Redefining CyberSecurity

Cyber Investigations: Methodology over Tools | A Conversation with Christopher Salgado | Redefining CyberSecurity Podcast with Sean Martin

Episode Summary

Emerging from the frontlines of cyber investigations, Christopher Salgado joins host Sean Martin in a new episode of the Redefining Cybersecurity Podcast, going straight to the heart of cyber investigations, navigating the terrain from AI tools to organic probing. Salgado reveals the unseen dimensions of cyber investigations, capturing the tension between the rigidity of operating processes and the fluidity of response, presenting an engaging listen for anyone interested in cybersecurity.

Episode Notes

Guest: Christopher Salgado, CEO at All Points Investigations, LLC

On LinkedIn | https://www.linkedin.com/in/christophersalgado/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

___________________________

In this episode of Redefining CyberSecurity Podcast, host Sean Martin converses with Christopher Salgado about the critical yet overlooked aspects of cyber investigations. Salgado's rich experiences, from being an insurance investigator in Chicago to working on Facebook's global investigations division and being a key player amidst the Cambridge Analytica crisis, lay the foundation for this engrossing dialogue.

Salgado elaborates on the unique challenges posed by cyber investigations—being analytical, yet organic; thorough, yet flexible—straddling between rigidity of process and fluidity of response. Pragmatism and diligent investigation are pitched alongside the usefulness of AI tools, which, as per Salgado, can be both ally and adversary.

Highlighting the importance of operating within established processes, Salgado presses on the need for standardization and streamlining, without compromising on the inherently organic nature of investigative work. He underscores how modifiable Standard Operating Procedures (SOPs) can uphold consistency and enable comprehensive learning, while staying legally sound and economically feasible.

Salgado also draws attention to the flip side of AI tools: potential data leaks and the threat of manipulated AI platforms. Corporations employing AI must weigh their usage against the risks, envisaging issues of data privacy, information misuse, and disinformation before rolling out (or permitting vendors to use) AI-based systems.

In a nutshell, this enlightening conversation delves into the complexities of cyber investigations, the indispensable role of AI, and the necessity of solid processes, making it a must-listen for cybersecurity enthusiasts and cyber sleuths alike.

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new episode of Redefining CyberSecurity here. I'm your host, uh, Sean Martin. That's still me. I'd think about it for a second. It's been a busy morning already today. And, uh, so I've been flying around and I've made it back in time for this amazing conversation and I guess my guest had a, had a journey as well to make it here.
 

Uh, Chris Salgado, thanks for being on the show. 
 

Chris Salgado: I did. Thanks for having me, Sean. I appreciate it like coming in last minute effort here to from one meeting to the next, but I appreciate you being patient with me. 
 

Sean Martin: Uh, it's very good. It's very good. This is a conversation I'm very interested in and, um, I didn't tell you this at the beginning, but, uh, I can't tell you how many pitches I get from people. I want to tell you a story and, uh, there's some interesting things out there, but you're one of the few, and I'm, I'm talking like maybe 1% that, that shared something that, that, uh, piqued my interest. [00:01:00] So, uh, I'm, I'm thrilled to have you on. I'm, I'm glad you made it through the filter.

I'm excited to have this conversation about open-source intelligence and cyber investigations, and I, I presume you have a lot of stories we're gonna touch on, uh, past, present, and future that, uh, will, will excite our audience and get them interested in what investigations are and, uh, how intelligence plays a role there.
 

But before we get into all of that, uh, two words from you, Chris. What, uh, what are you up to, maybe a, a view of kind of what led you to this point in, in life and in your career?  
 

Chris Salgado: Sure. So I'm in Florida now, but I was born and raised in Chicago. And in Chicago. I was a private investigator for about 15 years, mostly really doing insurance work, so surveillance, SIU, accident scene, investigation, stuff like that. 
 

And then, but, but I had a reputation in Chicago for building systems, building pro, uh, processes, whether installing efficiencies [00:02:00] in current ones or standing up new ones. And Pinkerton got a hold of me on behalf of Facebook and they reached out and said, Hey, you know, Facebook is interested in building up their, their global investigations division.

