SecureMac, Inc.

Computer security news. Just for Macs.

Get the latest computer security news for Macs and be the first to be informed about critical updates. Industry news, security events and all you need right at your fingertips. Malware threats change daily, so keep up to date on the latest developments to help ensure your privacy and protection. You can never be too safe.

Sarah Edwards on digital forensic analysis

Posted on March 11, 2020

Sarah Edwards is a digital forensic analyst whose area of specialization is Mac and iOS forensics. She works as a Senior Digital Forensics Researcher for BlackBag Technologies, and is also a teacher, holding the position of Principal Instructor at the SANS Institute, where her pedagogical skills have garnered praise from students and colleagues alike. In addition, Edwards is the creator of an open-source tool for iOS and macOS forensics called APOLLO, which she will discuss at the upcoming Objective by the Sea 3.0 Mac security conference. We spoke with Sarah Edwards about her work, digital forensics as a career path, and why she doesn’t mind if Apple makes her job harder.

Last year, cybercrime cost the U.S. economy over $3.5 billion — and that figure only represents direct costs from reported crimes. The full impact of malicious actors on the economy may be far higher, with some estimates running into the trillions. And of course, in addition to cybercrime strictly defined, computers and mobile devices are also used to engage in all manner of criminal activity.

Digital forensic analysts investigate computer crimes and analyze devices to recover evidence for law enforcement agencies. Their work is instrumental in solving crimes, and in building the legal case needed to prosecute bad actors.

Part computer expert and part detective, a digital forensic analyst loves a good mystery — which is what first drew Sarah Edwards to the field:

I like solving puzzles. To be perfectly honest, I was part of the CSI effect of the early 2000s (well before CSI: Cyber!). I knew the show was overdramatized, but I loved the aspect of solving puzzles to solve crimes. And helping people along the way can provide a sense of accomplishment like no other. 

My path to digital forensics happened in college. I started out in various engineering majors (computer and microelectronic), but these weren’t quite for me, so I went to what I was already very comfortable with: Information Technology. During this time I was also doing a minor in Criminal Justice; it seemed like a good time to pair the two. I took classes that went over filesystems in depth. These classes were not for everyone — it takes a certain personality to love a filesystem! My first forensics course (and the first forensics course at Rochester Institute of Technology) was offered during my last quarter. Not having all the prereqs, I had to beg to get into the class — and I adored it! It affirmed that this was going to be my lifelong career.

Forensic analysts are essential to fighting crime in a digital world, yet the details of their work are often not very well understood by the general public — and at times, even by people within the technology community. 

Despite the dramatic portrayals of the job on shows like CSI: Cyber, the daily routine of a forensic analyst tends to involve long hours and painstaking analytical work, with some cases lasting far longer than most people would expect:

There are so many specialties in digital forensics: criminal forensics, incident response, malware reverse engineering, intrusion analysis, ediscovery, network analysis, to name a few. Each of these can be quite different, day to day, from the others. 

You want to be absolutely sure that what you say happened, actually happened — people’s lives are at stake.

My specialties have been criminal forensics, intrusion analysis and reverse engineering, and now research and development. When I was doing daily casework, a normal day was getting a new case (or three!) and working it until it was complete. This could take anywhere from a single day to months. I worked on one of my longest cases for 8 months! Each case is different. It will require different types of analysis, and you just need to listen to the data to drive you in the right direction.

Most days are fairly uneventful. Looking at screens of hex, filesystem metadata, putting the pieces together to tell the story of what happened on that system. In my early days working with DEA, I had the opportunity to go out every once in a while and collect evidence from the field. It is always nice to get out of the office and physically do something. We would go to various drug busts all over the country, and some internationally, to triage and collect systems for analysis back in the lab. Some days we were in very nice doctor’s offices, other trips we were in the worst of the worst locations, basically trying not to touch anything but the systems. These trips always had a certain thrill to them. While us nerds were generally not part of the initial entry, we would be in the midst of all the action throughout the day while we were imaging. Late nights were always due course — we were always the last to leave, waiting on those progress bars.

One common misconception is how long it can take to do an analysis. Certainly some tasks can be completed quickly, but due to how technology changes there is lots of research involved. Back in the day we didn’t have to worry about encrypted systems, acquiring mobile devices, or dealing with hundreds of systems. Today even getting to the data is tricky — let alone the analysis! These days we are finding ways to deal with encryption, reverse engineering odd file formats, and testing different scenarios.You want to be absolutely sure that what you say happened, actually happened — people’s lives are at stake, and making assumptions could be to the detriment of many.

