If you haven’t yet met Phillip Moore and you’re in the digital forensics or incident response fields, you’re likely to at least know him from one of his top forensic blogs:
What you might not know is that these two wildly successful endeavors are simply his side hustle. Phill is a senior digital forensic analyst for a digital forensics unit in Australia. In his role there he’s performed a variety of tasks including the identification, preservation, analysis, and presentation of digital evidence across a number of platforms including computers, mobile devices, GPS devices, and CCTV systems in local, state, and supreme court matters. He’s also been involved in various process improvements and organizing events for digital forensics professionals in Sydney. I sat down with Phill to learn more.
Bret: Thanks for your time, Phill -- I know that’s a premium for you with everything that you have going on.
Bret: You earned a Bachelor of Science in Business Information Technology and then earned a Postgraduate Certificate in Computer Forensics and a Master of Cyber Security in Digital Forensics. When did you first know you were interested in Forensics and what inspired you to get degrees in the field?
Phill: A few things fell into place to really identify that the field of digital forensics even existed for me. I was at school studying to be a business analyst or project manager, both of which weren’t very appealing to me. After a brief study-abroad at the University of Texas at Austin I came back to finish the final subjects that I had delayed, and a digital forensics elective was running for the first time. I figured that sounded interesting and loved the class. After that I decided I wanted to get into the field, and after landing a job as a civilian examiner, I was able to continue my education with postgraduate degrees specifically in the Cyber Security and Digital Forensics field. Work was generous enough to encourage and contribute to our development to make sure that we had relevant qualifications to be accepted as experts by the courts.
Bret: You’ve gone on to earn a variety of other certificates. Can you talk about the value of being a lifelong learner, and what certificates you think are most important for individuals seeking a career in digital forensics or incident response?
Phill: It’s hard to keep up with the field if you’re not a lifelong learner. Even discounting all the new stuff that’s coming out, our understanding of devices, operating systems, and artefacts that have been around for a while is still developing. Not a week goes by without learning about something new, because you just have to.
Certification shows you that at the very least, you’ve been exposed to information relevant to the course that you have taken, or the studying that you’ve done, and were able to relay some of that information during an examination. Some jurisdictions require you to have had some level of training on the tools that you’re using so that you can be assumed to correctly interpret their results. Also, if you’re looking for work in the field, it’s not uncommon to see industry-recognised certifications, such as those from IACIS or SANS, listed as a requirement. It’s hard to say which certifications are the best; it really depends on the individual.
Bret: Your readers have come to rely on you for industry news. How do you stay current with industry news when you’re as busy as you are?
Phill: I don’t go outside. It’s hot in Australia and I burn easy. I also spend way too much time on the Internet :)
I rely a lot on my RSS reader, which I add as much DFIR goodness into as I can. Even if a person has written one post three years ago, I’ll add it to the list. That way, I can try and catch everything that’s posted somewhere. For the rest, I’m on a few different listservs, forums, and chat platforms, and spend way too much time scrolling through Twitter.
Bret: You’ve also done a lot of research into Google products. Can you talk about that and how you think Google products will challenge the forensics industry?
Phill: Google’s just everywhere. It’s scary and great at the same time, so I figured that it was worthwhile picking things that are going to be seen in investigations. For my first project I even had a case that led me down the track of researching how Google populates search URLs; the Google Home one was just for fun and because no one else had done it.
I’m not sure if Google’s going to challenge the forensics industry, they’re probably going to be helping us way more, as long as you have legal authority and access to a user’s data. Google is a data and metrics company, which stores so much information that people don’t necessarily know about, or delete, that may be useful to an investigation. Google offers customers seemingly unlimited cloud storage, and also allows them to back up data from a variety of Google and non-Google owned services. Adding this information to investigations has and will continue to help investigators in solving crimes.
Bret: How did you get started blogging? How do you stay motivated?
Phill: When I wanted to get into the field, I emailed one of the people I knew in the industry and he sent me the list of blogs that he read. I added them to my RSS reader, and then whenever I found a new one, I’d add that too. From there my list just kept growing. The problem was that I would leave articles to read for later, and never get to them. Then eventually my reader would clean them up. I figured that if I had a goal of getting through everything every week then I would stay on top of everything. I also found that I would remember bits and pieces about articles, but not how to find them, so why not put an index online.
A colleague started a blog in the beginning of 2016 and sent it over to me, and that was the kick start I needed to start posting on my own.