Do you wanna be a part of that? And after my jaw hit the floor, I was like, yeah, I'll give it a shot and, uh, so I shot out to, yeah, so I shot out to Northern California and was really welcomed by those folks and, uh, it was absolutely fantastic being over there at Facebook, 'cause I was there at a critical time.

I was there, you know, during the Cambridge Analytica kind of situation. And then when the, for the 2016 presidential election that had some kind of, uh, problems with, uh, you know, online kind of rumors and stuff like that, you, you've read all about it. Um, so it was really, it was really interesting for me to be there at the time that I was there.

And it was interesting because I thought I knew cyber investigations before I went to Facebook [00:03:00] and Facebook's like, no, Chris, you don't know anything about cyber investigations. Let's show you something. Not in those words, but it was great. It was really cool because I'm so grateful, even to this day. I was at Facebook years ago, but even to this day, I'm still really grateful for the individuals that brought me on, my director, my manager, and the team that I was part of.

'cause I'm not a prodigy. I was a member of, you know, really talented team that helped bring the vision together. And, uh, it was just, it was a really cool opportunity. So, um, after I did that and I kind of spread my wings with the, you know, everything that was kind of encompassed in that I left Facebook to start up my own gig.

And, uh, here I am now in Florida and, uh, it's, it's really, it's a really amazing kind of capability to offer the services to different types of individuals and entities. Um, you know, based on what we now know and how I started in investigations in Chicago, just in general, I, uh, I [00:04:00] answered an ad for a law firm in Chicago, literally a newspaper ad, um, in, in Chicago.

And, uh, it was for like a customer service manager position. And before my stint as an investigator for now 22 years, um, I had a customer service background, so I had the interview and the manager, the general manager was like, you know what? You got the, the job, but if you want, we've got an in-house investigator role as well, if you wanna try that out, because throughout the interview it came out that I enjoyed the law and, um, and I, I probably said something like, yeah, sure, I'll, I'll give it a try.
 

You know, it just kind of cavalier. Yeah. Whatever. Just if you can gimme a paycheck, why not? Right. Um, so yeah, it went really well. And, and fast forward 22 years later, here we are.  
 

Sean Martin: And, uh, I'm curious, do you have a team that works with you now?  
 

Chris Salgado: Yeah, so with my company, yeah. Yeah. So we have a small team here in Florida, but we're a global outfit, um, [00:05:00] with physical and cyber investigations and, um, you know, we, in, in tandem to doing the investigations, you know, we also do seminars like this and public sessions, um, you know, at, at trade shows and stuff like that. Industry, uh, events, stuff like that. So we do the investigations and offer the training to help people with their kind of cybersecurity or cyber investigative aperture, maybe gets, you know, more efficiencies installed into your program or your scope or your SOPs, um, or really introduce you to maybe more hard-hitting engagements to get into the nooks and crannies of the internet, whether it's the surface web, the deep web, or the, um, the dark web.
 

Sean Martin: I love it. And your, your, your, uh, early beginnings are not unlike mine, where I answered an ad in the paper and they said, can you, can you do a computer-based job estimation? I'm like, sure, why not? That's awesome. That launched my career into, uh, [00:06:00] software engineering. Funny enough. So. Nice. Um, I, I want to go back to something you said around, uh, joining Facebook, um, and maybe even before that you talked about your, your work in, in Chicago looking at, uh, I, I presume it's insurance fraud. Mm-Hmm. I think you said that word. So, um, oftentimes when we look at things in the digital world driven by technology, we, we look back at the physical world and try to do a one-to-one mapping.

Mm-Hmm. Um, so is there a one-to-one, um, mapping between physical fraud, like, I don't know what you're looking at. People wearing neck collars saying they fell and then, and then you see 'em playing basketball somewhere. Is that the kind of stuff you're looking at? Mm-Hmm. And how does that relate to the digital world?

Because you, it sounds like you had an, an, an expectation of what the scope was for investigations that [00:07:00] Facebook then said, well, we have a little different view for you. So I dunno if you can kind of paint that picture of physical, the digital, your view of the digital to what Facebook described.
 