There is also another, darker aspect of the work of a digital forensic analyst — one that makes the work more emotionally and psychologically taxing than most people might expect. But this side of the forensic analyst’s job gets relatively little attention, perhaps because the issues it deals with are too disturbing for network television. Edwards explains:

Another misconception is that we are only looking at computer files. Many of us in digital forensics end up working cases in which we see things we would rather not see. Due to the circumstances of how this data lands on our desks, very often we’re not dealing with the happiest of situations. Forensics analysts can see some of the worst content that is out there: child exploitation, terrorist propaganda videos, sexual violence, murders. You name it, we’ve seen it. We see the underbelly of the Internet, sometimes on a daily basis.

While the work of digital forensic analysts may be somewhat misunderstood by the public, it can nevertheless offer valuable insights into device security and data privacy that everyday computer users can make use of. 

People do not realize what is saved on their devices. They use a secure app and assume it is encrypting all the things associated with it on their devices. But end-to-end encryption doesn’t mean it’s encrypted on the endpoint.

Forensic analysts need to access and examine mobile devices and computers. Because of this, they know — perhaps better than anyone — what data is truly secure and private…and what data isn’t. Their work takes them deep into the hidden recesses of operating systems and teaches them where to find data that most users aren’t even aware of.

Edwards encourages anyone concerned about privacy and security to be more mindful of just how much information is being captured by their computers, to learn about the limitations of the technology that they use, and to take precautions to restrict access to their devices: 

People do not realize what is saved on their devices. They use a secure app and assume it is encrypting all the things associated with it on their devices. But end-to-end encryption doesn’t mean it’s encrypted on the endpoint. 

So as far as advice goes, do make sure you’re using secure apps…but know their limitations. If you’re worried about access on your device, set up encryption, passwords, and take other precautions to limit that availability.

Another one is my personal favorite: how much these devices track user activity to an extreme level of granularity. If you’re ever taken in for an interview, don’t lie! The data will always tell the truth.

It’s understandable that average users are unaware of the inner workings of OS or network logs, and don’t have a deep understanding of how these are used in the course of forensic investigations.

But surprisingly, IT professionals can also suffer from knowledge gaps which cause them to make mistakes in the aftermath of a cybersecurity incident — mistakes which can complicate or undermine the work of the digital forensic analysts called in to examine the evidence.

In the event of a breach or intrusion, Edwards says that network and system administrators should do everything they can to reach out to the response team quickly — and avoid doing anything that could contaminate or inadvertently destroy valuable evidence. There are also steps that can be taken ahead of time so that, if an incident does occur, analysts will have access to the information they need:

I’ve run into a few “helpful” admins in my past. Those who like to go in and remediate a computer intrusion by running AV, re-imaging, or poking around in the system to “clean” it up. Please don’t do this: This makes my job of putting together the timeline of events much more difficult. 

On the proactive side: logs. Log all the things! Collecting the system, network, and server logs in a single location in the event of a compromise is like manna from heaven. Logs rolling over on systems due to time or size constraints makes the job difficult. If a compromise happened a year ago, those logs are gone from the system. But if they’re archived somewhere — you’ve just made an analyst very happy. 

Once an intrusion is suspected, first discuss with the incident responders how to proceed. They may want more specific collections of the network traffic coming from that system, or special handling of the system itself. If you have a mobile device with an unknown passcode, time is of the essence. Do not turn off the device. Call in the experts immediately as the data on that device will not last forever (sometimes only days). Turning off the device doesn’t freeze time.

Despite the pressures of the job, Edwards and her colleagues genuinely seem to love their work — and will enthusiastically recommend digital forensic analysis as a career path.

Like any specialization, digital forensics draws people from all sorts of backgrounds; people with different talents and aptitudes. But while there is substantial diversity within the field, Edwards has worked with enough students as a SANS Principal Instructor to identify three key character attributes that are essential for success:

You need patience. In most cases you’ll be working your way through different forensic artifacts like file metadata, databases, media, logs, etc. While there is some automation in this field, it all defaults down to eyes on data analysis. There is no “find evidence” button. Get ready to dive deep into the world of hex and swim!

You need a willingness to learn. There is no point in getting into this field if you think you know everything.

A sense of curiosity is also mandatory. You will need to let the data speak to you to find that one thread that you can pull to unravel the story of that device. One of the reasons I love this field and its community is our sense of curiosity. You find a thing, you get deeper into it through research and testing than anyone ever has, and now you are the expert in that thing. A kid in college getting their digital forensics degree can easily become an expert (albeit on a very specific thing), but that sense of curiosity is something that they will continue to use throughout their career.

