Michael van Rooyen:
0:01
Here is part two of my discussion with Darren Hopkins, partner at McGrathNicol. If you missed last week, I suggest you have a listen to that. First, I just want to talk a little bit more again around some of the digital forensics quickly, because I think that’s very interesting. I certainly appreciate your point on getting the ability to mitigate early, get insights, get views etc. But for those listening, can you just explain a bit around the kind of digital forensics you do, maybe even give an example of the kind of work you guys do from an interesting point of view, and how critical it has become for how to mitigate and help customers get out of the problem, and really what part the digital forensics plays in helping customers?
Darren Hopkins:
0:44
Yeah, it’s still a really important part of our business and it’s where we came from. We’re sort of proud to actually have a group of really talented digital forensic professionals who do those things. It’s a different discipline in that it’s highly technical. It’s one of these things where you have to really know the underlying technology you’re dealing with, and generally there’s no tool with a find evidence button. There’s a few of them that help us in our job, but it still relies on a few things. It also relies on an investigative mind to do what you’re doing, so a lot of the work we do in that space would often be either connected to misconduct or other investigations into issues where the technology is really relevant. Often we’re working for lawyers or for a court process as well, and it may be a litigation where you’re supporting. A really common type of work that we would see would be something as simple as an intellectual property theft. Many businesses have seen where, as a business, you build up some intellectual property that’s really important to your business, maybe even just a list of really important clients and pricing models and a way you approach your market that makes you successful, and somebody in your business decides that they could start up their own business and it’s not that hard, and maybe assumes that because they’ve been working with you or for you for the last so many years that they’re entitled to some of that as well, and often goes off and leaves and starts up in competition. Now you can’t just go off and do that and take all of that work, product and effort from the first business to start your own up. Yes, so we often get called in to sort of, well, help us just to prove that this has happened. You know, we think this has happened, we’re pretty sure it’s happened.
Often they know because clients ring them up and say hey, I’ve just had a mail out from an ex-person and they shouldn’t have my details, but they seem to.
Darren Hopkins:
2:18
The digital forensic side enables you to collect evidence from devices to prove those certain things, and often what we’re doing is relying on evidence that’s on a computer designed for a different use, but we’re interpreting it in a different way. So a classic example is I want to know if someone stole some IP and transferred it to a USB drive. That’s the number one question. How do they get this stuff out of here? Do they email it to themselves, do they drop it into a Dropbox or do they pop in a USB? Computers don’t keep a track of every file you copy to USB and have a lovely audit list for you to look at. I wish they did. I’ve been asking Microsoft to do it for years. They haven’t. So how do I work out what was stolen? That’s the first question, and what you have to use is a whole bunch of different artifacts that the computer has to tell that story.
Darren Hopkins:
2:59
So when you plug a USB in, the first thing that happens is it looks at the make and model of that device, and it works out that I need to load a driver to open that USB up so you can see it. So in the background there’s a driver that is found and loaded and runs, and that device comes on, and the registry, which is the database on your computer to keep track of settings, it’ll go, hang on, you’ve just loaded a new USB, I need to keep a track of that so next time I can do that. So there’s a registry store for the USB and it will keep a track of the make, the model, the serial number, when you first connected that USB and the last time you connected it, and it’ll even quite often tell you the last drive letter that was assigned to it, and it’s just a database keeping a track. Sure, so I now know the first and last time you plugged that USB in, and sometimes I can even tell the multiple times you’ve done that, and I know the make, model and serial number. Great.
Darren Hopkins:
3:47
I then go off and have a look at something like link files, so shortcuts. You know, every time you create a shortcut on your desktop, or you open up Word or Excel and you’ll see the last 10 documents you’ve looked at, yes, the way the computer does that, in that folder, is just a link to where the document really is. But in that link file, when you look at it at a binary level, it has other things in there. It actually says, well, this particular link file goes to this device, which might include the device’s name, and it will also go off and tell you where it’s connected. It’ll give you a volume serial number and it’ll also go off and give you the file name. It’ll give you two sets of dates and times: when you opened it, and the dates and times on the document itself. So that’s helping me build a plan. And then we might look at something such as a shell bag. And it’s another weird concept. If you open up a window, if you’re a clicker like me and you like to double click on My Computer, then C drive, or go to your Documents folder and have a look in there.