Chris Salgado: Well, yeah, and I, and I mean as far as like capabilities and skill set goes, so it wasn't quite a pivot in scope and expectations of my own. 
 

And certainly I didn't really have expectations when I went to Facebook. I mean, it's funny because I, it is funny because when they reached out to me again through Pinkerton, um, I thought, oh wait, Facebook's a company. Like it's just an internet thing that I go to a website. Right? Um, so yeah, it was, it, it kind of took a, a stupid moment for me to realize, oh yeah, Facebook exists outside of Facebook.com.
 

So I didn't really have an expectation of like what they wanted more than just building the inside process. Right. Um, but comparing to what I had done in Chicago with, like you said, mostly insurance fraud, [00:08:00] um, yeah, it, it's, I mean, it's quite different with obviously the methodology, the engagements, the skills, the uh, tools that you, you utilize, but you're still kind of going through the same breath as an investigator, right? 
 

You're still engaging, whether it's the physical world or the digital world, you're basically engaging from kind of a leapfrog session from one clue to the next, to ultimately hopefully blow open that door and kind of spot the treasure trove before you, whether it's the proverbial smoking gun or it's something where there's some smoke there, but we gotta keep looking for more fires there.

So it was, it was really different. Um, that's why I say to people like, and people ask me, how'd you land up in, in Facebook? And how are you doing what you're doing now? Much like you asked me and they hear like a, you know, insurance investigator, literally following people in the cars and maybe spiking beach balls on the, the front, the, the, the beach front and [00:09:00] when they're supposed to have a neck injury. And it's quite like, I get the eyebrows raised, like, I'm sorry, why did they pick you? And, and I get it, you know, but, um, I was one of the lucky ones that made it through. Like I said, I had a reputation for building systems in Chicago and they capitalized on that.

And, uh, you know, were able to take me up on that and allow me to kind of grow with my investigative skillset. Um, online, obviously primarily. But it also allowed me to really understand a little bit more intricacies in the physical world too. And that was really helpful. Uh, like I said, you know, here it is 2024 and I'm still very grateful to the folks that allowed me to, you know, do what I did over there for them.
 

Sean Martin: Well, I'm a, I'm a systems guy, ops guy, workflow guy. Uh, I like to nerd out on that stuff. And so that's another reason this, this intrigues me. Um. A lot of that starts with the mindset, which is what I'm hearing. [00:10:00] You had a, a way of thinking about this stuff. Mm-Hmm. That you can then translate into a set of processes that organizations can, can follow, uh, to help them streamline or at least keep track of all the stuff that's going on. 
 

Uh, I'm wondering though, do, this is just my own ignorance. I know security ops fairly well, so you have security analysts and you have threat intel researchers and threat intel analysts and folks looking at cyber incidents and, I don't know, is it, is that, is this role outside of that? This seems like it might be more business-oriented.
 

So it's somebody in, in retail, somebody in the banking part or the finance part, or where, where does this role sit in the organization? Is there a connection to cyber or are you, 
 

Chris Salgado: So are you talking about where does the role of cyber investigator sit inside an organization?

Sean Martin: Is looking more [00:11:00] internally at incidents or internally at fraud, like you said, or is there something else?
 

Chris Salgado: Are you talking about when I was at Facebook? Or just in general? In general. Yeah. I mean, so I have to make the delineation all the time that I'm a cyber investigator. I'm not like cyber security. I'm not an IT guy, right? So I can't build a computer, but I can sure dig into the nooks and crannies of, you know, the activity of it.

Right? Um, so it, it's, it's quite different. So we partner with, and, and we've partnered in the past when I was with different companies, um, you know, the IT divisions because they'll go ahead and let's say they get, uh, some infiltration, whether it's ransomware or whatever, that might look like a phishing engagement, something, a BEC, whatever it is.

And they'll go ahead and they'll trace the breadcrumbs to lead to the opening of what that was. Whether that's a bug in the system or bug in the human intelligence world, which is social engineering, right? They'll do what they need to do to [00:12:00] correct it, you know, build a patch or whatever it is, and then they'll say, okay, well who is this person that engaged us?
 

