Q&A with Keith J. Jones, Digital Forensics, e-Discovery and Computer Security
CriminalJusticePrograms.com spoke with Keith J. Jones, owner and senior partner with Jones Dykstra and Associates (JD&A), a firm specializing in digital forensics, electronic discovery and computer security. JD&A covers legal, corporate and government projects. In addition to his work at the firm, Jones is also the author of Real Digital Forensics: Computer Security and Incident Response and The Anti-Hacker Toolkit.
Below he shares his experiences in the field and what students should keep in mind if they're interested in pursuing digital forensics.
Q: What is your current position?
I co-own a company named Jones Dykstra and Associates, and I have a business partner whose name is Brian Dykstra. I have the title of Senior Partner here.
Q: What exactly are digital forensics, e-discovery and computer security?
Let me start with the broad subject first; that's going to be e-discovery. In 2006, there were some federal rules that changed and basically made electronic data a part of civil trials. If you have two parties suing each other, both parties have a right to discovery. One party may say, "I want all the emails that have to do with a certain subject," [for example]. That's where e-discovery comes in. It's kind of like walking into a barn full of hay, grabbing a handful of relevant hay and handing it to somebody so they can do the review. Computer forensics is more granular than that. If we're talking about putting our arms around the relevant hay in e-discovery, we're now talking about trying to find a needle in a haystack.
The third thing is computer security. These three aren't mutually exclusive, though, so you may start e-discovery sets, and then you'll find something that you've got to investigate. Also, in some aspects, there's computer security. [For example], so-and-so company may have exposed X amount of credit cards - somebody usually has to investigate that and figure out what data was exposed, how much of it was exposed and what that means for the company. Do they have to notify credit card holders, etc.?
Q: How did you get started in this field, and what kind of preparation does someone pursuing this career need?
When I went through the university, they didn't have computer forensics as a profession, per se. You couldn't leave with a degree that said, "I do computer forensics." I have dual bachelor's degrees: one in computer engineering and one in electrical engineering. I worked at the School of Criminal Justice at Michigan State University when I was there, and I was always interested in the computer crime side of things. I stayed around for my master's degree in electrical engineering. That allowed me to apply for the technical side of the legal profession - investigating computers and so forth.
[In this profession, you're typically] either an investigator and then learn the technical aspect, or you're a technical person and learn the investigative aspects.
Q: Does it help to have a background in investigation?
The nice thing is that the people who are graduating now grew up with computers, so teaching them the technical aspect is a lot easier than teaching somebody who never touched a computer in his or her life. If you take your average college student, they already know what Facebook, Twitter, and all those things are. You [just] have to teach them specifics about different operating systems. [Criminal justice majors] already have an understanding of things like evidence management, and so forth, from their college careers.
Q: What is an average day like for someone entering the profession?
My average day is a little different because being an owner of a company encompasses [a lot of different responsibilities]. The more associate-level employees - those who don't have to worry about finances and all that [type of stuff] - work on the data from day to day. They'll have a project or two floating around. An employee may be working on two to four projects simultaneously. In the legal world, things don't move very quickly. If I'm working on four projects, I may not work on two of them each week. [For example], we gave data to an attorney or a business manager who now has to make a decision. We're just waiting for them to look at what we gave them, come back to us and say, "OK, now I'd like you to look at so-and-so's laptop."
Q: In general, are there any specific traits that work well in this career?
First and foremost, [you need] communication skills. I can say this because I'm a technical guy, but at least in my era when technical people were being developed, [they tended to be more] introverted. [In this career], there will be times when you'll be presenting your findings to a group of maybe 10 people, and you have to be comfortable. Later, if you do testimony, you might have a whole courtroom full of people, and news people there. So, being comfortable communicating is key.
[Another trait needed is the ability to be] multifaceted. You need to understand the legal world plus your technical world. A lot of times there may be a disconnect if someone's very heavily technical or very heavily into the legal world. We'll talk to the IT staff for a client, and then we'll talk to the attorneys for the same client.
Q: What are some of the challenges in the field?
As you progress in your career, you're not always just sitting in front of a computer. You can do the greatest things on a computer in an investigation and if nobody understands it, it really doesn't matter. It's important that [people are able to understand] what you did. Also, I didn't really grow up with [computer forensics], but now it's all over TV with CSI, etc. Computer forensics really isn't as cool as it looks on TV. There is a lot of pressing the page-down and arrow-down buttons. Just be aware that there aren't a lot of flashy things, 3-D renderings, and so forth.
Q: What kind of changes have there been in digital forensics in the last few years?
There have been a lot of changes. Any time you talk about a technical field there are a lot of changes. Even something as simple as Facebook becoming more popular means we're going to see more cases that will involve questions about Facebook. It doesn't necessarily mean we're getting evidence from there, but it's just another one of those avenues that lawyers have heard of, and they'll ask for any type of information that might be able to come from it.
Probably the biggest change that I see right now concerning computer forensics, specifically, is regulation. Right now, because computer forensics and e-discovery are so new it's, for lack of a better phrase, sort of like the wild, wild West. You can set up shop and say you [are a computer forensics investigator] even if you have zero experience in it. [Since there is no] regulatory body for [computer forensics], you're seeing the different states out there saying, "All right, this is going to be our rule for the state of whatever." [A lot of different states have different licensing requirements], and that's very difficult because you could find yourself on a case in which you just have to stop, so that you don't get into legal trouble.
Q: What do you see for the future of the field?
Hopefully, we will get this regulation issue figured out. I think you're going to see investigations everywhere. Back in the day we only worked on computers. Then smart phones came out, and now we're regularly doing computer forensics using them. So as technology progresses, and you have new devices, new tools and new operating systems, there will be new investigative steps for whatever that particular device, tool or software is.
Q: Can you tell us about your books: The Anti-Hacker Toolkit and Real Digital Forensics: Computer Security and Incident Response?
The Anti-Hacker Toolkit is a book I wrote that basically outlines all the different security tools. It falls more in the computer security realm with a little bit of computer forensics in there. It's more of a shop manual, if you will. The other book, which is newer, is Real Digital Forensics. One of the things that is really important [for training] is to get your hands on some data, and basically, play with it. Figure out what the data looks like, what's normal, and what's not normal. [In the book we have] some made up scenarios - realistic cases of different companies [with which aspiring professionals can practice].
Q: Any other recommendations for aspiring digital forensics professionals?
Volunteer for the project nobody wants if you're new. You'll learn a lot. Getting exposure to actually doing the work will usually help you. Shadow somebody if you can - that's usually the best way to get your foot in the door.