In this Q&A, we talk with Nathan Little, a partner at Gillware Digital Forensics who leads incident response and data breach investigations. Nathan will be sharing his expertise when he co-hosts our upcoming webinar, “Fraud, IP Theft, and an Intrusion: A Case Study with Gillware Digital Forensics”. Learn more about how he got his start in the industry, his approach to forensics, and his use of Magnet AXIOM in his cases.
Magnet Forensics: Tell us about how you got your start in digital forensics.
Nathan Little: My start in digital forensics began when I started exploring the functionality of open source digital forensics tools when I was in college. I’ve always had a passion for computer science and investigations, and I wanted to start a career in digital forensics. I got a job with Gillware right out of college, and my first responsibilities were writing the internal data recovery software that we use for many different types of file systems. The detailed knowledge of filesystem structures and the ability to create custom software made me a natural fit to become a forensic analyst at Gillware, and I’ve been doing that for several years now.
MF: What’s the biggest trend you’ve noticed in digital forensics over the past few years?
NL: Forensics moving to the cloud and the ever-expanding sources of data in all facets of investigation. In some aspects, it’s made digital forensics easier because there are fewer incidents that require onsite work, which helps keep costs down for clients. On the flip side, there are so many sources of evidence that collecting and analyzing forensic evidence can be a daunting task. For example, in employee data theft cases, we may have to collect a forensic image of the employee’s desktop, the employee’s laptop, and the employee’s phone, as well as collect evidence from an internal file share, remote access logs, SharePoint, OneDrive, Salesforce, Dropbox, etc.
MF: In our upcoming webinar, you’ll be describing a time when you used Magnet AXIOM to solve a case. Can you give us a quick preview of what that entailed?
NL: The case involved a CPA firm that discovered that many of their clients’ tax returns had been fraudulently filed. They asked us to determine how the breach occurred and what data was compromised. We used AXIOM throughout the investigation to determine the root cause of the breach, determine the actions of the attacker while in the system, and find evidence showing what data was compromised and how it was transferred off of the system.
MF: How did you come to select that case for the webinar?
NL: It’s a great example of how powerful of an end-to-end investigation tool AXIOM is. We were able to use AXIOM to get to the bottom of a client’s seemingly confusing situation and quickly get concrete answers to the client, which allowed them to act accordingly to preserve the relationships with their clients.
MF: What are your thoughts on the toolkit approach to digital forensics?
NL: Having a great toolkit is absolutely necessary and extremely important. There is no one tool that does everything perfectly, although AXIOM comes close. I think the risk with the toolkit approach is that it can cause investigators to miss some evidence in their investigation. If you are dependent on just a few tools, and you always use those same tools, you may not notice if a tool is missing valuable information, or if the tool has fallen behind as far as functionality goes. At Gillware, all of our analysts can add whatever tools they want to their toolkit, and we are always adding to and expanding our toolkits.
MF: How would you describe your typical workflow?
NL: Once the case arrives at Gillware, I collect a forensic image of all hard drives and solid state drives involved using Gillware’s internal data recovery tool, Hombre. While that is happening, we use AXIOM to collect forensic evidence from mobile devices and cloud data sources, such as Office365 and Google accounts.
After we are done running physical media through the Hombre tool, we then process the forensic image with AXIOM. I typically let AXIOM find as much information as it possibly can, which includes things like processing Volume Shadow Copies, free space, etc., in order to give us the most complete picture that AXIOM can provide. After that, we will typically spend a while creating a timeline of events with AXIOM and make some preliminary conclusions based on the evidence found. From there, we use at least one other tool or our own tools to verify findings and find any additional information that we think is necessary for the case. After that, the investigation can take a wide variety of paths depending on the needs of the client.
MF: Is there anything you feel like you’re missing from your forensics tools? Any particular features you’d like to see implemented?
NL: The majority of the forensics tools in the industry struggle to acquire data from current mobile devices, especially iOS devices and password-protected devices. While most tools have some level of support, it typically involves collecting a backup of the phone, which only allows the data that the phone is capable of providing in a backup to be analyzed.
MF: If there was one piece of advice you could give yourself 10 years ago, what would it be?
NL: Ten years ago, I would have told myself to not worry so much about what to study in college, and to focus more on training my brain to learn and problem solve in many different ways.
Nathan Little leads the incident response and data breach investigation team at Gillware. Gillware provides cyber security, incident response, digital forensics, and data recovery services from its offices in Madison and Milwaukee, WI. Nathan has designed and written data recovery and digital forensics software, has investigated all types of security incidents, from employee data theft to complex network attacks, and specializes in finding the root cause of an incident and determining and narrowing down the volume of data that was compromised during a security incident.