Digital Forensic Diaries is a collection of short stories featuring Parker Foss, a witty detective who specializes in the field of digital forensics, that is, recovering and investigating electronic evidence to solve crimes. Apart from its British humor, the book stands out for its accuracy, both in the true-to-life methods and tools it depicts and in its portrayal of the investigative process.
Mike Sheward @secureowl is the author of Digital Forensic Diaries. A native of England, Mike previously ran the digital forensics and investigation unit for a cybersecurity company in Worcestershire before joining Concur as Global Security Operations Manager. Today, Mike is Director of Information Security at Accolade, a Seattle company that helps individuals and businesses navigate the healthcare system. The scenarios he describes in the Digital Forensic Diaries are based on his own experiences in digital forensics.
ExtraHop is offering free copies of Digital Forensic Diaries (while supplies last!) to IT professionals who sign up for our emails. Sorry, we can't accommodate everyone. U.S. and Canada only. Email me at tyson[at]extrahop.com if you'd like to receive a free copy. Also, if you'll be at Black Hat, stop by the ExtraHop Booth #1765 where we'll have copies while supplies last.
Q: Thanks for chatting with us, Mike. What do you hope readers will take away from the book?
A: A couple of things. The first is that, even without explosions, car chases, and stock footage of random Linux terminals, stories about digital investigations can be super interesting and exciting just as they are. Secondly, I want people, even people that already work in the industry, to understand that even though we're working firmly in the digital domain, a lot of the cases we work on have a very real human impact. I think all of these stories do that aspect justice. These are all based on genuine cases that I've worked, and it was just a case of going back through notes and transcribing them into each story—with identifiable information changed, of course.
Q: Tell us a little about your writing process—how'd the book get started?
A: Each of the five short stories in the book started life as an ebook. The series of ebooks began to be released about three years ago. People liked them, but not everyone likes ebooks. I always promised myself that if I wrote five of them, that'd be enough to justify putting out a printed book, which might increase the appeal.
Q: Why do you enjoy digital forensics?
A: It's a wonderful blend of two of my favorite areas of study, science and art. You have to be scientifically sound in your methodology during an investigation, but you also have to be super creative. I can't think of any other IT job that requires that blend.
Q: Has there been any recent headline news involving digital forensics, either at the forefront or behind the scenes?
A: Well, I can tell you that the story behind "Revenge of the Wire," an episode in the series, was in the press within the last 12 months! Other than that, digital forensics is everywhere. From the painstaking analysis of ADS-B and satellite data from the search for Malaysia Airlines Flight 370, to the battle to break into the San Bernardino shooter's phone, it's hard to not find a story that involves digital forensics. We haven't even touched on the political stories! Hacked emails, validating email dumps, etc.
Q: You use ExtraHop at your current company and also at your previous employment. Did ExtraHop help with digital forensics investigations?
A: Yes, in fact, the first time I used ExtraHop was as a forensics tool. I hooked it into a span port to track some strange outgoing DNS traffic that was being dropped by a firewall, even though it was being sourced internally. It took me about 10 minutes to figure something out that otherwise I'd have been working on in Wireshark for some time. We continue to use ExtraHop as our primary network, database, and application forensics platform as wire data is tamperproof.
Q: In general, what is the value of wire data for incident response?
A: Well, the analogy that wire data is like CCTV comes to mind. You simply cannot delete or manipulate wire data like you can log files or reported machine data. Most incidents occur because X talks to Y when X shouldn't, or it would be abnormal for X to start talking.
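The two answers above describe the same check from two angles: the anecdote of internal hosts sending DNS that the firewall was dropping, and the general rule that incidents show up as "X talks to Y when X shouldn't." The script below is an added illustration written for this post; it is not code from the interview, from Mike Sheward, or from ExtraHop. It works over a few constructed flow records (the kind a firewall or a wire-data sensor would export), and the network layout, approved resolver address and record format are all assumptions made up for the example.

```python
"""Flag internal hosts that talk DNS to anything other than the approved resolvers.

Added example for this interview page. The network ranges, the resolver
address and the flow-record format are hypothetical; the flow lines are
constructed sample data, not real logs.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed network layout (hypothetical values, not from the page).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
APPROVED_RESOLVERS = {"10.0.0.53"}   # the only destinations internal DNS should reach
DNS_PORTS = {53}

# Constructed flow records: timestamp, src_ip, dst_ip, dst_port, proto, action.
# Documentation ranges (203.0.113.0/24, 198.51.100.0/24) stand in for external hosts.
SAMPLE_FLOWS = """\
2017-07-20T09:00:01 10.1.2.20 10.0.0.53 53 udp allow
2017-07-20T09:00:02 10.1.2.20 10.0.0.53 53 udp allow
2017-07-20T09:00:05 10.1.2.44 203.0.113.9 53 udp drop
2017-07-20T09:01:05 10.1.2.44 203.0.113.9 53 udp drop
2017-07-20T09:02:05 10.1.2.44 203.0.113.9 53 udp drop
2017-07-20T09:02:30 192.168.5.7 198.51.100.4 53 tcp allow
2017-07-20T09:03:00 10.1.2.20 198.51.100.80 443 tcp allow
this line is truncated and must be skipped
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    action: str


def parse_flows(text):
    """Parse whitespace-separated flow records, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # partial or foreign line: skip rather than abort the run
        ts, src, dst, dport, proto, action = parts
        try:
            flows.append(Flow(ts,
                              str(ipaddress.ip_address(src)),
                              str(ipaddress.ip_address(dst)),
                              int(dport), proto.lower(), action.lower()))
        except ValueError:
            continue  # unparseable address or port
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rogue_dns(flows):
    """Internal sources talking DNS to anything but the approved resolvers.

    Dropped attempts are kept on purpose: the firewall stopped the packet,
    but the host still tried, and repeated tries are the interesting signal.
    """
    return [f for f in flows
            if f.dport in DNS_PORTS
            and is_internal(f.src)
            and f.dst not in APPROVED_RESOLVERS]


def summarize(flows):
    """Count (src, dst, action) tuples so repeat offenders stand out."""
    return Counter((f.src, f.dst, f.action) for f in flows)


if __name__ == "__main__":
    rogue = find_rogue_dns(parse_flows(SAMPLE_FLOWS))
    for (src, dst, action), n in summarize(rogue).most_common():
        print(f"{src} -> {dst} ({action}) x{n}")
```

The check is deliberately a whitelist of who may talk DNS to whom, rather than a signature: the anecdote's traffic was already being dropped and would never have looked malicious on its own, yet an internal host repeatedly trying to reach a resolver it has no business using is exactly the "X shouldn't be talking to Y" condition the answer describes.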
Q: What's next for Parker Foss? Will we be hearing more of him?
A: There are many more stories, so hopefully! I'm actually in discussions to write a nonfiction book on handling security incidents and the forensic investigations that span from them, so if that comes together it will be my next writing project. Fingers crossed!