The Entropy Podcast

You Can’t Delete This: Inside Digital Forensics with Jason Jordaan

Francis Gorman Season 2 Episode 15


In this episode of The Entropy Podcast, host Francis Gorman speaks with Jason Jordaan about the reality of digital forensics, cybercrime investigations, and the evolving role of AI in evidence and incident response.

Jason shares his journey from police detective to global forensic expert, unpacking how modern investigations work from reconstructing deleted data to testifying in court. The conversation dives into why AI can’t be blindly trusted in legal contexts, how digital footprints are nearly impossible to erase, and the psychological toll of confronting the worst of human behavior in cybercrime.

Key Takeaways

  • Digital forensics is still built on fundamentals
    Despite AI and automation, everything comes back to understanding data structures at a low level. 
  • AI is powerful but dangerous in legal settings
    If you can’t explain how an output was produced, it won’t stand up in court. 
  • You can’t truly hide in the digital world
    Like physical forensics, digital interactions always leave trace evidence. 
  • Incident response ≠ forensic investigation
    One stops the attack; the other explains how and why it happened. 
  • Human error is often the weakest link
    Many breaches aren’t technical failures; they’re failures in monitoring or behavior. 
  • Bias is controlled through process, not perfection
    Documentation, peer review, and validation are critical to staying objective. 
  • Cybercrime is increasingly sophisticated and organized
    Attacks now involve long-term planning, insider access, and complex technical setups. 
  • The job comes with real psychological cost
    Exposure to extreme content and consequences requires resilience and support systems. 
  • Passion and curiosity are essential
    This field isn’t just technical—it’s investigative, relentless, and deeply demanding. 

Soundbites

  •  “In forensics, if you can’t explain it—you can’t use it.” 
  •  “AI can’t testify in court. A human has to.” 
  •  “You don’t stop being a forensic scientist—it’s who you are.” 
  •  “Every interaction leaves a trace—digital or physical.” 
  •  “We don’t just catch bad guys—we make sure it’s the right one.” 
  •  “Pull the plug or preserve evidence? That’s the real-world trade-off.” 
  •  “Cybercrime today is organized, patient, and highly engineered.” 
  •  “You only get to make one big mistake in this field.” 
  •  “If you love puzzles, this is the ultimate career.” 

Francis Gorman (00:03.982)
Hi everyone. Welcome to the Entropy podcast. I'm your host, Francis Gorman. Before we dive in, if today's conversation challenges you, sparks a new idea or sharpens how you think about the world, don't keep it to yourself. Subscribe, leave a review and share this episode with someone who enjoys staying curious. Today I'm joined by Jason Jordaan, the principal forensic scientist and founder of DFIR Labs. As a recognized polymath, he is considered by his peers internationally to be a leading specialist in the fields of digital forensics, incident response,

cybercrime investigations, and cybersecurity forensics engineering. He was one of the early pioneers in digital forensics in South Africa with his interest and activities in the field beginning in the mid 1990s. Not only does Jason lead DFIR labs, but he remains actively involved as a practitioner in these fields and regularly testifies as an expert witness in them. Jason, it's my absolute pleasure to have you with me here today.

Jason Jordaan (00:56.984)
Thanks, Ron. This is an absolute pleasure to be here. I've been looking forward to this for quite a while now.

Francis Gorman (01:02.092)
I've been looking forward to it too, Jason. You know, it's, an angle we don't cover in depth a lot on this show, but it's also an angle of intense interest to me, especially for the way the world is now so connected. You know, we've got IOT, we've got software defined networks, you know, we've got all of these treasure troves that, you know, you can, you can hide information in and then need to kind of crawl through to find those, those breadcrumbs. And you've been at this since, since the early nineties.

And if I'm right, you started off in the police in South Africa. Is that correct?

Jason Jordaan (01:36.879)
Yeah, that's correct. I started off as a police officer. I suppose, you know, I always sort of describe myself as I used to be a geek with a gun. Now I'm still a geek, I still have a gun, but obviously I don't carry a badge anymore. But fundamentally, that's where I started off. I hadn't planned on becoming a police officer. It's just one of those things that kind of happened as a young kid and having to do national service, I ended up becoming a cop.

and found out that I kind of had a knack for doing investigation work. So I ended up being posted to a fraud squad as a probationary detective, becoming a detective. And, you know, with cyber and fraud kind of interrelated to each other, I was the guy that would eventually be called upon to do cases involving, you know, there was a computer involved in this case. Jason, you're that nerd person that knows computers. You know, we're going to give this to you because we don't even know how to type, you know. So that was the kind of environment I grew up in.

And it was, well, he has computers, we've got to figure out how to get evidence from them. But back in the days, it was basically just me and a hex editor, me and my peers around the world around about the same time, basically us with hex editors kind of figuring out how things worked essentially.

