WyzGuys Tech Talk

This interview is from eForensics Magazine.

Interview with Gerard Johansen

Gerard Johansen is an incident response professional with over 15 years’ experience in areas like penetration testing, vulnerability management, threat assessment modeling, and incident response. Beginning his information security career as a cybercrime investigator, he has built on that experience while working as a consultant and security analyst for clients and organizations ranging from healthcare to finance.

Please tell us a bit more about yourself. What are your background and current job responsibilities?

I became interested in cybersecurity during my undergraduate studies. I had the opportunity to take a good amount of coursework in IT and security at a university that had a really solid cybersecurity and information assurance program. I ended up leaving college and went into law enforcement, where I spent a decade in a variety of assignments. After leaving law enforcement, I transitioned to cyber security, working in enterprise and consulting roles. Right now, I work at Red Canary, a Managed Detection and Response company. Currently, I am working with a small team to develop additional products for customers to help them prepare for cyber incidents.

How did you get started in digital forensics?

The bulk of my law enforcement career was in computer crime. My first exposure to digital forensics was through a class held at the police academy. This was at the very beginning of cybercrime investigations, and I recall having to reconstruct FAT16 and FAT32 file tables along with other tasks that have now been either automated or entirely unnecessary. When I was assigned to the cybercrime unit, we went through extensive training in investigating cybercrime and conducting digital forensic examinations.

What is the most important contribution you have made to this field?

Authoring several editions of a book on digital forensics and incident response. My goal was to condense a good deal of what incident responders and digital forensics practitioners need to know in order to be effective at investigating incidents. When I started outlining the book, there were a lot of resources spread around but only limited written material that combined these into something digestible in a single location. It is my hope that readers are able to take from that and bring it into their own research or their daily role.

What would you say about digital forensics to someone who is unfamiliar with it?

The one thing that I really love about this field is that a good deal of resources and tools are free, or at least freely available to those that want to get their feet wet in digital forensics. There are commercial solutions but if you are trying to gain some knowledge through your own research, the only thing you will have to spend is time. Another key aspect that is related to this is that Digital Forensics is constantly evolving so it is imperative to keep researching, studying, and practicing with new tools and techniques.

Before entering the field of Digital Forensics, what competencies should our readers possess?

Understand how the Windows, Linux and MacOS operating systems work from an internals perspective. Even something as simple as grabbing an A+ book and the Windows Internals book will go a long way to understanding the core concepts of computer forensics. When looking at network forensics, having a good understanding of network protocols and architecture helps as well. In my experience, individuals that have a solid foundation in IT functions, such as help desk or security operations, need just some additional training in the core digital forensics concepts and techniques and are generally able to be effective in a short time.

Would you recommend any certifications to novices to help them improve their understanding of Digital Forensics?

There is a wide range of certifications out there but for the most part, the SANS DFIR certifications are really the gold standard in digital forensics. They may be cost-prohibitive for a lot of people but there are scholarships and other programs that cut down the price considerably.

Are there any skills in digital forensics that are in high demand right now?

The skills that are in high demand are those that can investigate and respond to ransomware incidents. Those that have the ability to keep up to date and apply the latest tools and techniques to this threat do very well.

What are the biggest challenges investigators face in the digital forensics world?

It is funny, when I first started this career, there was a shortage of data to pivot off of. Now, we have too much. I recently was playing in my home lab and fired up an event collector to SPLUNK. In less than 30 minutes, I was inundated with a whole bunch of event logs from a single Windows 10 system. Mind you, I had really turned up the logging, but this shows how DFIR practitioners can quickly find themselves drowning in data if they do not know where to start.

The second biggest challenge is the speed with which threat actors are able to conduct attacks. This forces DFIR personnel to accelerate their processes to get the key data points to decision-makers fast, which is often the opposite of the deliberate approach that DFIR follows.

What are the most desired digital forensic techniques and tools, according to you?

Pivoting off the last question, the key tools and techniques that should be a focus area are those that can handle evidence triage. Using remote evidence capture from an EDR tool or something like Velociraptor combined with Kroll Artifact Parser and Extractor is invaluable when you are triaging systems or trying to find key data points quickly in the vast array of data sources.

Please tell us more about your book “Digital Forensics and Incident Response”?

The third edition was recently published. There were some major additions to this volume from the last with an increased focus on investigation methods and ransomware. I also added several new tools and cut some that were no longer supported. What I wanted to give readers was a solid overview of not only digital forensics but the overall incident response process and how investigations and forensics help decision-makers understand the nature of the threat.

Could you describe what skills our readers can gain after reading the book?

The main skill that I wanted the reader to walk away with is an understanding of how digital forensics fits into an incident investigation and how that can be beneficial to the overall response process. Second, I wanted to give the reader a core set of technical skills around evidence acquisition and analysis that they can bring to their own research or their own day-to-day security role.

Let us know why your book is so unique and worth reading.

I am a bit biased, and really it is the reader that makes the determination that the book was worth their time. As an aside, every so often someone hits me up on LinkedIn telling me they liked it and it helped them. That is always great to hear. I would say that I set out to provide the cyber security practitioner with material that they can take from the page and use in the real world. I also focused on a range of tools and techniques that covers everything from malware analysis to memory forensics and examining network traffic. Overall, it is well-rounded, providing a wide range of tools and techniques.

Are there any new digital forensics technologies that you are excited about?

One aspect of DFIR that I have just started to peel back on is working in the cloud and how DFIR practitioners can leverage cloud infrastructure and applications to acquire evidence and even conduct analysis. I can be in New York City and give an organization in London an agent to deploy on a potentially compromised endpoint, collect the data and collaborate with team members all over the world. While this is not a new concept, the pandemic has forced many to get creative with solutions that allow us to collaborate and conduct analysis from anywhere on systems anywhere.

When you are not busy with your work, what do you like doing in your spare time?

First, I am really into the outdoors. Right now, I am just east of the Black Hills of South Dakota, which is a beautiful area. I have also studied martial arts for over 20 years, and I continue to study. When it is a slower time, I am a huge history buff and enjoy reading nonfiction stories.