SANS Digital Forensics and Incident Response Blog

DFIR Hero — Cindy Murphy Interview

Cindy Murphy is teaching our Advanced Smartphone Forensics Course in McLean, VA in February 2016. Sign up now to take this course with Cindy. We interviewed Cindy so you can get to know her a bit better. Cindy's real world experience working in law enforcement and cyber security communities combined with her unending knowledge of smartphone forensics (and almost everything else) makes her one of the best and most sought after speakers in the entire DFIR community. She is the current DFIR Hero of the week.

1. Who are you? What is your homepage?

That's pretty much the ultimate question, isn't it? :) I am Cindy Murphy. I'm a detective with the Madison, WI police department, where I've been a cop for the past 24 years, about 19 years of that time doing digital forensics. I'm also a veteran, a mother, a musician (4 and 5 string banjo, cello, tenor guitar, mandolin, and ukulele), a protester for first amendment rights, a Brittany Spaniel enthusiast, and a knot tier.

2. Twitter handle etc?

My police department's webpage is www.cityofmadison.com/police, my band's website is www.hootnanniestringband.com, and my Twitter handle is @cindymurph.

3. Tell us how you became interested in IR or Forensics.

I almost literally fell into Digital Forensics. In 1998 I was involved in a high speed chase where an armed man ran from a stolen vehicle after he crashed it. I chased him over a chain link fence, and caught him with the help of another officer. After we tackled and handcuffed him, the other officer then kindly pointed out to me that my pants were torn from crotch to knee and I was bleeding profusely. I realized then that I had not made it over the fence unscathed but had messed up my lower back and lacerated my hamstring.

While on light duty, recovering from that injury, I caught the digital forensics bug. I worked with a now-retired detective on one of the first computer forensics cases our department had done. A guy was cutting signatures out of historical books at the WI State Historical Library, and selling them in newsgroups. Many years later, in 2012, I learned that Eoghan Casey was working the other end of that case in Boston. We solved that case using DOS commands on a DD image of the suspect's computer. It was a new and fascinating set of problems to solve, involving some skills my dad had shown me when I was a kid. I put in a training request to go to the NW3C's Basic Data Recovery and Analysis class and ended up attending in Helena, MT in 1999 with my twin sister (we didn't plan it that way - she was working in network security for Yellowstone County, MT at the time, and they sent her to the same BDRA class).

Several months later I was back on the streets, healed from my injuries, and a new fan of digital forensics when I got into another foot chase and injured my right knee badly. Another trip to the E.R., knee surgery, and another long stretch of PT later, I came out in relatively good shape. I went back on light duty, and was assigned to work on a new computer forensics case. After consultation with my family, I promoted to detective in 2000 and became a Financial Crimes detective. I was also being tasked to help with computer related cases where they came in, and over the next several years they took over more and more of my case load. In 2003 the department created a new position in the detective bureau for Computer Crimes, and I was assigned to working computer crimes and computer forensics full time.

4. What gives you the most satisfaction while working on a case?

There are a lot of things that give me satisfaction about doing digital forensics work in a law enforcement environment. Usually, by the time digital evidence gets to me, someone's experienced something really awful, and I've got the chance to do something to help that person in a very meaningful way. Alternatively, they've been accused of something really bad, and my work might possibly exonerate them. Either way, helping people is a great motivator.

I also really enjoy the puzzle solving aspect of this work. It gives me a great deal of satisfaction to find ways to figure out or solve difficult or new problems. There's no shortage of digital forensics work in the LE world, and no shortage of compelling problems. Each time I tackle and successfully solve one of these problems, or make significant progress towards a solution, I've made a habit of celebrating it and if it's something I think other people will be able to leverage to help them in their work, I try to find the time to write about it and share it. Hearing back from people who have taken what I've done and built on it, or who have solved similar problems in different ways is really awesome.

5. What forensic techniques do you find the most useful?

It's hard to single out one (or even a few) techniques that are 'most' useful. Techniques, in and of themselves, are tools that help us to find our way towards the answer to a question, and which ones are most useful is really dependent on what sort of problem we're trying to solve. It's not really technique, but rather method that makes the difference.

The scientific method though? It works. And so if you consider use of the scientific method a technique, then I would choose it as being most useful. And it's actually really straightforward. Figure out what specific question you want to answer, develop a hypothesis, try to predict the potential results, test based upon logical predicted outcomes, and analyze the results to determine what makes sense to do next. Adjust and repeat. When you're successful, have someone replicate your results. Rely on peer review to back you up in your success, and then write it up so everyone knows how you did what you did.

6. What is your forensic tool of choice and why?

See above. The scientific method combined with the human brain. We have amazing processors when you think about it. As amazingly complex as data can be, and as much of it is out there, and as fast as technology advances, somehow we humans created all of it: the data and the machines and software we use to analyze it. Human brains and the consciousness that drives them are infinitely more complex than all of that hardware, software and data we've created. A well educated mind armed with the scientific method is an amazing thing.

7. What area of forensics or incident response needs to be understood by every new investigator?

You may accuse me of sounding like a broken record (or scratched CD), but my answer again is the scientific method. If you teach new investigators how to ask the right questions and to frame the way they go about answering those questions by using solid methodology, you will provide them with a solid foundation for the rest of their career. If you just teach them to drive the software tools and a few tricks about how to view data in different ways, they're much less likely to be effective as examiners.