Or some entity, it could have been a bot, right? So at that point, typically with my experience, they'll pivot and relay it to me, uh, in the organization, which is different from the IT division, right? Um, maybe you'll have a seat like mine in a SOC, a security operations center, right? And they'll, they'll pivot it over to that individual within the SOC or externally as a vendor, whatever it may be, and say, okay, we've got the episode encapsulated into our understanding of what happened and how that kind of entry point looks like, we filled the gap. Um, let's go ahead and engage this person, whether they want to do so for insurance reasons, whether it's a data leak or some kind of half involved, or they wanna flag it to law enforcement. Um, a lot of times they'll pivot it to law enforcement and have them continue their efforts and, you know, within their scope, which is the right thing to do. But they might also internalize the onus and be like, [00:13:00] okay, we wanna figure this out ourselves. Right? We have our capabilities. We'll let law enforcement do their thing. We're not gonna inject ourselves into their investigation and kind of make that cumbersome, but we wanna know for our benefit who we're dealing with.

So then they'll roll out a cyber investigation that runs, uh, kind of leapfrogs from that information from IT and say, okay, who is that person? And with that, within that scope, you know, you delve into the cyber investigative scope, skill, scope and skillset to be able to kind of unfurl that in for that information.
 

Pull back the curtain and see who's behind that. It might be, it might be an insider threat thing, it might be, um, you know, some Joe Blow, or it might be somebody out of Southwest Africa, you know, some kind of romance scam or Southeast Asia or wherever it may be. Right? But to really gain some perspective on who they're dealing with.

Because once you know who you're dealing with, you can develop [00:14:00] a threat profile and analyze, okay, how, how aggressive is this threat? Like, they engage us, they infiltrate us. I get it, but what other, what other, um, capabilities do they have? How deep does their well run? Are they well financed by maybe a state nation, right?

Or a nation state, excuse me. Um, or you know, how, you know, are they connected with this ransomware group, whatever it may be, or is it a lone actor that did RaaS, ransomware as a service? Right. Um, so you wanna develop those kinds of pieces of information to really understand the scope, the comprehensive picture of who engaged you.
 

And that's when we fill the seat again, whether it's internally or externally as a vendor.  
 

Sean Martin: And can you share, uh, scenario story? Certainly not named, it doesn't necessarily have to be Facebook, which would then obviously be named, but just some interesting, uh, experience you've had. Um, either it [00:15:00] was off the wall or creative or just a real bear to, to investigate and find, find the nuggets you're looking for.
 

Can you still  
 

Chris Salgado: Yeah, sure, sure. So, so one time we had an episode where a con a, um, a, a company contacted us and said, Hey, somebody's pilfering our data. It was a streaming service. Um, and they were pilfering our data and stealing our content and releasing it to underground servers for the underground community.

Right. The hacking community and stuff like that. So we need to figure out who it was, and they gave us very little information. I think we got this a couple years ago. I think we got, um, a username supposedly, and then maybe a location. But the sus, the suspicion off the bat was that was a VPN that they were utilizing.

The reason why I'm reaching this far back, because we do these cases all the time, the reason why I'm reaching far back to, you know, a couple years ago was this was a pretty intense [00:16:00] case, and I said it before that I don't know everything. There's better people out there. Sometimes they're on our side, sometimes they're not. And unfortunately this was the latter. So we engaged in this person and we're trying to figure out who's behind this one username. And it was really, really intricate. It was really convoluted because I, kind of cut to the chase a little bit, was this individual ended up being a, a hacker to a very well-known hacking group that you can imagine.

Um, and they utilized this username throughout the team, their kind of social network. So you would engage this username on, you know, forums, I won't say certain platforms, on certain forums, right? You say, oh, okay, this makes sense. This fits the pattern from what we understood this person to be, right, who they were and kind of what they're all about.

And then that same username would take on a different kind of persona within the context of the writing. We say, hold on [00:17:00] here. This person used to post evenings right? On weekends for weeks, and then now they're posting morning times Monday through Friday. Right? Or every Wednesday. That doesn't jive with what we knew the person to be, who we knew the person to be.

