So this interview is a bit of an experiment in that it’s the first vendor interview that I have conducted for the blog. I don’t plan on doing very many of these because I don’t want the interviews (or anything else I do here) to be thinly veiled sales pitches. However, in this case I wanted to try something out because I know there is a considerable amount of concern on the part of security leaders in regards to enabling mobile devices. It’s one of the hot button topics these days along with cloud computing and advanced threat actors. The reason I wanted to do an interview with Andrew Hoog is that he’s a very sharp fellow whose team over at viaForensics has been approaching mobile device security in very comprehensive manner. In addition to their work in mobile device forensics, they have spent a considerable amount of time and effort studying not only the security implications of the various mobile device operating systems, but also the security issues pertaining to mobile device applications.
I also want to make it clear that this interview does not constitute in any way an endorsement of any of viaForensics products and services. I’m not a viaForensics customer and I have not purchased or used any of their products or services. I have, however, read and favorably reviewed Andrew’s recent iOS forensics book which we discuss during the course of the interview.
If you have a few moments to spare, let me know if you found this interview valuable since I will use the feedback to determine if I do any more vendor interviews in the future and how best to conduct them. Feel free to reach out via email if you don’t want to leave a public comment on the blog.
This will be my last blog post for the year and I want to wish you all the best for 2012. I am humbled and grateful that you continue to read and comment on what I write. I’m particularly thankful for all of the people like Andrew who were nice enough to take time out of their busy lives to participate in the blog interviews this year.
Professional Biography of Andrew Hoog
Andrew Hoog – Chief Investigative Officer and co-founder
Andrew Hoog is a computer scientist, certified forensic analyst (GCFA and CCE), computer and mobile forensics researcher, author of two forensic and security books, expert witness and co-founder of viaForensics, an innovative digital forensic and security firm. He divides his energies between investigations, forensic software development, and research in digital forensics and security. He also has two patents pending in the areas of forensics and data recovery.
He lives in Oak Park, IL, where he enjoys spending time with his family, traveling, great wine, science fiction, running and tinkering with geeky gadgets.
What does a Chief Investigative Officer for viaForensics do?
As Chief Investigative Officer, I am responsible for all non-administrative functions at the company including investigations, research, development, writing books and articles, speaking engagements, winning foosball games and making sure the beer fridge is well-stocked. Basically, I get to do the really fun stuff but don’t have to worry about the accounting, human resources, etc. I also work with the two other members of the management team (Chee-Young Kim, President, and Ted Eull, VP of Technology Services) to manage the direction and strategy of viaForensics.
Our course, the real question might be how did I ever come up the title Chief Investigative Officer? Prior to co-founding viaForensics, I was the Chief Information Officer for a medium-sized company (approx. $750 million in sales) and over my career have held senior IT positions in small, medium and large organizations. The end goal in the corporate IT world is, of course, to be the Chief Information Officer. When I finally achieved this at my previous job, I rather liked the title and decided I wasn’t ready to part with it. So I came up with Chief Investigative Officer which seemed to fit quite nicely. Plus, there’s the added benefit that I always have a title to select (CIO) on the never-ending barrage of pesky web forms I must fill out.
AFoD Blog: How did you obtain the knowledge that enabled you to get to where you are today? Did you study information technology in a university setting?
Andrew Hoog: I attended Saint Louis University and received a Bachelor of Arts in Computer Science (and a minor in Math). Yes, I know, a Bachelor of Arts…really? Well, I’m confident the degree was exactly what I needed. There are many fantastic technical schools and they generally provide a Bachelor of Science for CS which essentially means more physics and such and less softer skills (such as writing, philosophy, etc.). But it’s the ability to think critically, reason and communicate both written and verbally that have been major accelerants for my career. So, an important foundation was set for me at SLU. And let’s face it, programming in assembly language is nothing to sneeze at so I’m pretty comfortable holding my own with more traditional technical degrees.
Beyond formal education, though, I’m mostly self-taught. Like many of the readers, I’m absolutely hooked when it comes to computers so I find it enjoyable to work in this very technical discipline. I didn’t get involved with forensics until recently (2008) and my introduction to the topic included reading many books and blogs and then getting my GCFA. And that’s one thing I love about the forensics community: their willingness to share knowledge. Whether it’s on the many great blogs I follow, in books or simply talking to people over email, on the phone or at a conference, the knowledge sharing within our community is a tremendous resource.
