And, without further ado, our next speaker, Najla, is a Penn State grad with a technical background in forensic science. She works in the area of forensic and clinical toxicology, more specifically, drug testing for various specimen types: urine, blood, and oral fluid. She is a crime show junkie, avid thrill seeker, and traveler, and wine explorer. I like that. She is currently transitioning into the hacking specialty of security and labels herself as a pen tester neophyte. Wow, that's a college word there. You can follow her journey on Twitter using these hashtags, hashtag toxicology to O-S-C-P, and hashtag scientist to hacker. Her website slash blog, forensicsandinfosec.tech, is focused on forensics and information security. Without further ado, Najla.

Good morning. Good morning. Thank you, Hunter, for that nice introduction there. So again, I'm Najla. We're going to talk about how forensic science and information security merge today. I call it lifetime lovers and part-time friends. And I'll explain why as I go forward. So he did my intro for me, but it was there as well. Penn State grad, Jersey girl, any Penn State graduates in here? No, I can't do my We Are chant. Dang it. Crime show junkie, I got into forensics because of CSI Miami. If you know Horatio, he had those one-liners, and those were my favorite. And now I watch it and I'm like, dang, these suck. Like they're not that great. But that's how I got into forensics. I like my wine, I like bowling, and now I'm on a journey to switch to pen testing.

So I just want to do a quick audience check. Any scientists in the room? Yes. Any straight information security people in the room? Yes. So do we have any medical professionals in the room? Perfect. And career transitioners? Yes. Yes, I like this audience. And crime show watchers. I need to know. Okay. Okay, I just need to make sure we're here.

So let's get down to it. So forensics, it comes from the Latin word forensis. The definition is generally public.
You're going to have a public discussion. It's argumentative. It's rhetorical. We have a modern definition from Merriam-Webster, and it's basically relating to, used in, or suitable to a court of law. So forensics is any science used in the court of law for the purposes of the court of law. And then we had, I was looking on the Pathways website for Homeland Security, and they said, you know, hey, we're just concerned with the recognition, the identification, individualization, and the evaluation of physical evidence using the methods of the natural sciences. So I was like, oh, that's pretty interesting.

So what do forensic scientists do? First and foremost, we are scientists. That is the heart of who we are. We classify it as forensics when it is used in any legal proceeding, whether criminal or civil. We tend to be accurate, methodical, detailed, and we do our best to be very unbiased in the field. We do a lot of report writing. So just like a pen tester report or those reports that you have to write up for anything, we do a lot of those, and that's how we present our findings and our research. We do a lot of that. And of course, we get called to testify. It is very scary. I haven't done it yet. I do desire to do it. I know that sounds weird, but we do get called to testify. And then we work in various areas of the industry, government, public, private. We're in labs. We're consultants. So you probably are working with a scientist and you don't even know it.

So here are some disciplines. And these are from, we have an American Academy of Forensic Sciences organization that kind of is the leader on how we do forensics. So these are the various fields. And as you can see, we have digital and multimedia sciences, which is basically digital forensics. And then we have some general. We have some pathology and biology, and then we have my lovely toxicology. So I'm going to do a little of this from my perspective, the clinical and toxicology perspective.
So some information security, some basic definitions. So what is it? So it's the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. And then also I looked up GeeksforGeeks and they were like, hey, information also can be physical or electrical. So it's not just the physical evidence that you have. It's also, we're getting that electrical and things like that. So at the end of the day, you're making sure that no information is compromised in a critical issue.

So what do we do? We protect the data in the systems using sophisticated tools, instrumentation. We manage, evaluate and monitor risk. We desire to improve and increase the security posture of our organizations by analyzing existing and future systems. We review and validate security designs and documentation, hardware, software and data. We conduct incident response such as forensic analysis and assessment of security events and logs. We implement and support network defense, identification, I'm sorry, authentication, access control and such. And we develop, sorry, we develop assessments and we use those to go forth as we do our designs of our security systems.

So some small disciplines, some disciplines that I just listed. And of course, while I'm here, I've learned that there are way more disciplines than this. So these are just some ones that I know off the top of my head. Aviation, web and mobile application security, cryptography, cloud security, everything that you can think of plus more that's been here, drones and everything like that.