Finally, you need a willingness to learn. There is no point in getting into this field if you think you know everything. It changes almost by the hour. You will have to learn. And you will have to take what you’ve learned and teach others. This is how knowledge is transferred from analyst to analyst.

A career in cybersecurity can be rewarding, both personally and financially. But despite these incentives, the industry as a whole still struggles to attract new talent in sufficient numbers — and this at a time when there is a critical shortage of cybersecurity skills in the workforce.

One way to address this issue is to recruit the next generation of cybersecurity professionals from groups which have been historically underrepresented in the field (women, for example, currently make up only 25% of the workforce in the cybersecurity).

But improving representation isn’t always straightforward or easy. And unfortunately, some of the obstacles come from within the security community itself. Women working in the field have to contend with pay disparity, discrimination, and outright hostility from some of their colleagues.

But while Edwards recognizes these problems, she sees the forensics community as being something of an outlier within the world of cybersecurity — with crucial differences that make it a particularly welcoming environment for young women entering the field:

The interesting thing about forensics and security is that women are generally treated completely differently. I’ve seen this from both sides in my chosen career path. 

In information security we do get the unfortunate normal imbalance: paid lower, mansplaining, and a general “you don’t belong” here vibe. 

Meet the folks in this community. You will make lifelong friends who will always have your back.

However in forensics, it’s the opposite. I see more women at our conferences year after year. I’d love to see even more, but I’m very happy to see the amount of support we give (and get) from others in our community. 

Forensics is, of course, a much smaller field than infosec, but I’ve always been amazed at the amount of support and positivity in it. Certainly some negative things happen, but it’s much less frequent. Forensics is a small community and it seems everyone knows everyone else. I’d like to think our community wouldn’t put up with it.

To a young woman entering this field, I’d say you couldn’t have made a better choice (I’m biased of course). There are challenges you will have to deal with, but our community will support you — as long as you seek that support out. We are here to raise everyone up to their full potential. My best advice is to network, get on social media, go to conferences, meetups, etc., and meet the folks in this community. You will make lifelong friends who will always have your back.

This strong sense of community may be attributable, in part, to the need for mutual support in a field that seems to change overnight.

In the world of Mac and iOS forensics, for example, Apple is now taking steps to secure its devices to an unprecedented degree — which will likely complicate the work of forensic analysts working on cases involving iPhones and Macs. 

These changes have caught the attention of high-level government officials, with Attorney General Bill Barr calling on Apple to create a “backdoor” to its devices for investigators to use when working on criminal cases.

But Apple has resisted these requests, saying that the existence of a backdoor would undermine user privacy and security. The company appears unlikely to reverse its stance: Though much of the public debate over the issue has been about locked iPhones, there is every indication that Apple is committed to moving macOS in the direction of iOS in terms of encryption and access.

Edwards realizes that Apple’s moves may one day make her work harder. But she is convinced that the company is doing the right thing, and that what the government is demanding is fundamentally impossible. 

This is not to say, however, that she is pessimistic about the future of Mac forensics. On the contrary, she sees the increased difficulty of working on a hardened Mac as just another puzzle to be solved — a challenge that she and her fellow forensic analysts welcome:

I’m on Apple’s (and the rest of the security community’s) side. I know it will make my job harder, but that makes me work harder. It’s just a more difficult puzzle to solve, but there is a way. 

A backdoor would be abused. No backdoor is “just for the good guys”.

I think a backdoor would be abused. No backdoor is “just for the good guys”. As an avid Apple device user, I cannot risk my personal security to make my job easier. And from a technical perspective, while there is a lot of data on these devices, that is not the only data that’s available. It’s time to start thinking about other sources of information.

At some point in the future, we’ll be jailbreaking Macs. I already see the merge between iOS and macOS happening with the forensic artifacts: Once we have the data, it’s nearly exactly the same. Getting to the data is the difficult part. It’s been hard with iOS devices for ages, but not impossible. Apple has introduced “iOS-like” protections on Mac, such as the T2 hardware encryption, that make getting an acquisition of a device challenging. Challenging…but not impossible. 

SecureMac thanks Sarah Edwards for taking the time to talk with us. If you would like to learn more about Sarah’s work, you can follow her on Twitter or visit her website. If you’re a student or security professional interested in training with Sarah Edwards at SANS, you can read the official description of her well-regarded Mac and iOS forensics course here.

Sarah’s presentation at Objective by the Sea 3.0 is called “Exploring MacOS with APOLLO”. Her talk will be livestreamed for Patreon supporters of the conference’s parent organization, Objective-See.

Join our mailing list for the latest security news and deals