AFoD: Can you describe the process you used to teach yourself? How does someone go from having a Bachelor of Arts in Computer Science to being one of the leading mobile device forensics researchers in the field today?
HOOG: Well, first, I certainly appreciate your characterization of the research we’ve performed to date. There’s a tremendous amount of opportunity in the digital forensics discipline for motivated individuals and companies.
My preferred method for learning is to dive in and be very hands-on. So, if I’m working on Android, then I want an Android device (well, actually, as many devices as I can get) and I start tinkering. I do a lot of reading, whether from blogs, academic papers, books or simply source code. And I like to program…not superbly architected systems, but code that tackles the problem directly. For that, I use Python and if I happen to develop something useful and compelling, we turn the working code over to excellent programmers who do a better job with the overall architecture, abstraction, development, etc.
But I suspect there are a few fundamental drives I possess (beyond being a forensics geek) that many people in our industry do as well. First, if I encounter something new, I want to understand how it works. Second, as I learn the system, I want to expand upon existing knowledge base. In forensics, that often means how can I gain access to a device, forensically acquire the stored data, and ultimately analyze the information to create actionable intelligence (and that’s the really fun part). Third, once I’ve figured out something new, I want to code it. As I mentioned, I like Python as it allows me to rapidly prototype a system and attain results. And finally, I’m highly motivated because I find all of the above steps incredibly satisfying. Once I get started on a problem, I don’t want to stop until I feel I’ve at least made a good dent. I also like to share what I’ve learned which has led to HOWTO blog postings, many presentations (which are slowing being put online at our website) and recently several books.
AFoD: This past summer I reviewed your excellent iOS forensics book that you wrote with Katie Strzempka. You also released your Android forensics book around the same time. What can you tell us about both books? What makes them different from what has been done in the past?
HOOG: The approach for both books is to be very technical and provide examples using as much F/OSS software as possible for reader to follow along. So, I think the iOS book came out very well and provides not only extensive background and acquisition information, but also how to analyze iOS/HFS file systems, an overview of commercial tools, and a number of techniques anyone with an iOS device and a computer can do. The Android book doesn’t have to differ from the past as, to my knowledge, it’s the first book out on Android Forensics. At over 100k words, it is also very detailed and provides steps to build an Android forensic virtual machine (Linux) and plenty of examples. I also cover the open source YAFFS2 file system in detail.
As with the approach we’ve taken with viaForensics, the books also push into the mobile security space. So, chapter 5 in both books deals with mobile security but from the view point of a forensics examiner. Beyond the background info, the chapters target information to specific audiences: mobile device user, mobile app developer, and corporate IT security responsible for securing mobile data. What we’ve learned over the past few years is that forensics has a much larger role to play in overall security than it has in the past (IMHO).
The books have been well-received and sales are strong. Several universities are evaluating the Android book as a basis for a mobile forensics and security class and two universities have officially selected it (one semester class just ended). Katie was an excellent co-author on the iOS book and deserves much credit. We have a great team at viaForensics and we like to share our knowledge, so the books were a great fit for us.
AFoD: Digital forensics is a tool intensive discipline and there are a dizzying amount of tools being offered for the mobile device examinations. What do you recommend to people who are starting from nothing, but want to build out a digital forensics tool set to cover a broad range of mobile devices?
HOOG: One of the challenges of mobile forensics is that it’s very difficult and expensive to support a broad range of mobile devices because there are so many and they can vary greatly. Generally speaking, this is not an issue in computer forensics since you can pull the drive, attach it to a write blocker and image most of them in the same way.
I recently wrote a long post on this topic arguing that the goal for examiners should be to support the phones that they are 1) mostly likely to encounter and 2) most like able to extract meaningful data from. This is not to say that you can simply ignore other phones but if you try to support every phone, it will be very difficult.