So let's get down to it. Why don't these two fields work together? So from my perspective, we deal with PII and PHI just as much as anybody else. So when you go and have a drug test, you're giving your name, your birthday, your insurance information, all of that stuff that's protected health information, you're giving it to us.
And so when it gets sent to the lab, we get that same information. We also have, you know, personally identifiable information. What's in the labs, you want to make sure that if you have vendors in, they don't have access to that information either.

Endpoints. So forensics, by the time we get stuff, the crime has already happened. We're at the end of it. And at this point, we're working backwards to figure out what exactly has happened to assist in telling the story. So we get a lot of endpoints and we do our best to make sure that we tell an accurate story of what's going on.

Social engineering. So I've gotten people calling the lab and saying, hey, I'm the parent of so-and-so patient. I want their test results. And I was like, no. They were like, but I'm the parent. And I was like, no. And they're like, I want to speak to your manager. I was like, they're not here. And I can't give you information. You're not the doctor. You're not the nurse. I understand you're very concerned about your child, but I cannot give you that information. And they curse me out. And then they hang up and then they call back. And it's still a no. So we do get those calls. And people are trying to get information out of us.

And results. We are consistently in the lab pushing patient results. We are doing drug testing. We're doing trace evidence. We're doing all types of things. You go to your doctor and you get your physical and you get that annual physical. They take your blood. They take urine and they run all those tests. We get all that information. So we have a lot of stuff that we do protect on our side as well.

So why do I say that we're lifetime lovers? So we cross over a lot, a lot. So number one is documentation. Just like information security, documentation will help you go a very long way. And it's the same thing with forensics. There is never enough detail. The more details that you give, the better you are in your case and presenting anything.
So documentation, those SOPs, my model for documentation. And it may sound bad, but I feel like if I'm working, and when I'm working in a team, I want to document as much stuff. So when I go on vacation, I do not want you to call me because I want to enjoy my vacation and not worry about work. And that's selfish of me, but at least I know that my teammates know how to get stuff done, resolve any issues that are there while I'm away. No one wants their vacation interrupted. I know I don't. I like my vacations.

So we have various disciplines. As you can see, I listed quite a few of them. And breaches, our favorite thing that's going on right now. So how many people have heard of the HIPAA Wall of Shame? There is a thing called the HIPAA Wall of Shame and it's updated daily about all of the small medical facilities that have breaches. If you just Google HIPAA Wall of Shame, it's going to be a website that pops up and you can see all of the breaches that have happened. And it actually tells you how it was breached. It gives you the name. It gives you the location of the facility and everything. Recently, someone was in my Twitter DMs and they were like, hey, we got breached. And I was like, I don't think you should be telling me this. And it was a facility called Eurofins in the UK and they do a lot of police work and they took their network down for about three to five weeks. And I think they just posted, it happened June 3rd and I knew the day that it happened and I was like, this isn't good. And then the article came out like toward the end of June that they had gotten breached. So we get breached as well and people don't realize we have sensitive information as well.

So some governance, compliance and ethics. So we deal with governance as well. It's based on operation. The corporate part is dependent on the corporation. And we also follow those big name organizations as well. We all know NIST, we know HIPAA, we know DOJ, we know SOCS, FDCC, ISO.
But the ones that are double-asterisked, those are specifically for laboratories. So we have CAP, which is College of American Pathology, DEA, we all know that. So with the DEA, if you have powders in your lab, you have to have a DEA license. And they will come in and randomly inspect you to make sure that you're storing this stuff correctly. We have ASCLD/LAB, we have CLIA. So we also follow a lot of guidelines and restrictions as well as we're doing our work. And then a code of ethics, and that's also dependent on the corporation as well.

So my part-time friends. So my part-time friends idea is that sometimes we talk to each other and sometimes we don't, sometimes we agree on it, sometimes we don't. And there's a couple of things that I noticed. So user acceptance testing. So a lot of times we've got all of these different vendors in there. And then when we're doing testing, if we have a third-party test and if you're a small corporation, you don't have access to those funds to make your own platform for reporting out results. So we have LIMS, which is one of the popular ones that a lot of labs use. We have Orchard Harvest for reporting it out. So IT doesn't have access to anything that these are doing. So we don't, we just go by what the vendor has told us is good and we don't do anything else outside of that. And I think that that's a very important part, that IT should be integrated into that.