Francis Gorman (02:53.248)
That is fascinating for me. I did my in college. One of my papers, I did it on forensics where I went out to eBay and some second hand sites and bought hundreds of hard drives, you know, and then ran them through Autopsy and other tools. But, you know, went through the chain of custody, like write blocking at first and then, you know, pulling the image, you know, the amount of stuff I found on old hard drives that, you know, people had resold was kind of terrifying.

Jason Jordaan (03:05.038)
Bye y'all.

Jason Jordaan (03:13.73)
Mm.

Francis Gorman (03:22.786)
but also highly interesting and kind of reconstructing that data and seeing, you know, well, first pass wiped a bit of it, but it's there. And then when you're talking about hex editor and looking at it from that lens in the nineties, a lot has changed. What's the most fundamental difference between the hex editor then and the tools now with AI and all of these kind of extrapolations on top?

Jason Jordaan (03:28.792)
Mmm.

Jason Jordaan (03:42.21)
Well, so I think at the end of the day, everything we do still fundamentally starts at a hex level and understanding data structures. So I think one of the big differences nowadays is we have tools that effectively know how to read the data structures of different artifacts. So back in the day, we used to have to manually parse out everything ourselves by hand. Now we have tools that do it for us. So the good old fashioned hex skills are usually used for

validation of the tools rather than actually doing it manually anymore. But obviously if you sort of expand that to that next level, we've got all these AI engines and everything starting to come into play as well, which has a big impact on the field. It's kind of like the Wild West out there. I had a guy reach out to me not so long ago about this. They've got this amazing AI tool that could do this type of forensics and that type of forensics. And as I started to dig in, asking questions, suddenly they...

back door for back door for back door for back door. Because I think there's a lot of marketing hype with it. But the fundamental principle in digital forensics still remains the same. Can you access the data? Do you understand the data structures? And can you then interpret what that actually means, you know, to address some kind of legal or investigative question?

The new technologies we have make it quicker and faster and easier for us to do the job. But that same fundamental skill set still needs to be there. We need to understand how everything works essentially.

Francis Gorman (05:11.298)
Makes a lot of sense. Yeah, it is interesting, the AI marketing machine that is out there. I found it myself at the moment. Built an ecosystem and using Optus 4.6, extended as the kind of underbelly. You know, it's such a convincing liar and hallucination engine that I found myself using other models to cross reference data sets and then identifying very quickly unless the data sets are properly labeled and you have that lineage.

Jason Jordaan (05:25.603)
Hmm.

Jason Jordaan (05:34.819)
Yeah.

Francis Gorman (05:41.123)
You know, actually, as a human trying to reconcile problem A with statement B is extremely difficult and actually far more time consuming than it would be if you just read the stuff on day one and got a pencil and took some notes. So, yeah, when you talk about it in forensics, like forensics have to be robust. They have to be methodical. They have to be sound. You can't risk hallucinations like you could send someone off for a

Jason Jordaan (05:51.918)
Did it yourself.

Jason Jordaan (06:01.262)
Mm.

Francis Gorman (06:06.742)
a pretty long sentence, you know, off the back of something that's fundamentally not sound. So I do think AI has a role to play, but it's interesting when you said that.

Jason Jordaan (06:10.093)
Well, yeah, I mean, if you think, I mean, look, let's be honest, like any technology, any new technology, embracing it is always a good thing. And embracing AI is not a bad thing. You know, I suppose, again, as a computer scientist as well, you know, a lot of people are making a big hype about AI. But the reality is, we've been working machine learning models that going back decades already. I mean, none of this for us in the field is new.

It's new at a sort of consumer level, if I can put it that way. But for the real computer scientists, we've known about this stuff for while. It hasn't been commercially mature, but it's still a thing. And if you think about the problems of how AI is utilized, a lot of it comes down to a lack of understanding how the models work, a lack of understanding about the machine learning that goes behind it and the deep learning that goes behind it. So if you take an LLM system, if you give it

two identical inputs, you are never gonna get two identical outputs. And that's the problem, it's because the system is designed with that tokenization and randomization process to give the approximation of human response essentially. So from a digital forensics perspective, if I put one and one plus, one and one equals two, it should always come out one and one equals two, but not with an LLM system because that's not what it's designed to do.

So I think if we use the correct AI systems for the correct thing, so for example, in incident response, I see a big place potentially for AI systems in incident response, we're doing threat detection and immediate alerting, you can scale that kind of threat detection alerting much more efficiently through an AI system.