Darren Hopkins:
4:46
Each time you open up those windows it displays things in a way that you remember. I like to use detailed lists, I don’t like the icons, so when I open it up, I want the window to be a certain size and I want to see the documents in a list. And it remembers that. The USB store, when you plug it in, creates a shell bag entry in the registry that keeps a list of the way you want to see that folder. And, lo and behold, it keeps a list of what was in that folder. Oh, wow.
Darren Hopkins:
5:09
Now when you take all of those artifacts and pull them out of databases and registries and log files and settings files and merge them together, what I do is I know that you plugged the USB in on this date and it was assigned D drive. And then, when having a look at D drive on that date, I can see there was a list of files on that drive, and I can tell you that they were USB and they’re external to this device. And you unplugged it, and the make, model, serial number was X. Wow, pretty powerful evidence. And then to take that to someone and say, well, this is how you copied the files and I’d like to see that USB delivered back to our client, please. Wow. And that’s one of many different examinations where you’re pulling data from a computer that’s used for different purposes to tell a different story. And it’s one of the exciting things about digital forensics, and it is trying to find those little snippets of things that are quite relevant to telling something different or proving something’s occurred.
Michael van Rooyen:
5:56
Yeah, look, I’m just getting excited listening to it. I mean, people don’t think of that, but that’s what you guys specialize in. Would it be fair to say, looking at your history of the 20 plus years where forensics started, compared to how well we’re connected now with these machines, that there’s so much more digital fingerprinting on everything, so you can easily build a better case to work out what’s happened?
Darren Hopkins:
6:14
Yes and no. Some of the good old-school Windows-type artifacts have been disappearing as Microsoft, in their infinite wisdom, makes their operating system better. One of the issues in digital forensics is it’s often point in time: I’m looking at what happened and I’m looking at what I can see right now, and some of those artifacts will be lost. I only see what’s there now. One thing that we are now starting to see is this convergence between the digital forensics world and the security world. I get excited in digital forensics when I know that the client has a SIEM. Yes, so they’re shipping all those log files, they’re shipping all that data, all of those telemetry events, into a SIEM and a database, and you can go back far, far further and you can actually start to trace other behaviours and activities and components as well, and merge those two sources together to really tell a story, especially with the online stuff as well. But one thing that has happened is that there’s better tools for us.
Darren Hopkins:
7:06
We’re now dealing with devices such as phones. Yes, so a lot of our digital forensics has moved to mobile devices, and in the past we were a bit more careless when it came to it: I’ll send myself an email or I’ll talk to someone in email about the bad things I’m doing. Now you’ll text each other or you’ll jump into a WhatsApp group and have a chat there. We still get access to those devices and we’ll still interrogate that evidence. It’s just a little bit more difficult and uses special tools to do it.
Michael van Rooyen:
7:33
Right, if I think about cloud computing, then, if we just pivot slightly: is it getting harder now that there’s so many things put in the cloud? Is digital forensics even harder now that a lot of people are shipping stuff, you know, into cloud environments, or is it still kind of on par with what you do today?
Darren Hopkins:
7:48
If they use a computer, there’s still often some evidence of what they’ve done. All those cloud repositories for storage, you still have to go to them or connect to them or have something to copy something to. But pure cloud now, where everything’s sitting there and your data’s there, it’s different. We’ve had quite a few breaches which are full cloud breaches in various platforms. If someone gets into a bucket and then steals data from those things, it’s a very different approach. But ultimately it’s just understanding where the data sources are.
Darren Hopkins:
8:20
One thing that cloud has done is that there’s generally really good logging and auditing and data behind the scenes to rely upon, and often there are teams to support that. What I have seen, which is disappointing, is that clients sometimes like to not turn that on. So on a Windows computer it’s on generally by default. You know, a registry you can’t hire to stop. But you can go into an AWS instance and not turn on GuardDuty logging, or not want to keep your logs for more than 30 days because you don’t want to incur the costs. Sometimes that’s a poor decision when it comes to an investigation that happened six months ago.
