question to, um when did decide to go from working on a file format? Thio Actually, a commercial product. Like what?
You know, you were working on this kind of academic situation and then yet
just jump us so well. So we did. We did the original effort for research and paper in about 2009 and being being out there in practice full time really brought things sharply into focus for me.
Um, specifically the problems that we were facing at the time. So
in the early this decade, we were starting to see the driver's getting larger than a terabyte. We were
dealing with imaging terabyte drives of U. S. B two, which for those of you walking to server rooms is still a problem that we run into on occasion. They haven't really lived until you've spent 20 some hours doing that.
Yeah, literally days. It can take t copy hard drives. So I was out in the field doing large scale acquisitions on the first problem that I was. The first question that I asked myself was, Why can't this go faster?
I always I was going into into environments with a stack of live see days like these? Yes. Stack pre prepared USB drives like
the Like these? Yeah, and is going from computer to computer, setting them up and getting them copying.
and then the that was a real trick to I mean, you were essentially distributing by hand.
Yeah, Yeah, exactly. Um and that that was that was really the only way Thio quickly get through that many computers. So, you know, if you're spending four days solid
2 p.m. or sorry to, I am in the morning in server rooms,
trying to acquire an entire company worth of pieces and service.
That was really the only way,
at the Thai, we were just we were focusing mainly on on hardware tricks to make it faster,
you know, because the formats were just the formats, right?
So, you know, you were going with, you know, trying to use faster fire aware, And can we use thunderbolt for this? And you know, what's the fastest status speeds we can get? And you know what happens if we write to, you know, you know, flash drives and, you know, raids and just every, you know, every silly thing we could come up with trying to improve the speed.
Yeah, and I think there's a lot of learnings that you get through three going through all that, um,
the thing that the next step that we did was starting to
rather than doing full acquisitions off the computers in the field. We were sort of taking me to the triage approach where,
um, we would look at a computer and then we were using the linen ante F s, um, programs. There's a program in there that lets you create a
allocated only image of a off a hard drive. So we were doing things like,
in essence, creating Justin. Justin allocated clone off the off hard particular hard drives, pulling that the original hard drive and walking away with that and then dealing with the imaging back in the lab but leaving them with a fresh, hard drive that still worked to all intensive purposes like the original.
So that's kind of what led me toward the idea of off of allocated only acquisitions that you see these days and every metric. Sure, here, I'm kind of so that that was that was the world that I was in there. So the question that I asked was, What are these bottlenecks? Why are we going so slow? We've
at that point multi cool was starting to be a thing. So we were starting to see new C P is coming out with two and four et cetera, drives who was starting to get you a high speed us bay three,
coming through. So there were these high bandwith interconnects, and we did have the CPU. So that's what really drove me to start playing around with
identifying where the bottlenecks work. And
the interesting part of doing that was was really coming to the realization that actually, it wasn't hardware issue. It was a software issue. Um, and that, uh, ultimately,
um, the main problem that we were hitting with using raw Oreo one. Well, men probably eating with the Owen was the slow speed of compression and hashing really it,
um and then the main probably hitting with role was just the was was hashing on just the the
amount of time that you waste copying zeros from one device to win, right? There's the sheer iose.
It was not good.
so that it took us a while of off tooling around in in in in spare time to kind of get to a point where we thought we had proof of concept.
Andi was probably 2015 by 2014 2015 by that time,
and decided at that point to commercialize it and had a beta program and showed a few people around. It's, um, some conferences
on and we finally did the final launch in 26 states.
Yes. And say, I think I saw you at the SDF con.
When was that? 2016 to 2016
16 or 17 year? Yeah.
And I think was 16 maybe
And I don't think I fully got a time. And then I want to say 2017.
Um, I'm constantly reviewing tools, right? It's just, you know,
you have to always looking for the next thing. Anything that'll make it a little bit better.
And I remember stumbled across the website getting on. I remember this guy
and then then, you know, seeing some of the test stuff we're going.
Wait a minute. I don't believe that that that can't be riel.
And, uh, yeah, they just went from there, so
So So So you just
decided like, there's there's a commercial market for this. I'm just I'm just gonna do this. I'm gonna
I'm gonna write a tool, and I'm just gonna go after guidance software on my own.
Um, not quite. Uh, I mean, ultimately, I
and M imagery came about because I had a pressing problem in my practice that I wanted to sell.
so the other problem, we're sort of going backwards again to the sort of you know
why we commercialized in the other.
A key part of always own with Demetri was that was made answering, questionable.
Why can't actually do some real work while I'm waiting for all these hard drives to be imaged on. So that's the other. The other main problem that I have met resold. So it it lets people actually, uh,
do meaningful analysis while they're doing their acquisition. So they don't have to white hours and hours. Well, they can start doing some real work. Sure. Now, I know in your forensic practice, are you doing mostly criminal type workers we find here in the U. S. That's like the market for that, you know, really? Time forensic stuff tends to be in the
either the D o d u mark, you know, battlefield acquisition type stuff, or we're ah were
in law enforcement.
So So my practice is primarily civil litigation on and, uh, do a little bit of criminal defense work on, and ah, a little bit of criminal prosecution work.
Uh, incident response. Ah, little bit of that. Uh, but, um, tried thio.
Keep away from that at the moment. Uh, I tend to come sometimes in at the mop up stage. Hitting the, uh, hitting the timing targets for my artwork
is not something I really want to do when I've got other people to support around the world with elementary. Yeah.
Yeah. All right. I I think there was a right answer. The question?
Um, yeah. Do do you know the exact moment in time where you're just like I'm doing this?
Um, look, it had to be, I think maybe 20 somewhere in 2014. Probably.
One of those moments where you're just like it is three. In the morning and you just had it with something.
Not working it like that's it, right? My O'Toole, I do with this.
You gotta have a quick story, like maybe over 90% of it already. A modest will finish on the 20 something nearly that exciting, Okay.
Computer Forensics File Formats: Why you Should be Using AFF4
If you’re not using AFF4 (Advanced Forensics File Format v4) then your forensics process is ...
1 CEU/CPE Hours Available
Certificate of Completion Offered
MITRE ATT&CK Defender™ (MAD) ATT&CK® SOC Assessments Certification Training
Do you know how to leverage the MITRE ATT&CK® framework to conduct Security Operations Center ...
2 CEU/CPE Hours Available
Certificate of Completion Offered