8. What area of digital forensics or incident response is the most exciting development over the past few years?

In my opinion the most exciting developments in digital forensics and incident response are in the mobile world. As legacy mobile devices have become smarter, we now are living in a world where a good portion of people are connected to numerous networks with mobile devices. This presents both opportunities and challenges for us in terms of sources of evidence, and the balance between people's rights to privacy and the investigator's ability to leverage that data in an investigation.

9. Why is teaching computer forensics to new students important? Why do you like doing it?

The DFIR field is only going to grow in future, and we need curious, flexible, and well educated minds to push the profession and field in the various directions it needs to grow. Albert Einstein has been quoted as saying "If you can't explain it simply, you don't understand it well enough." Teaching is a great way to learn the skill of finding straight forward ways to explain complex subjects, which is helpful to me when it comes to educating police officers, attorneys, juries, and citizens about technology. I find that through teaching, I gain better understanding of the subject matter and ways to explain it so that others can understand it. The questions students ask push me to hone my knowledgebase and often push my curiosity in different directions that I might not have otherwise thought to explore and research. Teaching is also a really great way to pass forward not just the technical information I've picked up in the years I've been doing forensics, but also the practical things that work in this field. The DF/IR field is one where the combination of doing the work, teaching, and research all support each other in really productive ways.

10. How long have you been instructing or teaching individuals in computer forensics?

I've been teaching people about computer crimes, and digital forensics or to actually do digital forensics since around 2002. My early teaching experiences generally involved mentoring other law enforcement officers who were learning forensics, presenting at conferences, and talking to citizens about cybercrime risks. In 2006, I started working with Madison College to develop curriculum for a certificate program in Digital Forensics which I helped to teach until recently. Madison College also has a program called "Girl Tech" for girls in middle school, which focuses on developing an interest in STEM subjects that I've participated in. I've also been a guest faculty for the National District Attorney's Association, teaching digital forensics testimony, and have consulted with other technical colleges about digital forensics curriculum.

11. What is your favorite part of the SANS FOR585: Advanced Smartphone Forensics class?

My favorite part of the SANS FOR585 Advanced Smartphone Forensics class is the capstone project in Day 6 of the course. Watching the "ah-ha" moments happen in real time as the students work through the realistic problems we've built into the capstone is always rewarding. Knowing that the students have learned about the various smartphone platforms through the lecture and 14 previous labs during the week and can practically apply those techniques to solve the challenging problems in that data set is really cool. It's a satisfying thing to know you've sent people home with a new skill set that they can put to use in their cases right away. I know we're sending them home with the knowledge and skills they need to succeed.

12. How did you get involved in SANS? What makes SANS unique?

I became involved in SANS through consistent searching for high quality training in the DF/IR field. Around 2008 or so, I attended a SANS Community course on ethical hacking and had some concerns about the messaging of the training material in regards to private companies reporting hacking incidents to law enforcement. I reached out to them about my concerns, and SANS responded in a really great way and improved the messaging. Not only that, but they asked me to get involved in the solution by presenting at a "What Works in Forensics and Incident Response" conference the next year. That's illustrative about what makes SANS unique. They consistently strive for quality and excellence in training, and work collaboratively with the DF/IR field to constantly improve on the status quo.

13. What do you do in your free time when not working on digital forensics of smartphones?

I have a really full life outside of forensics, and I try to maintain some semblance of balance, because my work is really stressful. For me, balance means spending time with my dogs, yoga, meditation, and tying knots. These days, it usually means I'm playing the 4 and 5 string banjos, cello, and tenor guitar with Hoot'n Annie. We're a progressive folk / newgrass band made up of a cop, a defense attorney, a preacher, a teacher, a restaurant owner, and a child policy analyst, all of whom are extremely passionate about life. We're playing quite a few gigs and have a loyal and growing fan base in the Madison area. It doesn't get much more balanced (or more fun) than that!

Cindy's Full Bio:

Bio: Cindy Murphy is a Detective with the City of Madison, WI Police Department and has been a Law Enforcement Officer since 1985. She is a certified forensic examiner and has been involved in computer forensics since 1999. Det. Murphy has directly participated in the examination of many hundreds of hard drives, cell phones, and other items of digital evidence pursuant to criminal investigations including homicides, missing persons, computer intrusions, sexual assaults, child pornography, financial crimes, and various other crimes. She has testified as a computer forensics expert in state and federal court on numerous occasions, using her knowledge and skills to assist in the successful investigation and prosecution of criminal cases involving digital evidence. She also helped to develop the digital forensics certificate program at Madison Area Technical College. She is a certified SANS instructor and co-authored and teaches the Advanced Mobile Device Forensics (FOR585) course for the SANS Institute. She has presented internationally on various digital forensics topics and frequently writes articles and whitepapers for the community on various forensics related topics. She earned her MSc in Forensic Computing and Cyber Crime Investigation through University College, Dublin where she completed her dissertation on the subject of victim age estimation from child exploitation images.
She is also involved with the Wisconsin Association of Computer Crimes Investigators (WACCI) where she serves as Past President for the WACCI West Chapter, Chicago Electronic Crimes Task Force, High Tech Crime Consortium (HTCC), is 2nd Vice President of The Consortium of Digital Forensics Specialists and is also a member of the International Guild of Knot Tyers (IGKT).

Listen to Cindy discuss "Advanced Smartphone Forensics" in this SANS webcast that every DFIR professional should listen to.

"Cindy Murphy is a force to be reckoned with! Very happy I signed up for this class." - Reza Z., DirectTV

"Cindy is Awesome! She fully understands what is happening in the field and how to do our job better." - John P., Shell Oil

"Good, real-world experience. Clearly, Cindy has been there, done that." - Chris Mallow, University of Oklahoma