But the moment that becomes regulatory, legal or anything along those lines, then you can't allow that AI system anymore. Because at the end of the day, a human being has got to go stand up in a court or stand before a regulator and say, well, this is exactly what happened. If the AI black box doesn't give me the step by step process, I can never verify that. So even if the output looks good, if I can't explain to the court,

Jason Jordaan (08:29.687)
how that output got there, that evidence is always gonna be brought into doubt as well. It's interesting, you know, the courts have tended to, from what I've seen around the world at the moment, have been sort of pushing back on AI generated content. So I think the judges, you know, different restrictions around the world are a bit sort of on the ball as far as that's concerned. But it's a changing dynamic. Like who knows what it's gonna be like in five years time, 10 years time.

20 years time. It's interesting. All I know is I'm still going to be looking at hex, I'm still going to be looking at bits and bytes and I'm still going to be catching bad guys. So I think I'm okay.

Francis Gorman (09:09.964)
I think you're going to be perfectly fine, Jason. Let's talk about catching bad guys. You know, it's such a fascinating world when you're getting into digital forensics, especially when cybercrime or other crime is being the kind of core focus. What's the most interesting case you've worked on that you can talk about over the years?

Jason Jordaan (09:21.644)
Mmm.

Jason Jordaan (09:31.149)
So obviously I've worked on lots of cases, some cases I can't ever talk about, which was actually kind of sad. I always joke with my family that some of the best forensic work I've done I can never talk about. But there is one case that I really enjoyed working on. This is a couple of years ago now, but it was quite a complicated sort of organized crime hacking case where we had...

Essentially a group of hackers infiltrating essentially our state information technology agency, which basically supplies IT service to the entire national and provincial government in South Africa. And with the sort of guys that they planted or they recruited within that organization, they were able to basically set up a scheme essentially where they defrauded four particular government departments in one provincial area in South Africa.

of several, if I converted to euros, it would have been several million euros, 20, 30 million euros at that, from an exchange rate point of view. And the whole setup to the crime, took three, four months of setup, it was really deep and intricate and there was hacking into mainframe servers and setting up sort of fictitious client systems. It was really a complicated scheme.

And when we did the investigation, the investigation itself took well over six months of actual man hours in terms of actually investigating the case. And once we caught the main guy behind everything, he got 25 years direct imprisonment, which still holds a record in South Africa for the longest jail sentence for the crime of hacking. So he still has several more years in South Africa's finest custodial facility.

before he's gonna get out. But that was a really, really nice case, very complicated. The forensics was really, it was really detailed forensics. I'll just give you an example of one of the things we had to do in the case. The principal suspect, he kind of got a clue that we were onto him and he basically went, took his hard drive and he reinstalled Windows on top of it. So basically did a drive format.

Jason Jordaan (11:54.625)
Reinstalled Windows on top of it, and he thought the evidence was gone. So, you know, in this instance what had happened was, when you reformatted it, obviously it changed all the NTFS file system metadata structures. Created, you know, laid down new ones, laid down the Windows operating system. But understanding how drive geometry works and how, you know, NTFS works at a file system level,

we knew where to find the data. So even though the new master file table had overwritten some of the existing master file table data, we were able to manually carve out the individual master file table records. So basically every 1024 bytes, we were carving out chunks of records to reconstruct the entire system that he was using. I mean, that data itself took almost two months of solid investigation work to rebuild the system.

But once we put everything together, from a court perspective, we were able to reconstruct step by step how the crime was committed. So literally on the day that they actually did the financial transactions, we reconstructed that almost 48 hour period for the court. The guy is still sitting in court. He leaned over to his advocate, his legal representative, and was like, were these guys spying on me? Like literally they knew exactly what I did and what I typed.

That was the level of depth we went into the investigation, which was super cool. It's very nerdy. I love it.

Francis Gorman (13:19.47)
I know why you say geek with a gun. That is quite a sentence you got at the end of it. So, Jason, when you break it down and, you know, the level of granularity you have to go through, but also the level of discipline and understanding. Do you find it hard to stay completely objective as an expert witness when you've spent months engrossed in a case and kind of rebuilt?

Jason Jordaan (13:23.67)
Yeah.

Jason Jordaan (13:36.172)
Mm.

Jason Jordaan (13:44.02)
It's always difficult to be completely 100% unbiased. Obviously as a forensic scientist, you strive to be as unbiased as possible, but we're human and humans do develop their own sets of biases. So what we do to try and avoid that is we literally document every decision we make. Look.

Generally IT people, I think we hate documenting things. So if anybody doesn't like documenting, forensics is definitely not the field for you, because we document everything to within an inch of our lives. Every decision we make, everything we look at is documented, because ultimately we've got to go back and defend ourselves with that. So one of the things that we do specifically at work at the moment, you may have a lead investigator or lead forensic scientist working on a case.

But on a weekly basis, we do case reviews where other members of the team will actually look at this evidence with fresh eyes and say, Jason, did you think about this? Or did you think about this? We had a case just to kind of illustrate that that happened a couple of months ago. So I had a different, you know, another member of my team working on a case. And all of the evidence objectively pointed to a particular person being identified as the suspect.