Michael van Rooyen:
8:53
Absolutely, absolutely. Would it be fair to say that, I know there’s a lot of threat actors externally, we’ve touched on that, but what’s the balance of internal threat actors, disgruntled employees leaving? Is that still one of the big seeds of some of these issues?
Darren Hopkins:
9:05
On the organised crime side, it’s still very much overseas threat actors that you see coming in. In the last 12 months I have seen more insider threats that are real in the cyber world than I have in a long time. I mean it’s Australians that were the ones that were doing something that you would expect someone from an Eastern Bloc country to maybe have done using malware and collecting data and doing other things, which is concerning. We see a lot more interest from organized crime groups to recruit insiders to help on what they do. It’s so much easier to break into a network if someone gives you the domain administrator username, password and an MFA. There’s big money for that and you can see on the dark web people trying to recruit and offer rewards for domain admin access on this particular type of industry. If you can give us those things, we’ll pay you a couple of hundred grand. I mean serious money.
Darren Hopkins:
9:59
And then I think about all the businesses where I think our own employees. Maybe we think we’ve got comfort, but how many contractors do you have that you’re not really sure about their loyalty and will they be here for very long? And would that risk of giving up those creds be something that we consider and we still see a lot of insider threat around the general risks to the digital forensic type investigations that we’re just talking to as well, and the economy drives some of that behavior. When the economy struggles, people will sometimes make poorer decisions around what they think is appropriate. If someone’s known about a vulnerability in a finance platform for a long time and they know that they could probably pay themselves an invoice and get away with it, if times are good and they’re happy and comfortable, they tend to like not do anything about it or even, hopefully, tell someone about the issue. When times are really tough and people are struggling, you’ll start to see people just having a go and it’s disappointing, but it’s human nature.
Michael van Rooyen:
10:51
Of course. Of course, that’s a really, really interesting data point. So would it be fair to say that you’ve seen a bit more activity now because people are going through a bit of a tough spell with the economy and this is more of a global question, I guess. Are you seeing any of that evidenced?
Darren Hopkins:
11:02
Yeah, certainly. As a firm, we have a really good investigations team that deals with the corporate corruption and other things as well, certainly seen an uptick in the poor behaviors and frauds. We’ve also seen a few matters where people are harvesting credentials of colleagues and things like that, and you have to understand. We have to ask the question well, why and why are you going to do something like that to try and monetize it internationally? It doesn’t make any sense, but we’ve seen more of it. Hopefully it’s not just due to I’m not saying we’ve got the poor economy at the moment, but cost of living is not what it used to be, of course, and, as you said, it’s human nature, right, unfortunately.
Michael van Rooyen:
11:47
Two other things you touched on there: there is a really clear message about SIEM and logging, because that really is the starting point of reducing some of these things happening. Visibility, right, really getting key visibility. You touched on MFA briefly as part of maybe someone paying for someone to use their MFA. Have you seen a big impact in MFA really slowing a lot of these things down? I mean, obviously more and more people are adopting MFA. More and more applications are. Some people don’t turn it on, which is a different discussion, but have you seen that really make some dent in reducing some of these incidents?
Darren Hopkins:
12:08
Oh, absolutely. It used to be called our silver bullet. It wasn’t MFA, it’s a silver bullet to stop losing access to your accounts. At the moment, some of the incidents we’re dealing with, it was no MFA, I mean single factor authentication, and someone lost their account. You’re sort of leaving it to be attacked, and if you don’t have some software or technology or capability to monitor those attempts, that’s really hard to work out. I even see the attacks start to sort of reduce, and you can see the efforts that threat actors put into it.
