Episode 20: David Kalat - Computer Forensics and Digital History
BRG Director David Kalat talks about his path to becoming a forensic expert. Discussion includes his background as a digital historian, the ways in which he conducts digital forensic investigations, and a preview for his upcoming article in ThinkSet magazine on how laws protecting IP have struggled to keep pace with technology.
David, thank you so much for joining us on the Thinkset Podcast today. How are you?
I'm doing very well. Thanks for having me.
You often write about digital history, including a new regular column for Thinkset. Talk to me a little bit about your passion for information technology and where that comes from.
Not just a passion for information technology, in and of itself, but also, a fascination for its history. And you mentioned the new column that I just recently started for Thinkset. I also write a monthly column for Legal Tech News called Nervous System, which is similar in some ways. Both of them deal with addressing issues of contemporary technology through the lens of what was the first instance of fill-in-the-blank. And what drew me to that is this fascinating tension between, on one hand-- I'm sure everybody listening to this has some personal experience with the way in which changes in information technology have disrupted their personal life, their social life, their professional life, often times, in disorienting ways. And everybody feels very much on the bleeding edge of technological changes. When you dig into what these things that feel so new and feel so urgent actually have in terms of history, that history goes back way, way farther than I think anyone would intuitively expect, and that, oftentimes, when you're looking for what's the first instance of a particular issue with information security, for example, or a particular piece of technology, and to discover that it goes back 50 or 100 or 150 years can be difficult to reconcile with how these things feel like they just came out of nowhere.
I know you've got a bit of a unique background for somebody who's in your field. When you found this interest in sort of the history of information technology, did you originally find yourself as a history buff that just came across information technology as a blend of your two interests, or was it information technology that led you to reading about the history of it?
Well, I've always been interested in computer science without actually being a computer scientist myself. I was one of the kids of the '80's who was fortunate to have a computer in my home. We had, originally, a TI-99/4A and then the Apple IIe. Had the very first iMac that was kind of in the background even though that wasn't what I did professionally at first. So then when I came to work in this professionally and to deal with digital investigations and to confront how other people were reacting to certain things as if they had just appeared out of nowhere, and I had this recognition that that actually wasn't quite so new. I remember experiencing that when I was a kid. That was the starting point of realizing that there were stories there that maybe could be shared.
Now you mentioned a couple of times that this isn't your first career, and I think you've got a very unique background, especially when it comes to folks that work in expert services. Usually it's something that they get into either as a practitioner and then make a transition over consulting and expert services, or they've kind of been in it since the beginning. So could you give us a little bit of background about how you ended up here at BRG?
I think that I, starting off, was able to benefit from the way in which technology was transforming various businesses. I was definitely on the receiving end of that at first. I originally ran a video post-production facility in Washington, D.C. called DC Post. And in the mid-1990's, it was a great time to be dealing in digital video, which was what that company was very well-positioned to do because it was a crucial moment of transition from analog video technologies that had dominated that industry, were giving way to new digital technologies. And so DC Post was riding the crest of that wave, and by virtue of being in charge at that time, I got to bask in that reflected success. So that was an opportunity for me to position myself into digital video right at the advent of DVD. So this was 1997, and that consortium of electronic producers led by Philips were just beginning to introduce this format that was going to replace VHS and replace laser discs and encourage people to shift over to this new way of thinking about buying movies and owning a library of movies. The light bulb went off, and I realized, "Wow. This is an ideal way to market niche market films because I knew there were huge communities-- maybe not huge, but they were sizable and significant communities of people who were very eager to see classic, American independent, and foreign films that weren't otherwise getting a lot of attention from the mainstream video business in the 1980's and early 1990's because it was very difficult to make money off of them under that old model. But the new medium of DVD changed a lot of that business model in a way that made that profitable, and so I actually started the first independent DVD publishing company in the U.S. And so there in 1997, you had Warner Brothers, you had Sony Pictures, and there was me with All Day Entertainment, desperately trying to hold my own. And I ran that company for about 15 years, but then the next wave in digital technology was streaming, which is a very different business model. And it's one that favors conglomerations of content providers rather than niche market providers with relatively small catalogs. So I could tell that it was going to be very difficult to keep doing what I had been doing, that the avenues for selling physical media to consumers were drying up. Many of the people that I considered my audience were shifting over to spending their entertainment dollars by subscribing to streaming platforms, so I made the decision to go back to school and get a master's degree in information science. And that's what led me into consulting.