When I, so I was one of the guys doing the case review for this particular case, there was one or two small little things that I picked up on the system and said, something's a little bit off here. It all had to do with timing. Timing was when certain emails were sent. And I said, I think you need to go and look at something else. Go and look here, go and look here. And the analyst went and looked at it and came back to me and said, Jason, you're actually right. This guy didn't do it.

And we started to dig into the evidence. So I think that checks and balances of keeping each other honest is a good thing. At the end of the day, I know it sounds weird, I like catching bad guys, but I like to catch the right bad guys. The last thing I could ever see myself being comfortable with is having an innocent person go to prison because I made a mistake. That would literally break my soul, literally it would crush me.

Jason Jordaan (15:53.837)
So I think that checks and balances process is really important to try and avoid bias. And again, it all comes down to your professional ethics and your professional integrity, understanding that we actually work for the court. Even now that I'm in the private sector, I may be appointed by a client to do work, but while the client may pay me, every bit of work that I do is actually for the court. And we've had cases where we've

gone against our client essentially because the narrative that they were trying to portray was not the actual facts at hand. In fact, I've got a fairly, I don't want to say too loudly, but there's a case that I was involved in involving some very, very high profile law firms where the one law firm that appointed me fundamentally lied and didn't provide all of the evidence to me. You know.

It's those type of things that you've got to be honest to your discipline, you've got to be honest to your integrity because at the end of the day that's actually all you have.

Francis Gorman (16:57.216)
In the world we live in, is it inevitable we leave behind a digital breadcrumb or is there ways around that? Are we completely exposed no matter what we do now?

Jason Jordaan (17:07.262)
I think if you look at the nature of the world, so maybe it comes down to a fundamental aspect of science. So before we even talk about the digital world, let's talk about the physical world. So in the fundamental process of forensic science, there's something we've always referred to as the Locard principle or the Locard trace principle. Basically says that whenever two objects come into contact with each other, there's reciprocal transfer of information. So if you and I had a nice hearty handshake,

process of shaking each other's hands would rub epithelial DNA from our hands onto each other's heads. Everybody runs off to the bathroom to go wash their hands after that. But that physicalness, as you move through the world, you are shedding off skin cells, you're leaving fibers, your movement through nature leaves a trace. Even though it might be difficult to find or even infinitesimally small,

but it happens in the physical world. And when you move that into a digital environment, the reality is exactly the same principles apply in the digital environment. In fact, I would say it's probably even more prevalent in the digital environment than it is in the physical environment because of how all of these systems are interlinked. The fact that we're doing this interview at the moment, the process of doing this interview is generating digital artifacts that places me

behind this keyboard essentially. It places you behind your keyboard, not just on our own computers, but if you look at the studio that we're using and the software that we're using and data that's been streamed, the ISPs that we're connecting to, the mobile phones that are sitting next to us, all of this integrated data is a trail that's incredibly difficult to get by. And you ask the question of, is it possible to avoid it? I don't know.

The island's got some beautiful isolated spots. Find some place with no electricity and no technology. I think that's literally the only way to avoid it. And then unfortunately you've got satellites. So that maybe also doesn't help you very much at the end of the day.

Francis Gorman (19:20.558)
The way the fuel prices are going, finding somewhere with no electricity in Ireland mightn't be too far away. We'll have to watch that one and see where we go. Yeah. Jason, no, that's incredible. I think when you put the analogy of the physical world and the imprints we leave, however small, and then relate it to the digital world, I think that really does bring it to life.

Jason Jordaan (19:24.715)
Hahaha

Yeah, that's true.

Francis Gorman (19:45.427)
I want to talk a little bit about your passion to kind of train others and uplift others in the skills. You've trained FBI, US Secret Service, US Special Operations Command. How did that happen? How did you fall into that world of elitism?

Jason Jordaan (20:01.044)
So, it's kind of weird. Obviously besides doing work for my own company, I'm also principal instructor for the SANS Institute. You know, it's a bit of a shout out from that perspective. But I'd always been involved in training of young detectives, you know, going back to my police career, I just sort of had a knack for

teaching, and then again it's something that I didn't plan to do. I just kind of fell into it. We literally, by my inspector, Kate, we, the one that said, by the way, we need somebody to go to the police college to give a lecture on fraud, you're it. I was volunteered for it, if I could put it that way. I actually found that I really, really enjoyed it. You know, then, you know, when I would be testifying in court, especially in the early days of the computer stuff, you know, having to try and teach a judge that

literally didn't even know how to use a mobile phone. I learned to communicate fairly well. So I got into teaching during my law enforcement career and ironically when I was still in law enforcement and I did my first SANS course and SANS basically approached me during the course and said you actually you're probably going to make a good teacher one day would you like to give it a try?