Darren Hopkins:
12:31
MFA absolutely had a great impact on reducing the amount of people coming into platforms just with the username and password. And then what we saw is the threat actors counter with great tools like Evilginx, which are designed to steal that MFA token. And then they pivoted and adjusted the way they were attacking us to not only get our username and password but also to get that MFA piece. And that was a clear change in the way that the threat actors have their business model and their playbooks to counter the security we’re putting in place. Then you see players like Microsoft once again go off, you know what? Okay, we can fix that. Yes, and we’ll put in, you know, single session, can’t be shared tokens, and you can’t do that anymore. And the cat and mouse game that you’ll see played is interesting. Yes, but those core technologies that just make you safe, if you put them in, they work, yes, and they reduce the risk enormously.
Michael van Rooyen:
13:19
That’s a really good point, right, and I think you’ve touched on it a couple of times. There are some fantastic tools out there and some of them don’t actually have to cost a lot of money. Things like MFA, you know, are fairly low cost and are even provided by certain applications and services, you know, really use them, right. Is your point there to say you know you’ve got this ability to reduce your risk exposure, personally and business, right?
Darren Hopkins:
13:38
I think you should even go a step further. If you have the tools at your disposal, and even if most of them won’t cost anything (I think MFA is included in every Office 365 license through the security essentials package that you just get), it might not be as easy to configure and maintain if it’s at the basic level, but it works. If you elect to not turn on the technologies that are inherently available to you, that everyone would say will benefit and secure your platform, when something goes wrong you’re opening up a very, very clear opportunity for someone like a regulator to hold you accountable for not doing enough, because the tools were there, the knowledge was there and the intent is that you keep this stuff safe and you’ve just decided not to do it. Yes, and if that’s the case, you should feel that you are going to be hit pretty hard with that stick, of course.
Michael van Rooyen:
14:22
Of course, just a few more questions I’m interested to talk about. What are you seeing as some of the emerging technologies that you believe will impact digital forensics and cybersecurity, and maybe how could businesses leverage them?
Darren Hopkins:
14:37
At the moment, I think we’re all sort of focused on that one crazy two-letter word, AI, that is impacting many of the things that we’re doing. I know I enjoy sort of doing a couple of searches each morning to see what the latest AI app is, how someone is using or misusing AI to support what they’re doing, and there’s some incredible advancements there. On the defence side, I see what the security companies are doing with AI to improve the ability to respond and detect cyber incidents. It’s incredible how quickly AI has adapted the core technologies. We have to just be better and faster. Some of the technology that we use in incident response, we’ve now got AI embedded in that technology, and we can go off and actually ask it questions on how to actually do things better.
Darren Hopkins:
15:17
So how would I go off and look for evidence of a nation state threat actor in this network if the nation state was X? The technology will come back and say, well, this is how you do it, and do it well, without me having to work those things out. I mean, those are things that make us smarter and faster in our job. And then you’ve got that next level in the defence world, which is, well, rather than relying on all my SOC operators and all my people to look for alerts and understand what they are, let’s let the AI do that for us. It will determine what’s at risk and what’s not, based on behaviours and all these things, far quicker than we ever would, and then let our specialists deal with how do I deal with those things. So the real-time piece around being better to respond, and I can see all of those technologies coming in just to support our ability to detect, block and make it safe.
Darren Hopkins:
16:07
Unfortunately, threat actors are doing the same thing and they’re using the same technologies. Write me a brand new piece of malware that will just get around these particular types of defences or exploit this particular type of vulnerability, and so what they’re doing is they’re able to leverage and pivot vulnerabilities faster than they ever were able to, maybe quicker than we can actually come back with a response. Right, and certainly the social engineering side of the world has gotten harder. Now, I sort of started this. You know, in the old days, threat actors couldn’t spell Google correctly and it was really obvious. Now we’re having a Zoom call with a person who’s a simulation, who’s not real, who’s having a real-time conversation in someone else’s voice, who’s trying to make you make a payment, and all that’s driven by AI and deepfake technology, and it’s really hard to pick up. And how are people supposed to actually counter that? It’s hard.