Wow. You witnessed, firsthand, the inflection point where VHS skipped laser disc to DVD. Do you remember a time, by chance, where you realized that it was DVD and not laser disc? Because I remember, specifically, sitting in classrooms that were built on laser disc that were then having to be replaced two years later because laser disc didn't take off. My school district took a bath on laser disc. But you were actually there and saw that within the industry. What did that look like firsthand?
There was a company that had really put all their eggs in the laser disc basket that I'd actually modeled myself on because I admired the way that they were trying to connect with the same niche market community that I wanted to connect with. I appreciated the integrity that they brought to how they approached their productions. They kind of looked at me askance like, "You actually think you're going to do this with this crazy new format?" Just as I was looking at them going, "I think you're on the wrong boat."
In your current role, you testify about digital forensic investigations in new discovery. Can you explain what that looks like sort of on a day-to-day basis when you're engaged in the specific case?
Like I say, I treat computers like crime scenes whether you're dealing with a theft of trade secrets sort of situation or some sort of employee misconduct or other situations where there's critical electronic evidence that might be relevant to whatever issues are being litigated. What's common to all of these cases is that the users of computer systems are often completely unaware of the extent to which they are leaving behind a footprint of how they're engaging with that system and what they're doing. And even users who are knowledgeable and attempting to cover their tracks are going to leave behind evidence, at the very least, of the efforts to cover their tracks. And so what I do is to pick apart the systems and understand how they're supposed to function and how user interactions get documented within those operating systems, and then extract that information out to tell the story of what is oftentimes unauthorized access to a computer system or unauthorized use of particular data.
Now, when you're going through that on the back end, you're actually dealing with a physical machine, someone's actual computer, cellphone, or even servers in an office building, right?
Absolutely. And in fact, it's the physicality of it that is critical in many cases when you're talking about forensics. This is the thing that I think escapes people's realization is that even when you're talking about electronic data, somewhere there is a physical representation of those ones and zeroes. It exists in physical form somewhere, at least temporarily. And it's that physical nature of the data that can get preserved in certain ways even when other steps have been taken to get rid of it as a femoral data. So, for example, the classic story, any dinner party where I say I work in computer forensics, people are always going to say, "Oh, yeah. You can never delete anything." That's the go-to that people have is this idea that every file can be recovered, which, of course, is not true. I deal frequently with the consequences of the fact that data has been deleted. But it is true that there are circumstances when you think something has been deleted, and it can be brought back, to the detriment of the person who thought they were getting rid of it. And what's happened there, in a lot of cases, is that you've got a piece of physical media whether it's a hard drive or a flash drive or something like that that has its physical representation of that file in some form on it, and the user goes to delete the file, and basically, all you really do when you do that is you're deleting the index that tells the computer how to get the file from that physical media. That's the first step, and unless other steps are taken, that may be all that's happened, and the physical representation is still there and still recoverable using forensic tools. It isn't always true, but it can be very dramatic when it does happen.
So as a digital historian, do you have any idea where the term "Nothing can ever be deleted," comes from?
Oh, yeah. There are definitely some high-profile cases where data was recovered in a deleted state that was the turning point for that particular case. There was a serial killer. He was the BTK killer, and for decades this coalition of local police, FBI agents, and professional high-profile serial killer trackers had all been working on this case. And there was a mountain of physical evidence that consisted of hair fibers and fingerprints, and written notes that he would send to the media taunting them. There were several instances where he had actually failed to kill somebody, and so there was actually a witness who had seen him. You'd think that with all of that kind of evidence that they would have caught him long before, but instead he goes on decades and decades until eventually you start to transition into the information age, and he stops sending typewritten notes to the media, and he sends a floppy drive. And it had a standard taunting message on it just like the other ones, but the forensic investigators who looked at that floppy drive, and it had a deleted file. It contained information about a particular, I think it was a particular church, that it was a church bulletin. So the document itself wasn't in any way related to the case, but it was evidence that tied that floppy drive to a real place. And then it made it possible for them to stake that real place out, and see his car that had been witnessed, and that was enough to then to start to get a search warrant, and it ultimately led to his arrest. It's a go-to story when people try to talk about the effectiveness of computer forensics, that you had every piece of firepower that you could possibly imagine on the traditional police investigative end, and it's one floppy disk and one deleted file, ultimately, catches the serial killer.
So when you went back to school to study library information science, how did you land on that area of study in particular?
