Forensics and the Boredom of Peacetime with Donovan Farrow (1/2)

Welcome to episode 133 of the Nerd Journey Podcast [@NerdJourney]! We’re John White (@vJourneyman) and Nick Korte (@NetworkNerd_), two Pre-Sales Technical Engineers who are hoping to bring you the IT career advice that we wish we’d been given earlier in our careers. In today’s episode we share part one of our interview with Donovan Farrow and his progression from IT generalist to someone who developed an expertise in digital forensics and entered the security industry in its early days.

Original Recording Date: 06-30-2021

Topics – Meet Donovan Farrow, Focus on Forensics, Not Quite Calling It Security, Information Security Management, Peacetime is Boring

2:38 – Meet Donovan Farrow and Alias (formerly Alias Forensics)

  • Donovan Farrow is CEO and founder of Alias, a digital forensics and cybersecurity company based in Oklahoma City.
    • Listen to Donovan’s description of all the things his company does, their size, and their biggest competitors.
    • Alias is classified as a bit of a boutique shop in terms of what they do and their attention to detail.
    • Donovan spoke at a Dallas / Fort Worth SpiceCorps meeting in 2018 on digital forensics and penetration testing.
  • How Donovan got into the industry, the real story
    • He hated school but could fix computers.
  • How moving to Oklahoma City worked out
    • Donovan mowed lawns for a while and would use the money to buy computer parts.
    • He started working for a corporation at age 18 and did not have a degree until much later.
    • People have at times called him a gunslinger.
    • The job at an insurance firm allowed him to do a lot of tinkering, but he didn’t get along with his boss and was fired.
  • Teaching and not making people feel stupid
    • At his next job, Donovan progressed to a leadership position after coming in with no certifications (only experience). If people wanted to learn, he would teach them.
    • He wanted other people to know he loved the work.
    • Others in his past had made him feel stupid, and Donovan did not want anyone else to feel that way.
  • Getting fired, contract work, and catching full time work
    • Donovan got interviewed by many companies, including Chesapeake Energy and decided to work for a contract company.
    • Contracts were often sat on site and expected to "do work," performing whatever task needed handling at the time.
    • Donovan did work for energy companies, a bank, a manufacturing company, and others.
      • The things he learned in this role were out of necessity and to keep getting work.
    • He was later hired by an oil field company to learn everything and move everyone out.
      • The company later changed their minds about moving others out and gave Donovan a full-time job instead of a contract position. • Donovan was given every opportunity and never turned anything down, learning a ton in the process.
  • First forensic case
    • This was around 2004, and Donovan’s boss asked him to investigate possible misconduct of field workers, working with the global head of HR as part of the assignment.

17:26 – The Focus on Forensics

  • Forensic Focus forums early member
    • Donovan had never heard of forensics before the above assignment.
    • He mentioned having knowledge of McAfee ePO.
    • At smaller companies, the Systems Administrator ends up being the one to dive into any kind of forensics projects out of necessity.
  • Some of the pitfalls
    • Donovan has worked about 2500 forensics cases at this point. An attorney probably works around 25-30 cases per year.
    • There are a number of gotchas and ways to get yourself into trouble if processes are not followed or things are done incorrectly in a case such as being held personally liable.
    • Many times Donovan and his team have to testify in court. The longest amount of time Donovan has spent on the stand testifying was 12 hours.
    • Flashing back to this first forensics investigation, Donovan had to document the chain of custody for the hard drive, did a forensic image, and then did an investigation. After that, he did not really know what to do.
      • Unknowingly Donovan protected himself from getting into trouble in his thoroughness of taking multiple copies of the hard drive (tips he received from the Forensics Focus forums).
  • Being given more security work under the app/network security flag
    • Donovan’s boss started to send all kinds of projects his way, including one for managing a Blackberry Enterprise Server.
    • The security focused work wasn’t called security so much at that time.
  • Physical port security
    • Donovan learned to turn off physical network ports in offices to present people from plugging in their personal computer at work.
    • He was doing security stuff and didn’t realize it.

27:16 – Not Quite Calling It Security Yet

  • Donovan started getting into servers and networking as well as Active Directory.
  • It started as a joke, kind of a look what I can do with these tools.
    • Listen to Donovan describe exposure to early trojans like Sub7 that was transmitted via e-mail.
  • AD based pranking and the connection to hacking
    • Donovan shares the story of a prank he pulled on his teammates, which wasn’t so different from what hackers did to Sony.
  • Other forums Donovan used and forum credibility
    • There were some security news groups Donovan was a part of in addition to Forensics Focus.
    • A hackers elite forum was also a great place to get help. Participation was a chance to gain credibility in what was (at the time) kind of a niche area.

31:40 – Transitioning to Information Security Manager

  • Conversation with the manager which led to applying at an energy company
    • Donovan called his manager’s bluff on being encouraged to apply for the job if he wanted more money.
  • He started in at the company as a contractor but moved into a forensic analyst position without a degree.
    • The company couldn’t find anyone with experience in this area until Donovan applied. They relaxed the degree requirement for him.
    • There was no special security clearance required. He worked with security teams to determine how to hunt down malware as well as on forensics investigations.
    • There was a lot of great talent at the company during this time.
  • Donovan outgrew the role eventually and set up forensic and security labs elsewhere.
    • Donovan has a great story about meeting and stopping Sean Satterlee during a penetration test Donovan didn’t know was happening.
    • Blue team / purple team is where Donovan started. He refers to Sean as a red teamer.
  • The first ransomware incident
    • Server teams back then wanted minimal software on the servers to prevent performance issues. And then ransomware hit, but no one truly knew what it was and expected Donovan to fix it.
      • The ransom was around $40K at the time, and the attackers knew very little about what they were attacking.
      • No one knew which of the 5000 machines were infected. Listen to the strategy for making sure the environment was clean after discovering this threat.
    • Donovan works well under pressure and enjoyed the pressure of these types of situations.

40:17 – Peacetime is Boring

  • Donovan is a serial entrepreneur with a total of 5 businesses in his career. Once things are running well inside a company, he doesn’t like it.
  • Moving to NTT Security incident response
    • There were 6 companies compromised that Donovan needed to handle when he started.
    • This is the place where Donovan learned about penetration testing.
  • Starting Alias and deciding to commit to it
    • The role at NTT involved a great deal of travel, and Donovan had a family he wanted to see more often. He jumped in with both feet to get it off the ground.
    • Donovan was doing contract work which eventually turned into Alias.
      • It was a fun hobby, a side gig.
  • Proving innocent people innocent using data
    • Donovan has been able to prove at least 4 people were innocent, effectively saving those people from going to jail for life.
      • Donovan shares one specific example that is open record.
      • "The best witness is the data." – Donovan Farrow

Contact us if you need help on the journey.

Leave a Reply

Your email address will not be published. Required fields are marked *