And that's kind of how I started. So I ended up teaching for SANS, obviously with the work that SANS does around the world, I got involved with training, like I said, the FBI and the Secret Service and Scotland Yard. Obviously I was in Ireland a few weeks ago, essentially doing training there. Training the British military chain, training the Australian military, literally law enforcement around the world. And it's something that I've become really passionate about because I was kind of lucky

as it especially as a young police detective, you know, I had an inspector that took me under his wing. You know, this, I was thinking of this like, like, you know, Arthur was this grizzled old veteran, you know, like, you know, this, this, you think of this, this sort of grumpy inspector that knows everything about everything. And he took me under his wing and he taught me and he mentored me and he, he helped sort of mold me into the detective that I eventually became. And I think, I think there's a

Jason Jordaan (22:16.395)
there's almost a duty, a responsibility for us, especially as we get older in the world, to pass that knowledge on to the newer generations and to help mentor the newer generations. Because that's how you make the world a better place. You share that skill, you share that expertise. And the more I do it, the more I've actually learned in the process. And by engaging with other instructors that teach at that sort of elite level, I've been upping my own skills. So it's become a...

like a really interesting dynamic engagement. I mean, the other day I posted a thing on LinkedIn, you know, I mean, I get a lot of people that are interested in doing mentoring with me and things along those lines. And I was, you know, I just put it out there saying, hey guys, you know, if we do like a Q&A mentoring type session, you know, is there anybody interested? I was, I mean, blown away by the response of people who just want to do

mentoring just to be able to sit down with somebody and say, hey, I've got career questions. You know, who can I ask? I think last time I checked, I was sitting on something like over 14,000 hits. I'm just a kid from South Africa. Like, I still see myself as this little kid from, you know, a small city in South Africa. And people are really interested. They want to learn. They want to be guided.

And if I can do that with my life and I can help the next generation to make the world a better place and a safer place, then one day when I shuffle off this mortal coil, I think my family can be proud of what I've done.

Francis Gorman (23:51.531)
I think it's a no brainer. You have this natural warm enthusiasm that kind of draws people in. I can see why people would like you to mentor them down this path, especially with the years of inherent knowledge that you have. It's so valuable, Jason. So I totally get why there was such a strong response to that. Can we talk about incident response at the moment? And when I look at incident response teams across the world, and I deal a lot with different organizations,

Jason Jordaan (24:18.985)
Mm.

Francis Gorman (24:20.854)
I get the feeling they're not at the races a lot of the time and that, you know, the aspect that you come in after is after the crime. You know, was that properly managed? Was it handled? Was the evidence protected in a way that, you know, we can testify to in a court of law? Is there a lot of crime flying under the radar because incident response teams aren't geared up to catch the incident properly?

Jason Jordaan (24:28.895)
Yeah.

Jason Jordaan (24:36.778)
Mmm.

Jason Jordaan (24:48.03)
Yeah, I think, you know, there's been a lot of debate over the last couple of months within the community about the concept of DFIR, you know, digital forensics incident response, is it the same thing, is it different, you know, all those types of things. And I think there is a big difference. You know, when I think, and I'll sketch it from my perspective, when I moved from law enforcement to the private sector, I got to do a lot of incident response work. And I used to get incredibly frustrated with the clients that I was working with because in my mind,

I wanted to figure out what happened, what went wrong, can I catch somebody? But for the business owner whose incident I was responding to, they didn't care about catching somebody. They wanted to have business continuity. They wanted the problem to go away. So for me, when I think of incident response, I'm thinking of responding to an incident as it's ongoing. So in other words, the threat is still there, the threat is still ongoing. I'm effectively the firefighter coming to put the fire out.

I'm not gonna get this, oh wait, the building's on fire, let's wait till the building burns down and then I'll come and do an investigation to see why the fire started. That doesn't help. But if you think about that firefighter analogy, once the firefighters have put the building out, then the fire inspectors or the fire investigators come along to figure out what caused it. Now for me, a lot of people merge the incident response roles with the incident remediation and incident response into kind of one thing. I actually see them as two separate

roles. There's the incident remediators that are managing the incident that are trying to stop the building burning down, so to speak. And then there's the incident responders who might be doing the investigation, the incident investigators. And I think there is a room for both of those two fields to exist simultaneously. Again, it makes no sense for an organization to prioritize forensics where they try to save their system.

Somebody asked me the other day, Jason, if you're responding to an incident, you see systems being, the ransomware has hit the system, you see the encryption happening in real time, like what are you gonna do? I'm gonna pull the plug on everything. Yeah, but you're gonna destroy evidence. Well, of course I'm gonna destroy the evidence, but what is my option having no systems that I can work with at all? So there's a bit of a decision management process that you've got to go through.

