We had a little chat with Richard Bunnell, co-owner of Digital Forensic Services LLC. We spoke about what is important in digital forensics, the most popular services in this field, and a passion for cyber security. Dive in!
[eForensics Magazine]: Hello Richard, how have you been doing? Can you introduce yourself to our readers?
[Richard Bunnell]: My name is Richard Bunnell. I have been interested in trying to understand what goes on in the internals of computer operating systems since the 1980’s. I started with DOS and now the lab is completely Windows 10 and iOS 10.
My background is from working in a Fortune 100 company with excellent teams and management. I started out doing programming in PC Assembler and supported a dial-up terminal emulator. I have done mainframe COBOL and network programming. I was on an amazing team that developed a program on a floppy disk that, when the computer was rebooted, would install the operating system and all the applications required for a business area with no user intervention. Before I got into digital forensics, I worked on a packaging team. We would install applications on a Windows machine, capture all the changes from the installation, and then develop an installation package that could be delivered by an automated system to hundreds of machines. Just as it is easy to update hundreds of machines, it is possible to make a mistake and mess up hundreds of machines. Using an automated method can make lots and lots of extra work for you and your whole team.
My manager’s support was unwavering and his famous saying to the team was, “No matter what happens, if you learn something in the process, you will be ahead the next time.”
[eFM]: Can you tell us something about your company, Digital Forensic Services?
[RB]: I am co-owner of Digital Forensic Services LLC. My partner and I formed this business because we enjoy the process of digital forensic analysis. We bring many years of experience to the process of making the complex task of digital forensic discovery understandable to small and medium sized businesses.
Most smaller businesses cannot support a dedicated digital forensic team. We want to meet that need by providing professional, reasonably priced services.
My partner brings to the table many years of experience in law enforcement, teaching skills, and technical expertise in many areas.
I bring to the table the experience of dealing with clients in a multi-state corporate environment. Several languages (legal, business, and technical) are spoken in this environment and each client must be able to understand what we can do. We need to understand the legal requirements, the business requirements, and the technical requirements for creation of a defensible, honest digital forensic report.
[eFM]: What’s more important in digital forensics - legal, technical or business requirements? How do you balance them?
[RB]: I think that a good investigator has to excel in the technical skills first. If she or he is good in the technical area, they might need the assistance of someone skilled in business and legal communication to make sure that reports and communications have the correct meaning. It is very easy for someone who has skills in any one area to write or communicate with words or phrases that are difficult to understand by someone in another area. So if the investigator knows her or his own skill set, they should ask someone with the other skill sets to assist.
[eFM]: On your web page, you mention many services, but very generally. It sounds like you can do everything within digital forensics.
[RB]: Our web page does cover a lot of ground. We can do imaging and data collection on a wide variety of digital media in a forensic manner. This means that the process is repeatable and is documented at every step. We have specialized tools to analyze digital media from Windows systems, Apple systems, and mobile phones of many flavors. We can discover passwords and recover data from damaged files. We also have a business relationship with DriveSavers. DriveSavers can recover data from physically damaged digital media. Or if a user or company wants to take those computers out of the closet and recycle them, we can wipe the hard drives so that no critical data will be recoverable. We can also give training for digital forensic teams and make recommendations for hardware or software to meet their needs.
[eFM]: What is DriveSavers? Can you tell us more about it?
[RB]: DriveSavers is a data recovery company located in Novato, California. For over 30 years, they have performed data recovery on every kind of storage device including hard disk drives (HDDs), solid-state drives (SSDs), smartphones, tablets, USB flash drives, camera cards and enterprise-level devices like RAIDs. They handle every kind of data loss situation including mechanical failure, physical, water and fire damage, data corruption, file deletions, head crashes and more. They do all of their work inside a dust-free and static-free cleanroom. Think of it as an operating room for damaged drives. We are proud to be business partners with DriveSavers.
[eFM]: What is the service that is the most popular or needed?