There are a number of F/OSS solutions examiners should consider. First, BitPIM has been around for a while and supports many phones. We (viaForensics) also developed an Android forensics logical tool (AFLogical) free to qualified law enforcement and government agencies. So, these are great options to start out. If you see a wide variety of phones and need to attempt to image them all, you’ll have to purchase a commercial solution that provides broad support (two examples with seemingly happy users are Cellebrite and XRY). Since we have our own commercial forensics software which focuses on Android, we know how difficult supporting even one platform can be so while they phone may be covered in the product literature, the amount of data extracted can vary. I would encourage examiners to test ahead of time (if possible) or perhaps check out NIST to see if they have tested the software.
Mobile devices are increasingly important pieces of evidence but they are troublemakers. So, focus on the most important, high-yield devices. Take advantage of F/OSS software. Look at resources you can tap to find out if a mobile forensic platform works well, such as NIST reports, blog posts, MFC, mailing lists, conferences, white papers like our iPhone Forensics white paper or simply call other examiners on the phone and just ask them. And if you have experiences you can share, add your voice to the discussion so we can all tackle this increasing difficult problem.
AFoD: One of the reasons I wanted to do this interview with you is that you are doing more than just talking about the forensic examination aspect of the mobile device security. For example, the team at viaForensics has spent a considerable amount of time addressing the overall security implications with these devices through avenues such as your appWatchdog work. What do you tell a chief information security officer who asks you about the impact these devices will have on a corporation's risk profile and how that organization should be addressing those risks?
HOOG: Mobile devices are quickly changing the risk profile for corporations and CIOs/CISOs are justly concerned. It’s interesting to look at how these changes happened so quickly. When Apple released the iPhone, they were not targeting corporate enterprises directly; they were focused on the consumer. And while there is now some attention to needs of the enterprise, Apple (as well as Google) is still largely focused on the consumer. But this lead to an interesting development: employees -- many of them senior executives -- began using mobile devices, both personally and for corporate systems, and they were able to do this without getting the approval of IT. So, the tables have turned and IT departments must accept the reality that these devices are here to stay.
Early on, corporate IT was not aware of the risk to their organizations but this has changed over time. A growing part of our business is performing testing and analysis for corporations who are trying to mitigate the risks introduced by mobile devices. And the risks are considerable. On the obvious side, an enormous amount of corporate data is cached on mobile devices and is outside the control of the IT department. The data can easily end up on personal computers or even eBay/Craigslist. Beyond data caching, devices can be used to compromise a company, whether from an insider or an attacker gaining control of a device.
We are often asked what a corporate (or individual) can do to protect themselves from mobile risks and jotted a few suggestions down just after the Epsilon breach. We’ve posted a number of free (and one paid) resource to answer these questions and I’ve been interviewed extensively on this topic (so perhaps just Google my name). Here are a few examples:
· Tips for both consumers and corporate IT for securing mobile devices (free)
· A series of 10 questions on mobile security (I chose one but you can access all from the free article):
· Our Mobile Security Risk Study, a very detailed report (80+ pages) covering mobile security risks affecting corporations. The report includes detailed analysis of the efficacy of security controls such as passcode protection, and focuses on the security of iOS (iPhone) and Android (paid)
Rather quickly after starting viaForensics, we realized that digital forensics can play a far larger role by expanding beyond a reactive model (investigations and incident response) and into a proactive model. The proactive implementation of digital forensics is now a primary focus for viaForensics and has led to initiatives such as appWatchdog (free mobile app security testing), appSecure (paid, sophisticated mobile app security testing and certification) and liveForensics (proactive forensic monitoring for key assets). This is the really exciting stuff. We have made tremendous strides and impacts in the larger security space by applying the forensic discipline to the many problems the industry is facing.
AFoD: Can you talk more about what you mean by the proactive implementation of digital forensics?
HOOG: While we are relative newcomers to the digital forensics field, we’ve been at it long enough to see patterns emerge in many investigations. For example, how many of us have done the “departing employee data theft” case and when you look at it, you realize 80% of the investigation is the same as the previous one? Once I see a pattern like that, I can’t help but look for a way to improve (i.e. automate) the process. And we found that there were ways to do that indeed, especially since most of the forensic tools we use are command line.
The next realization was that while we could tell a client the last time someone connected a USB drive to their Windows workstation, we could not tell them much about previous activity. So we (and other examiners) have become very good at figuring out what happened with only a fraction of the data points we need. But it seemed far easier to simply capture that data than to try to guess what happened. When you look at the forensic metadata you would need for this historical information, it’s really not a lot of data (in terms of MBs).