Jason Jordaan (27:12.53)
And I think the problem is there's a lot of people that are in that incident remediation, threat detection, SOC type role that is responding to incidents. They're not necessarily trained to do digital forensics. They're trained to do incident remediation versus incident response, which is root cause analysis focused. So you may mention about the fact that.

One of the areas that I've been doing a lot of work on is in cybersecurity forensic engineering. So this is an incident has happened and a regulator calls us in to come and investigate the incident because the regulator wants to know whether the company security posture was appropriate, had they been negligent or not. So it's incident response, but it's a completely different process because now it's about, did you screw up or not?

And I know that's a harsh thing for a lot of companies to sort of think about, but with the increasing regulatory environment we find ourselves in the world, I think we're going to see more and more of that kind of activity. So I think, for me, you made the mention about, you know, incident response teams not being at the races. I think a lot of that is true. You know, a lot of people are quite capable of doing that sort of incident detection, responding to things in real time, but that true in-depth

root cause analysis, I think that's a very different skill and not as easy to develop over time, unfortunately.

Francis Gorman (28:47.598)
That's really interesting. And the piece you touched on there about the regulator and the post-incident, you know, "was the company in and of itself negligent" aspect. Are there patterns there that you see? You know, have you got a framework at hand now, a "don't be negligent" framework? Are there certain things, from a basic hygiene factor, that are not in place that allowed this to happen?

Jason Jordaan (29:05.13)
So, yeah, so obviously it depends from jurisdiction to jurisdiction. So obviously in Europe, you guys have got to deal with GDPR and things along those lines. And, you know, it sets out the minimum security standard. Well, I mean, it doesn't say thou shalt comply with ISO 27-whatever, but it does set out a requirement for organizations to have appropriate security in place. And we've got something very similar in South Africa. So the process really comes down to this: you investigate the incident.

Part of the investigation is what caused the failure, what caused the failure of security, essentially. So if you think about a traditional incident response, what would be a traditional incident response is figuring out what happened. The cybersecurity forensic engineering framework is figuring out how it happened and what facilitated it happening, essentially.

And when you start to look at organizations, when you're looking at the security, you're looking at the architected security environment, you're looking at the implementation of the security, you're looking at training around security. I've got two incidents that I can talk about that kind of illustrate this. So in one case that I worked on for our local regulator in South Africa, our Information Regulator,

there'd been a massive data breach with Experian, and it's in the public domain, so I don't mind talking about it. And the regulator was looking at it as the first case to test the new legislation. And she approached us and said, look, Jason, can you go and investigate this? The police are already investigating the crime, but we want you to investigate it from a regulatory perspective and say, did they mess up? And we did a

very thorough investigation, working with Experian in the US and in the UK, which was a really enjoyable experience. And at the end of this intensive investigation, we gave them a clean bill of health. They had all the steps in place. They didn't fail anything. There was a human error that allowed the fraud to be facilitated, but it wasn't through an inherent failure in the cybersecurity engineering of Experian.

Jason Jordaan (31:18.473)
And the regulator obviously gave them a clean bill of health. There's another case that I worked on that, unfortunately, never ended up going to the regulator. But if it had gone to the regulator, it would have been somewhat different for them. In this instance, we had an organization, a fintech organization, that got heavily hit by ransomware. Essentially, they were hit by a third-party vendor, or from a third-party vendor.

These guys effectively wanted to sue their EDR and security provider, their managed security service provider, because the tools that they'd implemented hadn't picked up the malware. But when we did the investigation, we actually found out that the tool had been functioning absolutely perfectly, but the attackers had been refactoring the malware until eventually it passed through the behavioral detections.

And the problem was nobody was monitoring the system internally within the organization. So if they'd literally been monitoring the logs of the alerts, they would have seen the actions and could have literally built new detection alerts from them that would have actually stopped the case. So ironically, if somebody had gone and sued them for the data loss, they would have lost. They would have lost big time. So it's that kind of scenario.

Francis Gorman (32:31.49)
Really insightful. There's one thing, as you're talking there, that is running through my mind. And, you know, we've talked a lot about the kind of audit trail at a server level, or across the OS, or mobile devices in close proximity, et cetera, as markers. What about random access memory or cloud forensics? Does that change the playing field to some extent?

Jason Jordaan (32:43.241)
Mm.

Jason Jordaan (32:54.803)
Well, it changes in a sense around the volatility. So for example, stuff that is in RAM obviously is inherently volatile. You know, there are pros and cons. So obviously the pros are, you see attackers these days using in-memory malware only. So in other words, the malware never hits the disk. It basically gets executed directly in memory.