That personality, that kind of interest, and it would really imbalance our understanding of the situation at hand. Um, that was terribly frustrating. And then we found out that that username was being purposely utilized among the team of the social network that they engage in this hacking group. Right?

They did that purposely so they would throw off any investigation into them. Um, that was done very, very well by them, and it took a while for us to figure that out. They dropped so many red herrings on that. Within that case, it was a really, it was a pretty difficult one to unravel, but fast forward to the end, uh, we just kept being merciless and we just kept being diligent with our investigation.

Thankfully, he, we had a [00:18:00] very, a very understanding client to say, Hey, you know, we need time. How much time? I don't know, but we're gonna continue on. I'll feed you updates. And they were copacetic with that. So fast forward to the end. Like I said, we're able to really attain, uh, you know, the, the identity of this person because somewhere in the confines of the internet world buried pretty well was a single PDF to a, it was a customer, it was a new application for a new customer, for a, it was such a small niche. It was Vietnam soap opera channel streaming service. It was so just this tight niche of content and literally we saw this person's real name affixed to the username. Credit card address. It was right there.
 

Wow. Now I say that summing it [00:19:00] up, but it was a lengthy and, and just there, frustrating. Yes, exactly. Frustrating investigation. But we were able to wrap our heads around it. And, uh, it was, it was pretty intense. And this guy, it was, it was a male, this guy, he, he had a fantastic professional life. He was an IT expert.

Um, he worked for a company that we all know and, um, he just did a really good job of keeping a one arms distance from his hacker profile to his personal profile. I mean, he had a family. I mean, it just was like, you would look at this person on paper, LinkedIn, whatever it may be, and say, okay, you, you did good.

Right? And then you look at their hacker profile, his hacker profile, and be like, okay, this is a bad person right here. You wouldn't really pair them up together. I, but it just goes to show you, with me doing investigations for a while, you just never know. You know, there can be two sides to individuals and I don't wanna paint it [00:20:00] that you can't trust anybody.
 

That's not what it's about. It's just when you develop these, these conclusions, you can say, wow, that's, that's absolutely fantastic. But you can kind of be prepared for something like that because you don't wanna second guess yourself. Oh, I landed on Mr. Jones or whatever, and he's this aspiring IT person at this very well-known company.
 

It can't be him. No, no, no. You gotta listen to the evidence and you can't let your, you can allow your mindset to kind of check what you're going through and have those kind of, um, uh, kind of mental checkpoints on what you're doing to really balance out the information, the evidence that you're unfolding. 
 

Go with that. That's valuable. Don't dismiss it because you're staring at the profile of someone that's well respected and has earned their place in life. Um, you know, because of where they're at now.  
 

Sean Martin: Yeah. So I wanna talk to you about that, what you're describing there. 'cause there's the mindset, there's, there's the gut. 
 

I'm sure you start to get [00:21:00] emotional to an emotional attachment to the case. Um, and then you have all the data that clearly was being manipulated as well. So what's true, what's false? And you have all the tools that I'm, I'm, I'm certain or you're feeding the data into, to help you come out with some, some things to some areas to look into or some conclusions that might, that might be made that it's easier to do with a tool than maybe with somebody's brain sometimes. Mm-Hmm. So I wanna talk about, I wanna talk about kind of that relationship of all that stuff. 'cause ultimately we're gonna get to kind of the role of tools, but the role of methodology and, and how those things balance out. And is there, do you need an, an imbalance, purposefully? So talk to me about the, the relationship of emotion and, and data and all that stuff. First, though.
 

Chris Salgado: Sure. So, so I, I appreciate the [00:22:00] kind of imbalance between methodology over tools and, and what does that look like with, with the data that you're talking about? I mean, when you engage on something as a cyber investigator, you wanna just cast a wide net as wide as possible. 
 

I tell people all the time that I wanna net in all the information. I wanna stare at it, and I wanna ascertain or identify, you know, what's relevant and what's not. You know, sometimes your, you know, your department chair or client can come to you and say, okay, this is the information that I, that I have. I want you to focus on that.