[RB]: The most popular service we offer is imaging and data collection from hard drives, USB sticks, and mobile phones. Most of the time, after the data is captured, some kind of analysis is requested. As hard drives and phones continue to increase their available storage space, these analysis tasks can take several days. Although we have very fast machines, the complexity of the analysis tasks is always increasing. In short, no two days are ever the same!
[eFM]: Recently there has been so much going on in the security field. So many attacks, new threats, new types of intrusive software. It had to bring you a lot of new clients. Who are your clients? Mostly private people, companies or half-and-half?
[RB]: Our clients do not come to us as a result of an attack or a threat. They come to us to find out what happened on a computer or phone. Our job is analysis of the information and to present it in a clear and concise way so that our clients can understand it. Our clients are small businesses, accountants, and sometimes individuals who have heard about what we do.
[eFM]: You have huge experience in digital forensics. Why did you decide to go in the IT security direction many years ago? I suppose it wasn’t a very popular and well-known industry?
[RB]: I worked for a Fortune 100 company and I have always been given interesting and challenging assignments. There was a time when I had lots of questions about the security and configuration of my laptop – so I asked the Information Security team lots of questions. I think they got tired of my questions and called me up one day and asked me to join their team. I joined their team and have not regretted it for one minute. They were, and still are, very passionate about what they do. They always took the time to share their insights and why things were done the way they did them. Now that I am a part of Digital Forensic Services LLC, I have met many people from different companies, from academia, and individuals who share that passion.
[eFM]: What do you think makes or breaks a digital forensic specialist?
[RB]: I think the most important quality of a digital forensic specialist is that she or he, once they get a problem, stay with it until it is resolved. They exhaust all avenues in order to find the answer. Persistence, tenacity and a passion for the challenges of the job are keys to success.
[eFM]: What makes you so passionate about it? What inspires you and gives you a feeling that what you do makes sense?
[RB]: When I look at the definition of the word passion, “a strong feeling of enthusiasm or excitement for something or about doing something”, I feel that describes what I do. I like complicated tasks, I like to take things apart and put them together in new ways. I have always liked to learn more about computers – especially what makes them run – or what makes them crash. I also like interacting with people. I can do all of these things in this field. If business is slow there are always lots of things to explore – clustered computers, programming in Python, or even upgrading one of the computers in the lab. If business is busy, the hours go by with enjoyable tasks.
[eFM]: There have been many cyber security and digital forensics companies appearing on the market. What do you think about it? Do you feel threatened? Is it a trend or is there a big need for more and more of them?
[RB]: The cyber security and digital forensics fields are large and overlapping areas. There have been times when we have had to look at a computer that might have been hacked. We need to know what to look for on a computer or a phone so that we can make an accurate diagnosis of what, when, and how that happened. We need to know about cyber security not only from the perspective of our own business, but also in our personal and family lives. I think that the fact that these new companies are being formed is a good thing. First, because I think the market is very large for companies like ours, and second, because the public is becoming more educated to the need for forensic services – especially small and medium sized companies who do not have a digital forensic department. We do not feel threatened and would like to encourage startups to feel free to ask us questions about technical or training issues. We would be glad to assist.
[eFM]: What do you think will happen this year? What will be the target of attacks? Will we have another huge scandal like during the Ashley Madison hack last year?
[RB]: I think that for 2016 the outlook is unpredictable. Almost every week a new organization has been hacked. Ransomware is turning into a multi-hundred-million-dollar business in the U.S. It is relatively easy to harvest information from social networks and then use that information to send emails or links to people they know are interested in a particular subject. We are seeing more targeted attacks. The writers of this malware are getting better at what they do. There needs to be continued sharing about the methods of these attacks and ways to avoid them.
[eFM]: Do you feel that the current level of collaboration within the field is enough for that?
[RB]: I do not. There are a number of terrific resources available for the digital forensic investigator. One that comes to mind is Forensic Focus (http://www.forensicfocus.com/). There are also listservs. These allow anyone who is a member to ask questions of any other member. Some require membership and some are free. By going to this site, http://www.forensicswiki.org/wiki/Mailing_lists, it is possible to see many of these listservs.
