaching a course or attending/giving a presentation, you can find her at SANS summits jamming out with other musically-inclined forensic investigators.