So we began to work on proactively collecting forensic metadata from key systems on a scheduled basis, typically daily (but we can handle any frequency). We then store that data, analyze it with the techniques we developed above, and then import all of the information in a data warehouse. This allows us to provide sophisticated reporting, analysis, dashboards and even visualization to our clients. We no longer have to guess about the other times a USB drive was connected since we have all the data. It’s a tremendously powerful solution and we’ve been quietly providing it since the end of 2009. We call the service liveForensics® and we have a growing list of clients that utilize it.
There’s quite a bit more I could say on that topic but instead, I want to provide one other example. As we were performing investigation on mobile devices, we were consistently uncovering sensitive data on the phones that no one, except the “bad guys”, would benefit from. For example, we have uncovered full credit card data (16 digit number, CCV, name, etc.) and it really bothered us. If law enforcement was doing an investigation, they did not need the CC data. If we were doing a corporate investigation, again, they had no need of the CC info. The same goes for “domestic cases” and the end user does not need the CC info insecurely stored on the device. So, the only benefactors of this info would be cybercriminals.
We again looked to proactive forensics to begin to address the issue. We created a free service, appWatchdog®, where we examine popular mobile apps on iOS and Android to determine if they store usernames, password or sensitive app data unencrypted on the device. If so, we note what is stored and provide a rating for the app on our website. The consumer can then determine if they apps they use put them at risk for financial or identity theft. We are coming out with an Android app soon (and hopefully an iOS shortly thereafter) which will look at the apps a user has installed and let them know which ones pass and which have security issues. The info is also posted on our website and we posted a study recently highlighting the first 100 app audits we completed.
So, these are two examples of how we apply forensic techniques proactively to solve security issues. Why wait around for an incident to occur when you could use the power of forensics to detect and ultimately thwart the attack? So, we’re kind of hooked on the proactive forensics thing and we’re just getting started.
AFoD: Thank you for taking the time to do this interview, Andrew. Is there anything else that you'd like the readers to know about regarding what we can expect out of viaForensics in the future?
HOOG: Since viaForensics is heavily invested in forensics/security R&D, there’s quite a bit folks can expect in 2012. The most straightforward are a number of key updates to viaExtract, our forensic software.
In mid-December, we’ll release version 1.1 which will extract considerably more data from Android devices. As some of your readers know, we also have significant experience in physical extraction and analysis of Android devices so expect some developments on that front. In fact, we know a bit about that on the iOS side as well and Windows Mobile is finally positioning itself as a mobile OS worth researching. Finally, we’ve developed a new SQLite recovery technique which extracts far more data and we’ll likely build that into viaExtract soon.
We are also working on some new NAND Flash acquisition techniques. This is still very much in the R&D phase, however, on some phones, we expect to have a working NAND Flash write blocker (software based) and we are working on solutions for NAND Flash that have embedded controllers. Of course, acquiring data is only one part of the challenge so we are working on decoding and analysis tools as well.
Another interesting project we are working on is YAFFS2 support The Sleuth Kit. This should be good news for the community as there is limited support for YAFFS2 today and we will release our code as open source and part of TSK. Soon, we will also release an open source version of AFLogical, our Android forensics logical component.
Our liveForensics service is in the process of major upgrades as well. The collection agent is maturing rapidly and we are improving the analysis and reporting interfaces. We will also develop a black box version of the service so it can be deployed internally at our larger clients.
On the mobile security front, we will continue to combine our forensic and security expertise to analyze mobile apps. If any of your readers have responsibilities in this area, they should keep track of our posts. We’ll have some interesting findings posted soon and some compelling products on the way. Our mobile security work is also applicable to mobile malware so we have some interesting things in the works there.
While there’s quite a bit more, I finish off with one final item. We’ve recently developed some very advanced techniques for securing mobile devices that extend well beyond any commercially available solutions today. I can’t dive into specifics yet but if organizations require very advanced security on mobile devices, we will release a solution in 2012 to address current shortcomings. I better stop now or we’ll bore your readers. Thanks, Eric.