So risk, we have the risk of being shut down when we don't follow our organizations that govern us. We get inspected all the time. They come in and do audits to make sure we are following all of the guidelines that we've set.

And then ethics. So there's an ethic in forensics. A lot of people work for the government. So a lot of times you'll see that it's a government lab or a state lab or a local person that is a forensic scientist. But then you have myself. So I work at Quest, the big lab. It's an esoteric reference lab. So a lot of small labs use them as a reference.
And so in the community we have it where, well, you're a private forensic scientist. You're not a public government official forensic scientist. So then you have that kind of debate between us. Like are you really qualified to be doing what you're doing? And so then we have this idea of, well, you don't have a PhD, so are you really sure that what you're saying is credible? So we have a lot of ethics issues there.

And then the hacking and computer crime. So that's gonna, in privacy, that's gonna be with the digital forensics. All of this stuff that's going on, we often don't talk about it. And then you have these ethics that people follow, but then some people just don't follow them. So hacking and computer crime and privacy is a big area where the forensic community is not together. Neither are they working with the InfoSec community as well.

So a medical device. So we're in a biohacking village. And in the labs we often have medical devices. The instruments that we use are often classified as a medical device. Now this long boring definition is from the FDA. And it basically says any instrument, apparatus, machine, anything that is intended for use in diagnosing a disease or condition, or for treatment of an animal or man, is classified as a medical device. So we get tons of them. A lot of the organizations are also regulated. A lot of the vendors are regulated by the FDA as well. And then some of them are not. So when we have to report out results, we have to say this is not approved by the FDA when we come up with methods and stuff like that. Because otherwise it comes back to us and they'll sue us and we don't like that, we don't like that.

So I was, again, Twitter is my baby. I think we're in a relationship and it does well for me. So I was on Twitter and I got a DM. Shout out to Hexplates. She sent this to me because she's in DFIR.
And it's an article that says exactly what the goal of my talk is, to say, hey, you guys are information security professionals, but when you're doing your digital forensics and you're doing your evidence collection, you're not really trained to do that. And so you have those issues that come up when your evidence isn't logged correctly or someone makes a mistake and they don't know how to make sure that everything is documented so that when you go to court or when you're trying to prove what has happened, you have everything lined up for yourself. And so there's this thing where they're saying, hey, you guys should look into hiring some forensic case coordinators because they'll help you improve upon your digital forensics and incident response. So I thought it was pretty cool to see and she immediately, she's like, hey, I think you should check out page two. And I was like, bet. So it was very informative. And I think that in that space, I think it's very useful to read about the scientific part of it.

Just a quick note about my toxicology love. So it's expected to make 10.25 billion dollars by 2025. All of the drugs, all of the prescriptions, all of that is all tied into toxicology, all of it. So by 2025, it's gonna be a $10 billion industry. It's insane. So I say that as a caution. So when you go to the doctor and you get these prescriptions, ask those questions because sometimes they don't tell you everything, they just give you your prescription. Ask those questions because you wanna make sure you're also being safe. But it is a very lucrative industry. I don't do it for the money. I do it because I really do love forensic science and it teaches me so much about what's going on. Like I can tell you what drugs are popular in what area of the US. That's how intense it is.

So let's meet in the middle. So here are my key takeaways. Documentation is key. In forensics and information security, you can't get enough of your documentation. It won't hurt you.
It will only help you in the end. And if somebody comes to you and says, hey, how do I do this? If you're not wanting to sit and explain, you can say, hey, here's this SOP with details about how to do XYZ.

Check your access control. So in the lab, we make sure that you don't have access to the biology section or you don't have access to the crime section because that's not what you need to know. You just need to make sure you're focused on your area of expertise.

Segment your networks. You don't want everything to go down all at the same time because you won't get anything done.

Failure to comply will result in loss of revenue, restrictions, auditing and fines. We all know this. We all know this and we don't like it and we're seeing it happen every single day. Make sure you're keeping up to date with your compliance.

Scientists, talk to your IT people. If you deal with IT people, talk to them. IT people, talk to the scientists. It's kind of like developers and security. They don't talk to each other but we should actually really start talking to each other because that's the only way everything's gonna get better.