Okay, that's great. I never like reinventing the wheel, but let me ingest that and also go ahead and extrapolate the additional information that might be out there that you don't possibly know about. We just said that not everybody knows everything that's included in a scenario, right? Um, you think you know everything and maybe know most of it, but you know, you bring on an investigator, whether that's internal or external, to, [00:23:00] to develop the additional information that you need. And with that kind of open mindset, you can ingest that information from the department chair or your boss or whatever client, and you can go ahead and try to explode that, the value, and ascertain the, the additional information out there, responding to that data. But again, being, maintaining the power seat of looking at all that information, analyzing it, converting it into intelligence, and saying, okay, this is related. This is not, this is related, this is not. And you have to be able to back up what you're saying too, because it could be critical at that stage that you could be casting out a piece of information or multiple pieces of information that are relevant to your situation at hand or the subject that you're trying to track down. But on the surface it doesn't look like it. Right? Um, so you have to be able to kind of speak to that and tuck it away kind of on a back burner, but still leave it within an arm's reach because if something comes up where [00:24:00] you're like, I've been chasing a red herring from the get-go, you can pivot back to that back burner and say, let me reinvent that, or let me reintroduce that and see what we're going on. Okay, now I have the experience. Now I have the information of knowing what's out there, what I thought wasn't out there. Now I can look at it through a different lens and you can look at it from that new kind of old intelligence that you developed earlier, but you kind of cast it aside again, that can be really detrimental to your investigation. And some people do that. Um, they have, they have this kind of vision of who this subject is. They have this vision of, you know, what the entry point is, what tool they used, how they got there.

And that's great to have as a kind of, um, uh, prediction, I suppose, into the investigation. Um, 'cause we all wanna live. We all wanna benefit from our own experience and we bring that to the table regardless of where we come [00:25:00] from. Um, but you have to be able to check that, you have to be able to look at the evidence that hopefully is as impartial as can be, but you've got disinformation and misinformation.

We can talk about that later. But, you know, you have to be able to check, to re to recognize that you could be wrong. With your gut. It's great to have those capabilities, those mental checkpoints, but you have to be able to stand it down, and I've met too many investigators to say, you know, that they just, it's a hard habit to break.

You know, they've been in the scene for decades, law enforcement for 20 years, PI for 10 years and stuff. And this is no knock on law enforcement. I've never been law enforcement. There's no knock against 'em. But, you know, regardless of your background, you're really kind of ingrained into your kind of philosophy and what you come to the table with.

Again, use that as a value. That's great stuff, but don't be kind of chained to that. If evidence dictates [00:26:00] otherwise, follow the evidence. And if it ends up being a red herring or misinformation, or disinformation, you can go back to what you started with, but at least chase that down. I mean, investigators inherently, you know, leapfrog from one piece of evidence to evidence to the next. I mean, if you knew it all at the onset at looking at, we wouldn't be needed, right? Um, so you gotta be able to maintain your kind of composure to say, okay, I've got an idea. Let me go ahead and exercise that, see if that's legit here or relevant here.
 

But if it's not, then I'm gonna go back to the drawing board. And I'll keep plugging away. It's just another obstacle and whatever it is, getting a new job, you know, going out there and finding another person on a date, we all have obstacles that we have to overcome. Personal or professional. This is just one of those and you have to be able to pursue it and just kind of plow through any obstacle that comes through that might show that, hey, you were wrong, and that's okay as long as you get to the end, [00:27:00] um, efficiently. 
 

Sean Martin: Yeah, so I'm, uh, thanks for that, by the way. I'm, I tend to look at things, uh, like, like a project. I've been a program manager for years and years and years, which has some, some resemblance of, of some milestones. And so I'm wondering if this looks like that with, with an end game. And within that, do you, do you have to attain certain things or collect certain things or reach a certain point be before you move beyond a certain milestone?
 

That's, uh, maybe one thought and then, yeah, we'll start with that. Have a gazillion question.  
 