Another resource is digital forensic conferences. These are good for networking, vendor and product awareness, and education. A list of upcoming events can be found here: http://www.forensicswiki.org/wiki/Upcoming_events#Conferences.
And last, there are two types of education – vendor neutral, and vendor specific. Vendor neutral courses teach the ideas behind the GUI (graphical user interface) found with many of the largest software vendors’ products. They answer the question “what is going on behind the scenes when I push this button or click this checkbox?” Vendor specific training stresses product knowledge and sometimes certification. They can give deep knowledge of a specific forensic tool. Both types of training are excellent opportunities for collaboration. A list of training providers, vendor neutral and vendor specific, can be found here:
To answer the question, collaboration benefits practitioners in the field, and also students and people just starting out. There always could be more.
[eFM]: Are there any challenges your company is facing at the moment? Any plans for the future?
[RB]: The challenges are some of the same ones that any IT organization faces. We need to keep up with current technology through computer hardware and software upgrades, training, and membership in professional organizations. We also need to be aware of the resources on the web, particularly those dedicated to digital forensics. We need to always network and establish new relationships in this field. We need to assist the students who are just starting in this field so that they will know what questions to ask and how to get the answers.
Since we do not work in the same office, we need to keep communication open between us and our customers. Small companies can excel in customer service, and we must work at that all the time.
Plans for the future include being aware of new business opportunities, continuous training to keep up with new technologies, and assisting our present and future customers to the best of our ability.
[eFM]: Could you give a piece of advice to our readers?
[RB]: Actually, I could give two pieces of advice. The first is that once something happens on a computer that you think might end up in court, do not attempt to “investigate” yourself or have your IT team do it. There are special forensic processes that should be followed so evidence is not damaged or overwritten. Documentation and standard processes are very important here.
The second is that everyone should know that whatever is done on a computer may be there for the life of the computer. Don’t do anything that you might have to explain to someone later.
Thanks for the opportunity to speak about our business and about myself.
Richard L. Bunnell is a co-owner and a digital forensic investigator of Digital Forensic Services, LLC, a full service digital forensics firm that provides imaging and data collection, analysis of digital media, decryption, data recovery, media wiping, and training for private and publicly held organizations. Mr. Bunnell has extensive experience as a digital forensic examiner for the MassMutual Financial Group, is a founding member and previous chapter president of the Connecticut Chapter of the High Technology Crime Investigation Association, and has done digital forensic team building and training to enable him to be an effective investigator, trainer, and presenter.
He has held the following certifications: GIAC Certified Forensic Analyst (Gold), GIAC Certified Incident Handler, GIAC Reverse Engineering Malware, and AccessData Certified Examiner. He also is qualified as a Cellebrite Certified Logical Operator, Cellebrite License 2034982000, and a Cellebrite Certified Physical Analyst, Cellebrite, License 20204982000.
He has earned a M.S. in Economic Crime Management from Utica College, a M.S. in Computer Science from Rensselaer Polytechnic Institute, a M.S. in Education from Central Connecticut State College, and a B.S. in Business Administration from the University of Florida.
He owns several LinkedIn Groups, of which the main ones are Reverse Engineering and Malware Research and Digital Forensic Hardware.
He has a passion for digital forensics – whether it is discovering the contents of digital media, recovering a crashed hard drive, teaching an intern basic forensic concepts, or using specialized forensic tools to slice and dice forensic images to meet the needs of his customers.
He has managed a digital forensic lab to ensure that its software is current, patches are installed properly, forensic software is installed to meet its hardware and software requirements, and the examiners have the tools they need to efficiently do their jobs.
Digital Forensic Services, LLC wants the best for its customers – best practices, consistent documented procedures, current software, best use of hardware and software resources, and most of all, an ear to their suggestions and comments to continuously improve whatever we do.