Michael van Rooyen:
16:52
It’s just continuing this cat and mouse thing, right? I mean, we’re using it to defend, they’re using it to work ways around it, and it’s going to be fascinating to watch how that evolves over time from an AI point of view and how else we use it. Being a leader, obviously, managing teams, and you’ve worked in high critical situations and bring people together, et cetera, et cetera. What advice would you give aspiring professionals who are looking into getting into cybersecurity or digital forensics? Everyone’s keen on it because everyone sees the movies and all that, but obviously there’s a lot of hard work behind it. Can you give some advice?
Darren Hopkins:
17:21
Yeah, there’s no such role as Abby from CSI, who can do all of those things. She’s an amazing white hat pen tester, digital forensic expert, and she also works in a lab and does DNA testing. She doesn’t exist, I wish she did, and she can solve a crime in 30 minutes. The reality is there’s far more education out there if you’re interested in this realm.
Darren Hopkins:
17:41
In the past, universities didn’t really have cyber courses. They all do now and they’ve all got quite good courses, and the industry qualifications that you can go off and achieve yourself, certifications, those programs are excellent. I hold a lot of weight for someone that’s gone off and done a certification as they start this, because it demonstrates they can do what they want to do, and we’re absolutely all recruiting at very, very junior levels. You don’t have to have a lot of experience. I just want to know that you understand the fundamentals. You do need to have a decent technical capability, because it’s hard to learn some of those things on the go, and you’ll get that through whatever you end up doing, as long as you focus on those areas and then be willing to continue learning. And that’s no different to any job, I guess: you’ll start by learning and keep learning, and I’m still learning. Cool, so just be committed to it.
Darren Hopkins:
18:26
The cool thing about cyber is that, and I sort of joke with my team all the time, you know, not all heroes wear capes, but we probably should. You’re actually working for a mission; we’re actually defending, we’re out there countering Russian threat actors and organised crime. How many jobs can you say that about? My day job is to defend a country against an organised crime group. That is pretty cool. And you’re actually helping businesses, you’re helping organisations, you’re helping people in your day job. Yes, and then, coming from a law enforcement background where that was the mission, that’s what our goal was to do. Being in an industry where you can still, in a way, play a part in that, it’s quite a fulfilling career to actually have. You look at absolutely beat, and it’s a really good point.
Michael van Rooyen:
19:07
You’re defending people and their livelihood right, effectively at a grassroots level. How do you see the skill shortage in this area? It’s always talked about. How are you struggling with that?
Darren Hopkins:
19:21
Yeah, I’m not sure if there’s a complete skill shortage. Sometimes it’s hard to get the right person for the exact job that you want. Often you have to be a bit more flexible to say I’m happy to retrain or to support or grow somebody into the role you have. One thing that I’ve noticed is security professionals, because there’s not as many of us out there, and it’s clear if you look at the university stats and other stats as to how many are sort of entering this market, we don’t have enough females in our industry. We’re so, so short on good professionals in that space, and I’ve talked to universities about why, and we’ve got to do better to get more girls into our teams.
Darren Hopkins:
19:51
I’m lucky I’ve got a team which is very, very evenly balanced and I’ve got some incredibly smart people there. But it is a smaller team, and people accelerate their careers quite quickly when they’re good and can be an expensive resource to acquire. I know for some small businesses they would love to get some security professionals in, and quite often they look at what they need to pay and it’s just difficult to manage that. So I don’t know as an industry how we counter that. I think it’s going to be allowing more junior people in quickly and acknowledging that you don’t have to have 10 years’ experience to do a security job. You can absolutely be effective at a lower level, and probably better skills training across the board to acknowledge that.
Michael van Rooyen:
20:31
Yeah, fair enough too. As we wrap up, reflecting on a career, what’s been some of the most rewarding experiences, and what continues to motivate you? Is it that, you know, protecting people, or anything outside of that?
Darren Hopkins:
20:44
Crazily enough, I still get a buzz out of a crisis.
Michael van Rooyen:
20:46
I don’t know why. I’m living someone else’s crisis every day for a long time. Yeah, it’s a weird adrenaline rush.