Check your third-party equipment as well and then have your IT security group recheck it. Basic stuff, this is general basic security stuff that we all should be practicing but it's very good to reiterate.

And then my suggestion for DFIR people is to suggest getting some training from some forensic professionals, the scientific forensic professionals, and they'll help enhance. I know that they have their way of doing things but I think it would be good to get it from a scientific perspective. And you can look online and find webinars; local government entities often have some trainings as well.

So just a quick thank you, the Biohacking Village for giving me this opportunity to speak. This is my first DEF CON. This is my first time in Vegas. And I was very happy to have this opportunity so very much thank you, Biohacking Village.
The Twitter InfoSec community, I know we're on Twitter and it gets bad some days but I do recommend it; it has helped me network with a lot of people. I use hashtags, I'm on there helping people and people have helped me so I really do thank the Twitter InfoSec community. And if you're on there, say hi to me, I'll say hi back, like it's no big deal. The Cybrary community, so Cybrary is an IT platform so you can make a free account, you can learn basic security stuff, they have access to free courses, certain free courses and then some stuff you have to pay for with the membership. And that's what I've been using on my journey for penetration testing. So that helps. Aside from Google University and YouTube University, Cybrary has been helping me. Any and everyone, thank you all for coming to listen to me. I really, really do appreciate it. And Izzy, Steph, Megan, Jay, Zay and Mo, they're all up there being crazy. You have to find a community and I found them and we talk and we talk through any instances where we're having troubles on any part of our lives so I really do appreciate y'all. And then here's my website that Hunter mentioned at the beginning and that is also my Twitter handle. And again, thank you so much. Any questions? I don't bite, I promise. Yes.

So in a crime show, when a detective wants to know the outcome of a forensic test for a crime, they sort of, they like wander into the lab and look over their shoulder and I'm hoping that's not really how that information is transmitted. What are the workflows there?

So it just depends on the lab. So generally it's very secure. So especially in a forensic lab. So forensic, they make you do that chain of custody and they'll come in, but we don't automatically give them the information. If it is your case, we'll say, hey, we'll get these results. So sometimes they'll come in and say, hey, I need this stat.
If it's an important, not important, but if it's a very high priority issue or a crime that has happened, they'll say, hey, can you put stat on this? And that becomes our priority. But no, they don't walk in the lab as often as the crime shows like to believe that they do. But believe it or not, on NCIS, just a fun fact, Abby, she's actually a real life forensic scientist. And so whenever she gets the script, she reads through it to make sure that it is believable and not just willy-nilly going out. So we do have guidelines and we make sure that whoever is in the lab has access to the lab and we're not just giving information to anybody.

Thank you, great talk. Thank you.

So in the information world for forensics, specifically with respect to court admissibility, there are some very stringent rules on who's allowed to access data. And some of this comes in the way of us doing proper forensic analysis. So for example, people who collect data are not allowed to communicate with the people who analyze data. It's just to keep you from getting prejudiced in the analysis and so on. And so the problem with IT is that either there's too much data or it's in some other place that you don't know about. And so until you do the analysis, you don't even know what data to look for. Yes. Because, and that's not allowed because there is this wall of separation. You cannot tell the data collectors, go there and collect this data. And so this is a big impediment for us but that's how the law is written and that's what we have to follow. Do you have the same kind of issue on the medical side?

Yes. So we, like when I worked at Quest, I had to take a drug test but I wasn't allowed to review the results of my drug test. It's immediate grounds for termination. And so they do it, it's strict but it's for your protection. It's not to hinder or hurt anything but they don't want anyone to jeopardize the evidence. So the more people are well controlled, the better it is.
So sometimes you can't get access to certain information and that, you know, you probably really don't even need it at some point but we often have it segmented. Like I can't see certain results because that's not where I'm working at. So yes, you know, sometimes it's an impediment for us to do our job but at the end of the day, do you really need access to that additional information? You probably don't. So I recommend just, you know, it's really nothing you can do about it. You just got to be like, okay, cool. And just take it from there but we do see it on the medical professional side as well.

How you doing, Miss? Good, how are you? Quick question for you. As you begin the transition from your toxicology side to your pen testing side, have you begun to go down the line of seeing any other types of devices you would like to test?

