February, 2014

Tech and Law Center interviews Jesse Kornblum, Security Engineer for Facebook. Based in the San Francisco Bay area, his research focuses on computer forensics and computer security. He has helped pioneer the field of memory analysis and authored a number of computer forensics tools. These tools include the Hashdeep suite of programs and the ssdeep system for fuzzy hashing similar files. A graduate of the Massachusetts Institute of Technology, Mr. Kornblum previously served as a computer crime investigator for the Air Force and with the Department of Justice.

Twitter @jessekornblum

When did you become interested in digital forensics? Was there any particular event that triggered your interest?

As a kid I listened to a lot of old time radio shows like “Dragnet” and “Yours Truly, Johnny Dollar”. They piqued my interest in getting ‘just the facts’. Love always starts with a romantic vision, really. By the time I got to college I had enough knowledge to make that vision into a reality. I had been working with computers-playing, really-from a young age. By the time I was in elementary school I was quite adept with them. Combine those two things together and you wind up with a computer forensics geek.

What is your opinion on certifications and education in the forensics field? What improvements would you make?

I don’t find certifications useful. They’re not something I look for in hiring people. and don’t see them as selling points for myself. That being said, continuing education is absolutely vital. Everything
in the computer industry changes every seven years. Seven years ago there were no iPhones, but now they’re everywhere. Seven years before that there was no Windows 2000. Seven years from now, everything will be completely different. If you’re not taking training and learning new things, the world will pass you by.

What can we expect when it comes to malicious code on mobile devices? Are there any interesting things that people need to be aware of?

I believe that the bad guys go where the money is. There doesn’t seem to be a need for the bad guys to up their game at this point. The same phishing, social engineering, and other scams will make their way into the mobile world.

Storage capabilities of todays system are increasing at a very high pace. How is it possible to manage in an efficient and comprehensive manner the huge amount of data that have be analyzed?

Yes, the overall capacity of our devices is increasing, and will continue to increase. But I don’t believe those increases will present a problem for investigators. The amount of data on any device will
still be limited by the capacity of the user. My mobile can hold up to 64GB of data. But there is no way one person can actually *use* that much information. Sure, yes, my entire photo collection and a few movies will fill the space. But it’s easily to identify such bulky content. The items of interest in an investigation are things which people use to facilitate their illegal acts. It’s an email, or a bank transaction, or a trophy picture. The bad guys want to hide that data, yes, but they also have to use it. We can follow the same process they use to access their information. A bad guy with 64GB of text email will need some way to organize it-search by keyword, sender, picture, or perhaps something we haven’t thought of yet. Those trails will lead us precisely where we want to go. Bad guys want to hide their information, but they also have to use it, too. (Did I just extend the Rootkit paradox?)

Which will be, in your opinion, the challenges that Digital Forensics field will have to face in the coming years?

More and more data is being stored in the cloud. That’s not a challenge as people will always have a cache of information on their local devices. But the real challenge will be that cloud storage systems can change the format of the local cache whenever they want. The docx file format isn’t going to change without warning. But the the way an app like Facebook stores data on a local device could change overnight. They don’t have to tell anybody, let alone get any approval. This is a good thing for them and fosters innovation. They can move quickly. But when they break our tools, we may have no way of knowing until we’re in the middle of another case..