Then in 2017 I decided that if I was going to be encouraging people to write up their research, I should practice what I preach and started my other site, ThinkDFIR. I find that if I’ve done some research, I can post it up there so that I can refer back to it myself, or point people to it. I aim to post once a month there; 12 posts a year doesn’t sound too difficult, as long as you dedicate the time. I often had to do the research anyways, so writing it up means I can get a few more eyes to look over it, and it might benefit others too.
Bret: What has been your most successful post? Why do you think it was appealing?
Phill: I don’t really do a good job of tracking all of that for the weekly blog, and because it’s weekly news it’s really dependent on everyone else posting. I’m sure one has been more popular than the others, but I never really looked into why. I do notice there are still hits on the older posts though, which means people are using my site the way that I do: as a pseudo-index for people’s posts, so if they want to see all the research on a topic, as long as I’ve included the right words they can at least get started.
For my personal research blog, I found that a short post I did on APFS when it became the default file system on MacOS has been really popular. I ended up re-visiting it at the end of last year to add in some links for people to follow about the current state of play, rather than what it was when I originally posted. There was a bit of a teething process with APFS unfortunately, so I think people were just looking for anything they could find to help them figure out how to mount and analyse an APFS file system.
Bret: Can you share your writing process, from concept to publishing? How much time do you dedicate to it every week?
Phill: My writing process varies from project to project. The weekly post is a very specific style, where I have the concept down from the get-go. There’s very little thought that goes into it other than find posts, read them, write about them, try to put enough detail that I can find it later on if I need to. A lot of my time goes to those posts though, so much good stuff is put out every week! Over the years I have developed a routine, and some tricks to try and reduce the amount of time I spend on all the components of putting the posts together that aren’t directly reading and writing. I’m fine-tuning the process every week.
For everything else, I generally have an idea or a question that I need answered and try to put as much information down as I can; usually by just brain dumping, then filling in the blanks with what I can find online, and then testing and figuring out the rest. After that I iterate a few times. I usually get stuck after the brain dump stage for a bit, and end up with a lot of half-finished articles but it means that I get the ideas down and can work on them slowly as I find more information.
Bret: How do you attract new readers? Describe the methods you’ve used and their impact on site traffic.
Phill: I haven’t really done anything specifically to attract people to the site, relying almost entirely on doing a good job and letting the Internet take care of the rest. By keeping my site up to date, people know that they can come in on Monday morning and find everything they missed from the last week. In the beginning I think I had 100 hits a week, now it’s up in the 2000 range; but there’s plenty of room to grow. So many people don’t know about the site, and I really think they’re missing out. I try to take out the hard work for everyone so that hopefully they can remember they read something of value to a case and go back and find it.
Bret: Where can people see you speak in 2019?
Phill: That’s still very much up in the air, as I’ve been a bit busy to put any research into a presentation.
I am working with SANS as a teaching assistant for Ovie Carroll for the FOR500 Windows Forensic Analysis course in Singapore in March.
Bret: You also run a podcast, right? How would a listener find your podcast, especially if they’ve never listened to a podcast before?
Phill: I do! I know it’s hard to read through the hundred or so links that I put out a week, so I had the idea that maybe people might like to hear what I thought were the posts related to digital forensics they should check out and why I thought they were valuable.
The podcast episodes are uploaded as articles just like the weeklies, and you can listen on the audio player directly on the post. You can also subscribe through iTunes and your podcast player of choice.
Bret: It doesn’t sound like you have much free time. Do you have any other hobbies besides solving crimes for work and blogging on the side?
Phill: Yeah, I spend a lot of time with my family. My wife and I welcomed a daughter into the world last year, so we’ve just been figuring out all the joys of parenting. She takes up a lot of my time, but it’s worth every second.
Otherwise I try to get to the gym, and play soccer. I used to read a lot more non-forensics stuff, but that’s taken a backseat recently.
Bret: You didn’t mention Netflix. Do you have a favorite Netflix binge?
Phill: I should have! I watch way too much TV, not just Netflix. Thankfully I can multitask. We get through a lot of the superhero TV shows, as well as sitcoms like ‘The Good Place’, ‘The Big Bang Theory’, and of course, working in law enforcement, you can’t go past ‘Brooklyn Nine-Nine’.
Bret: All great shows and it's great that Brooklyn Nine-Nine is back! Phill thanks so much for all your time and everything that you do to educate and inform. We’ll continue to follow you on ThisWeekin4n6 and ThinkDFIR.