Yes. At the top of this year, I took my 10-year-old Dell computer and I started doing DFIR analysis on it. So I was learning some software I was using, just to see what was running on it. And then most of the time I'm just reading about it just to make sure I have a very foundational understanding of what's going on because I know that, you know, information security is very big and you can get drowned in information if you're not careful. So while I do my pen testing, I'm reading about information that will help me just in general as well. So yes and no. Most of the time I'm reading about it and then oftentimes I'm actually, I have a lab set up at home because I don't work in toxic, I don't work in information security yet. So I have to spend all of my spare time learning and teaching myself. So any resources that I have, I'm always sharing as well because I feel like information should be free and it's not that hard to share the information. It doesn't do anything for me.
It doesn't do any, I don't lose anything by sharing information and nobody can do you like you do you and I can't, I do me like I do me and you do you like you do you. So I share, I read and that's just what it is until I actually land my first position.

Hi. Hi. How are you today? Good, how are you? My question may be one that you can't answer right away but maybe just something that everyone in the room can consider. But I was at another conference in Atlanta and the conversation was about what involvement or lack of involvement the FDA has when it comes to the ethics around medical devices, especially medical devices that are implanted in your body. As a forensic scientist, what are your thoughts and your opinions on how science and the FDA laws and the ethics around that? What are your thoughts on that?

So it's kind of tricky. So it depends on what devices, I feel like certain devices have more strict regulations than others. And so sometimes it's harder to make sure those devices are working as said and update those patches and things like that. But however, I think that it is an important conversation that needs to be had and security shouldn't be at the bottom of it. And I think that the forensic professionals should be in there, telling them the risk of all of the, what these will be doing for the public and how it can hinder the public as well. So sometimes I'm reading stuff and I'm just like, man, this is crazy. But then at the same time, I feel like sometimes bad stuff has to happen for them to take action. And it's sad that it has to work that way, but it does. And now they're more welcoming to those information security professionals to say, hey, you might want to take us seriously because look what we just did. We just hacked this pump and we made it go deadly from our phone. So do you want that on your hands or do you not want that on your hands? So I think it's an important conversation.
And as I continue to grow in this field and keep my love for forensics, I think it's important to have.

This is more of an addition to what you were just talking about. But I think a lot of the ethics involved in the FDA kind of review process takes place at the institutional review board level. So once something is proposed as a new device to the FDA, it has to go through testing on humans, and that testing has to be reviewed by an ethics board before it commences. And I think some of the problems that we're seeing with devices that aren't secure is that at that point when the research is going through that ethics review, the people that are doing that review, and I'm one of them, don't know anything about information security. They're professors, they're medical professionals. They don't, that's not their thing. And so a lot of times it's like, are the privacy protections in place sufficient? And you kind of base it off of a checklist. And if you've got all these things, then yes. But the thing is we don't know what we don't know. And so we rely on you guys to tell us where the vulnerabilities are and what we need to be looking out for. So I think there needs to be a pairing at that level as well.

Agreed.

Hello everyone. Hope everybody's having a good con. We're halfway through. So I kind of want to follow up on that as a red teamer. I find myself doing pen testing, breaking stuff all the time, dumping rhymes, all that type of stuff. The type of stuff that you guys will need, right? But it's interesting because my customers who have medical devices, as they're called, on their network, they're not in scope. I can't touch them. Because if I do a denial of service on an X-ray machine, GE has to come out and do $25,000 a minute worth of work. And so we're in this weird situation where either A, we can't afford the tools because I can't go buy a lot of these cutting edge tools.
And then we're stuck between a rock and a hard place where we have customers but they won't allow us to touch these endpoints. So I think that there's a special opportunity here, like you talked about, where sort of like how we can hack the Pentagon now and the Pentagon had gotten hacked. It's the same way that we should be able to hack devices that otherwise are out of scope. Because as a red teamer, I'm often frustrated that it's running a web show. It has, excuse me, it's running a web server. It has FTP. It potentially has Telnet. But I can't even go and hit it with admin, admin because I'm out of scope. Technically I'm a hacker. So I just wanted to kind of make that known. Thanks.

Anybody else? No? Okay, thank you so much. Thank you. Thank you.