We can find that with the right forensic tools, which is absolutely awesome. So they think they're hiding from us, but we still find it. But then you have challenges from the manufacturers as well: using things like address randomization in memory and protected enclaves in memory and things along those lines is starting to complicate things. So that then becomes a challenge. Looking at devices like macOS, the new macOS devices,

we currently, as digital forensics practitioners, have no way to get to that memory at this point. So as the technology changes, there are changes. Same thing when it comes to cloud forensics. There's so much data out there, but there's the question of what can you access, what can't you access. If you wanna have the really, really cool logging stuff, you've gotta pay extra to your service provider to get that level of logging. Even though,

technically, they're still, in many instances, logging it anyway, but you've got to pay to access your own logs. It gets really, really interesting. And then the other problem when it comes to cloud issues is the jurisdictional one. Where do you legally get the data from? Like, I need to get this data from Amazon. So which data center am I serving the subpoena on to get access to the data?

It gets kind of crazy. It's an interesting time. It's a brave new world.

Francis Gorman (34:47.362)
Very much so, and it's getting more complex with all of the different technology sets we're seeing come out of the woodwork at the moment. Just one thing that strikes me: this is more than a job for you, isn't it? It's a passion. Do you find it hard to switch off?

Jason Jordaan (34:59.315)
Mmm.

Yeah. So I know a lot of people say I should get a life. You can see my bookshelves behind me. I mean, I literally live, eat, breathe, sleep forensics. This is not just my job. It's literally, it's my hobby. It's my passion. So, you know, for me to relax, I'm reading law books or I'm reading, you know, Windows system internals or something like that. You know, it's

part of who I am. And I know it seems very strange, but I've always kind of equated this to like an old-school tradesman in a sense, you know? You know, as a kid, I loved fantasy novels and, you know, Lord of the Rings and The Hobbit and all that kind of thing, which is why I absolutely adored going to Ireland, you know, a few weeks ago. I did a tour throughout Ireland. It was like, all the fairy stuff and the magic stuff was absolutely freaking amazing. But for me, you know, if I think back to those sort of fantasy-type

books and novels, if you were the blacksmith and somebody came up in the middle of the night and their horse had thrown a shoe or whatever, you as the blacksmith, you weren't just like, I'm sorry, it's after hours. You went to your forge and you took your hammer out, you did your thing and you helped the guy out, because you were a blacksmith. You didn't stop being a blacksmith when the sun went down; you were a blacksmith. You were a farrier, you were whatever. That was who you were.

For me, that's kind of how I see myself. I see myself as a digital forensic scientist. It's not all of me. Obviously I have other interests and things along those lines, but it is a huge part of me. So what I do is not a job, it's actually a profession. Think of it as a calling, almost. And they always say that if you love what you do, you never work a day in your life. I'm, I think, 54 years old now.

Jason Jordaan (36:58.417)
And I don't feel 54; I feel like I'm on top of the world, because literally I love what I do. I really, really, really love what I do. And people laugh at me in the lab when I'm working on a case and it's like, hell yeah, I've got that smoking-gun piece of evidence, and you can't beat that level of excitement. And it's like, I've got this case now.

Francis Gorman (37:22.83)
That's amazing. You can tell that it's far more than just a job. It's a passion. Before we finish up, Jason, for someone looking to get into this field, have you any advice for them?

Jason Jordaan (37:35.859)
So I think, again, I have a lot of young people coming up to me saying they want to get into forensics. And the first question I always ask them is, do you want to do forensics or do you want to do incident response investigations? Because the two are not the same. If you want to go down the investigation route, you know, threat hunting or that, awesome. Are you curious? Are you passionate about technology? Do you like solving puzzles?

Great, that's the kind of thing for you. But if you want to go down the forensic route, that's a whole different ball game, because it is fundamentally a lifestyle. You get scrutinized for every little thing that you do. You're always held to the highest standards, the pressures are extreme. I always joke with my team members that we're in the kind of job where we get to screw up once. Now if I'm on the witness stand and I screw up badly, that's it, it's game over.

My job is done, my career is done. Then I need to go to another aspect of cybersecurity or something, because I can't work as an expert with this anymore. But that's the thing: find out which area you really, really feel interested in. And from an advice point of view, be a generalist. I know this is going to sound really weird, but when you're starting out, learn a little bit about everything. I see a lot of people try to, they want to specialize

too quickly, too soon. And, you know, I look at myself, even though there are areas of specialization, I look at how I got into computing. I was a child of the 80s, and I grew up with, I mean, the other day I was showing my son, there was a YouTube video on the Sinclair ZX81. I was like, hey, my boy, look, this is what my first computer looked like. And he was quite shocked and perturbed about it. But

that's how I grew up. I grew up learning how computers work, how networks work. We figured it out as we went along. I find a lot of youngsters, I feel really old when I say youngsters, but I see a lot of people coming to the field these days that almost hyper-focus. Like, I wanna be a pen tester, I wanna be a forensics person, I wanna be a network engineer. Get the basics, get that core fundamental technological understanding, be comfortable in the technology, and then grow from there.