Darren Hopkins:
20:54
There is something about being able to come in and being part of a team to solve and protect. If I look back, way, way back in the early career, at the end of my career, a lot of that was working with the teams in the child abuse teams or the child exploitation teams around protecting our kids, and that was incredibly important back then, to be able to, you know, demonstrate that you’re doing something that has meaning. I think we all look for that in a career. Now I still see, and often come away from a job where I’ve helped maybe a smaller business come out the back of something where they can recover and continue trading and business and continue to move forward, or protect a bunch of people’s identities. Any of those things help, and it’s an industry that’s continually changing. It just doesn’t stop giving you something new to learn.
Michael van Rooyen:
21:43
That’s quite, quite fun, even at my age. Yes, motivating, motivating, and Darren’s fairly young, by the way, for those listening; he’s done playing how old he is. Look, I know you touched on quite a few important points, boards and approaches, everything like that. Just to close out, is there a final key message you’d want to leave people listening? I know you’re very passionate about the space, about helping people be protected and looking after businesses, et cetera. Anything you want to summarise as a key takeaway for them around cyber and forensics and protecting themselves?
Darren Hopkins:
22:14
If you, as a business or organisation, are only just starting, the fact that you’ve started is important. Don’t stop the journey to becoming more resilient and secure. It’s really important. I’ve seen what happens if you don’t actually invest and take this threat seriously. The other thing that McGrathNicol does is we’re a firm of two halves, and the other half of our firm is one of the preeminent restructuring and insolvency firms in the country. I don’t want you to meet those guys, quite clearly, because if you get to meet that team, it means something has gone terribly wrong. Literally. My only advice is it’s never too late. Start now, understand where you need to start, build a plan and start doing something about it, and understand that this is a business risk, it’s no different to any other risk that you deal with, and just make it part of the DNA of the business, and then, if you make it really hard for a cyber criminal, they’re probably going to move on. Yes, so don’t leave yourself exposed.
Michael van Rooyen:
23:08
Fair enough, fair enough. And then the last one that I’d like to ask all participants who I get a chance to interview is: can you tell me about the most significant technology change or shift that you’ve been involved in or seen in your time doing this? And that can be anything. It can be pretty broad, right? I can give up my age at this point, to be honest: I actually got to see the first mobile phones.
Darren Hopkins:
23:28
I mean, I was one of the lucky ones that had a mobile phone in a bag, right, which there was a battery which weighed about, I don’t know, five kilos, and then a handset, and then when I finally progressed to my brick, which you’ll only see if you go off and Google search, you know, large brick phone, you’ll see what I mean. And there’s a few early movies that used to have them. I was pretty cool back then to be able to have something which was about the size of a brick, yes, yes, as my mobile. But I mean the shift to mobile was an incredible change. That happened very, very quickly over a few years, where we were in this world of big tech, large infrastructure, and to these personal devices that now we just take for granted.
Darren Hopkins:
24:10
That phone that we all have and that we all use has more capacity and capability than whole file server rooms and huge amounts of infrastructure I used to look after when I started, and it just blows me away. And the next five to 10 years, anyone in our industry, you have a look at what AI and the other tech advancements we’re seeing, and the minimisation of technology still, and I was watching the new robots being marched out by Mr Musk and his team and how incredible, in two years, they’ve transformed that piece of science. And I think his last thing is that he expects that within a few years’ time you’ll be able to have your own robot for about 30 to 40,000, he said, about the same cost of a car. But this thing will do anything else you want to do, and that’s ahead of us in the next short amount of time, and it’s pretty exciting to see that, you know, when our overlords take us over and we’re just minions to the AI, that we got to see it.
Michael van Rooyen:
25:07
Yeah, correct, we’ve been able to live the journey and send it from Cinebop. But I really do like the mobile phone. I think people have misappreciated what that really meant for us, right, and the ability to, as you said, use this device for so many things. It really has changed the world, and even if you look at a few movies and even TV series that aren’t that old, really, you know, you don’t see them using that, right, using phone booths and being able to, not even just, we just consider it as standard, right. So I really like that one. Darren, really appreciate the time today. Thanks for the chat, very, very insightful and, yeah, thanks again. No, thanks for having me, it was good. Great.