If I were to describe the information science, I'd say it's computer science for the humanities people. I'm terrible at math. That's not going to be my forte. But I am interested in computer science, and as I said, it reaches back to my past, and I was studying Pascale when I was in elementary school. So it was something that I wanted to be able to engage with while recognizing that I probably wasn't going to be able to hold my own against people who had been computer programmers their entire lives. But information science is very much a sister discipline to computer science. And it deals with the human interfaces, the human use of information systems and a lot of the issues that, I think, people are wrestling with right now in terms of searching and retrieval and how information systems can be designed to be more user-friendly, more effective, so that people can find what they're looking for in gargantuan masses of data.
Now, the old saying goes that those who don't learn from history are doomed to repeat it. Now, you've got quite of an extensive background, both in the history and on the technology side. What are the lessons that you think we should be learning right now about how technology will shape our lives in the coming years?
As I said, one of the reasons that I was focusing on history was that a lot of the things that we feel we're struggling with right now, there's a context to them that can help explain it. So, for example, the first piece that I wrote for Thinkset was about the origins of password security and password insecurity, that if you go around to people, right, you'd probably get a very common sense of frustration with how all these different devices that people have to, or choose to, engage with-- you've got a smartphone and perhaps a tablet and maybe your work computer and maybe a computer at home. And so there's not just a bunch of different devices but then all these different platforms on them. This is how you interface with your bank, and it's how you book your reservations for dinner, and it's how you book your travel. It's how you interact with your family and friends. It's how you engage socially. These are the interfaces that we use for almost everything we do, and there's all these different, therefore, portals that we're having to authenticate ourselves on. And if the rules of password security are to say, "You need to come up with a password that is unguessable, and you're not supposed to write it down, and you should change it a lot, and you need a different one for all these different platforms," that is an absolute recipe for failure. That's not a system that's designed to succeed with people. But if you look at where this whole idea of password authentication came from, you go back to the 1960's, was just an ad hoc solution for a time-sharing system where they needed to allocate computer resources to a handful of users. And nobody who came up with this system really intended it to be a long-term method of information security. And it wasn't terribly secure because the very first passwords were hacked back in the early 1960's. So the idea that we're still relying on this today when the stakes have gotten so much higher, the need for information security is so much more urgent, I think, points to the fact that this is a system that really wasn't tenable to have lasted as long as it has, and we really should start thinking about coming up with an alternative, whatever that form might take whether it's some combination of biometric authentication and/or blockchain. There's different technologies that might be appropriate, but at the very least, we shouldn't be relying on something that's over 50 years old and didn't work that great on day one.
So you just touched on one thing that I actually want to ask you about. Blockchain is a technology that most people are at least aware of, but many people don't quite understand how it works. In this scenario, how could blockchain be applied?
One of the things that blockchain does well, and I think the reason why it's going to have a significance far beyond whatever cryptocurrency applications first brought it to people's attention is the idea that you can use it as a way of taking a digital asset and making it unique, making it a single instance of something. Because that's how the cryptocurrency platforms try to work is to say, "There is a single unit," and say, 'We can track this item as it passes around electronically because we can identify each of those transactions with specific unique markers that everybody can agree to." And so the ownership and the interactions with this item are very transparently documented in this online ledger, the blockchain. Applying that to authentication of user identities is still a work in progress, and there's lots of different ways that it can be applied, but the concept is there that there is a way of saying, "Something that exists in the digital world can also be unique, and we can track where it is in time."
We talked with BRG expert, Allen Jacobs, in the past about what different models might be for businesses built on blockchain. That wasn't one that he had mentioned, so I was curious what your insights and thoughts might be on it. You're in a unique instance as a writer for Thinkset for us, so could you just give us a preview of what your next column is for Thinkset?
It deals with various IP protections for computer software as a way of illustrating the challenges that the law has had in dealing with technology. I mean, personally, I think that the effort that goes into writing and passing laws shouldn't be underestimated, and they're meant to stand for a long time. Changing laws is difficult. And so it gets really tricky when you have a law that tries to be very specific about a particular kind of technology because the technology changes almost faster than anything else in society, and you can end up with situations where laws that are meant to be very much on top of technological issues can get rendered obsolete. And you can see that play out in the challenges that people have had in applying IP protections to computer software because, at various points in time, patent protections and trade secret protections and copyright protections have all kind of miss-fit with what it would be like to protect computer software.
Great. Well, we'll look forward to reading it when it comes out. And David, thank you so much for joining us here today.
It's been my pleasure.