Jason Jordaan (39:58.385)
I think that's probably the best advice that I have for youngsters. Be passionate, be hands-on with the technology. Don't be scared of it. And also don't buy into this idea that you've got to have, like, a million certifications and things along those lines. Look, I mean, I have certifications and I've got degrees. But at the end of the day, if somebody comes to me and says, Jason, I want to come and work for DFR Labs, the first question I'm going to ask them is, what have you done?

Like, literally, what have you done? So they say, I'm interested in digital forensics. So what have you researched about it? What do you know about forensics? I'm gonna ask questions because I wanna see whether the person is genuinely interested. One of the questions I ask prospective candidates, when they say, Jason, we love forensics, is: okay, so what are the last five books that you read? So you don't read any books?

No, I don't like to read. Well, you don't like to read. You're probably not going to be cut out for forensics, because you need to read a lot when you're doing forensics. You know, it's little things like that. Do you have the right aptitude for the work, essentially? And if you do, this is probably one of the most amazing careers to have. You know, if I look back on the 30-odd years I've been doing forensics now, I couldn't imagine doing anything else.

And my life has been a real blessing as far as that's concerned. I've seen some of the worst things that humanity can throw at each other, but I've also seen some of the most noble things amongst humanity through the work that we do. It's very rewarding, it's very enriching, but you also have to face the reality that it exposes you to some really, really nasty stuff, and you need a good, strong support system and good resilience in place to cope with it.

Francis Gorman (41:53.571)
Let's actually touch on that for a second, because no one ever talks about the, well, how would I put this, the bad side of humanity. You obviously get on cases where you see things that no one should see. How do you compartmentalize that in a way that it doesn't leak into your personal life? Have you a way to kind of segment?

Jason Jordaan (42:02.279)
Mm.

Jason Jordaan (42:13.513)
I was pretty good at it for a while, so before I became a father. One of the kinds of cases that you, especially working in law enforcement, you end up working on is CSAM cases, child sexual abuse material cases. And it was easy for me to compartmentalize those kinds of cases; I wasn't a dad. But I remember one particular case; my son was about six months old.

And I'd literally been working at the office, working on a case, and it just happened to have, you know, CSAM material in it, specifically focusing on little boys. And when I got home after that day at work, you know, my wife was washing my son, you know, in the bathtub, giving him a wash. And I walked in, and one of the images, one of the videos that I'd just

been experiencing during that day while I was documenting everything in the lab just flashed in my head. And it was almost as if the case that I'd been working on overlaid onto my son. And I literally collapsed in the bathroom, literally curled up into a fetal position, and I just started sobbing. And my mom was like, what's wrong? I said, I can't tell you. And it's that type of thing, you know.

Luckily, we have psychological support systems in place and things along those lines. I went through a process of having to learn to compartmentalize myself better, especially being a father. But it is hard. It's important to talk to people about it. One of the problems we have in South Africa, and I don't think it's just a South African problem, is that if you're a guy, cowboys don't cry. We've always been tough and strong and whatever.

But this stuff does break you, and you do need to have a good support system to talk to. And you know, it's easy to think of it in terms of cases like that, but it's also a ransomware threat actor group that freaking hits a hospital, for example, so people sitting on ventilators die. There's a lot of evil in the world. And unfortunately, when you're dealing with cybercrime and these types of things, you are dealing with evil people doing

Jason Jordaan (44:26.445)
evil things, unfortunately. It's like, you know, when I was a kid growing up, and you think about the early-day hackers, and I'll count myself in that category: we hacked out of curiosity. We hacked because it was fun. There was no malice in it. But nowadays it's become mainstream. Now it's like any other human activity. You have the bad threat actors, the criminals, the malcontents, the deviants.

They're all engaged in this kind of activity and it's people like us that ultimately have to deal with it at some level.

Francis Gorman (45:01.656)
Jason, that is fantastic. Thanks for being vulnerable, insightful, and just genuinely brilliant throughout the whole conversation. We respect what you do. It's a real honor to have had you on the show, and I think the listeners are going to get a lot out of it. So thanks for joining me today to talk all things forensics.

Jason Jordaan (45:18.991)
No, it's a pleasure, Francis. I think it's important that we have these sorts of honest conversations. What we do is important; the world needs us. I know people would prefer us not to be around, I think, in the grand scheme of things. It's kind of weird that there has to be a certain level of chaos and evil in the world for people like me to exist. But what we do is important, and being able to share this with the broader communities, I think, helps.

We're human, we have our flaws and our weaknesses, but we do have a calling. I think we play an important part in the overall security cog and the societal cog of trying to keep things safe.

Francis Gorman (46:03.631)
You absolutely do, and it's amazing work, and it's been an absolute pleasure to speak with you today. Thank you.

Jason Jordaan (46:09.201)
Thanks Francis, really appreciate it.