Chris Salgado: So, yeah, no, I, we share a similar mindset, so I love processes. I love engaging projects through processes. Ad-hoc is great and sometimes you need to do that. You don't have a time for a process, but if you can benefit from employing a process that you've already carved out, [00:28:00] you've already tested it to be, you know, true, um, to the majority of cases, or, you know, a large number of cases. Um, why not? Right? So, you know, whenever we get a case, a situation at hand, I really like to apply a process. Okay? First we're gonna do this, then we're gonna do that because it not only allows me to really be as efficient as possible, and like I said, just weed out the tools that work and that don't work, but it also allows me to have the conversation more intelligently with the client to say, this is what we're gonna do. Right? Rather than, Hmm, interesting. I have no idea.
 

I'll let you know in a couple weeks. Right? And sometimes you even have to have that conversation, but if you can minimize the time that you can do that. And, you know, clients like, or bosses, directors, whatever, they like to be in your chair, right? They like you to talk to 'em and say, okay, this is what I found out. 
 

And allow them to think that they ran the case because they're understanding it so seamlessly through your process, not only the [00:29:00] results, the process, explain the process to them. 'cause that allows them to have the proper expectations, um, with, you know. Current engagements rolling into a future conclusion or understanding how it took you this long, whether it was one minute or 10 months to run an investigation, they feel more, um, in control of the situation. 
 

Um, so yeah, anytime you can apply a process, you know, I think that's hugely advantageous. You know, when I was at different companies installing systems, I would say, okay. And to whatever company that's, that's asking me the question, I would say, okay, well it's more important. It, it's just as important as you laying down SOPs as it is to work those SOPs. 
 

So for instance, I'm in Florida. SOP is what, uh, standard operating procedure. Excuse me. So, so basically I'm in Florida, if you've got a fortune based company that's like, hey. We want to have an investigative team or we wanna build out an investigative [00:30:00] department, right? I'll say, I'll say, okay, I, I can do that for you, but.
 

Also, you wanna make sure that your guy or gal in London, or Thailand, or Australia or Los Angeles, right on the opposite coast of the States, knows how to deploy in that regard too. So if you've got a, I don't know, an insider threat prospect here in Florida, maybe I'll handle it. But if it's in LA, maybe it makes sense to have the LA investigator handle it.
 

Now we've got two different mindsets. We come from two different backgrounds. Doesn't matter what title we call ourselves, it's the same. We come with two different visions. So we wanna make sure that we engage upon the same situation from different geographies and different mindsets in the same regard. 
 

One, right? They, they talk, uh, one voice, right? One company, one voice, right? And then with that, by installing those, those SOPs as a system and not just put Chris in Florida, put. Whatever [00:31:00] John Smith in, in, uh, Los Angeles, they'll run investigations. Well, hold on. You wanna invent a system so Chris knows what John's gonna do. 
 

John knows what Chris is gonna do, and it also bolsters the value because it's teachable, right? So the idea is that you're gonna grow the division. You could grow the division, um, and anything that you do, anything that Chris or John does on both coasts. Can be taught to new people coming on board, right? 
 

Whether it's a new person, fresh to investigations or someone that has 20 years experience of investigations on the private sector or public sector, whatever it may be. Because when we come into the doorstep, when we, when we come into the, the building of the corporation as employees, none of our past matters. 
 

Our past got us here, right? But I can't do investigations. From this company's, from my experience with this company, I have to do it with the expectations of my current employer. So it's really advantageous for us to kind of sing from the same song book [00:32:00] within our investigative division. Also, in addition to all of that, it can help the company, uh, avoid liability. 
 

So for instance. If I'm in Florida, John's in, in Los Angeles, right? I think I said his name was John. Um, you know, and we engage on a situation, let's say it's a supply chain issue. Let's say that a, um, some bad actor infiltrated the supply chain and stole, I don't know, a truckload of widgets, right? Um, in Florida. 
 

Or at least within my scope, maybe we'll separate at the Mississippi East and West. Um, and, um, you know, I'll engage on it. I'll roll out a, an investigative agenda, A through Z, find the culprit, flag it over to my team and my head and law enforcement done deal, end of story. Now that similar situation arises in Los Angeles, or at least within John's scope, and John does something like. 
 

Rolls an investigative agenda A through M, roughly [00:33:00] halfway. Right. And has a lot of conjecture in that. I think it's this person. We talked about old habits dying hard, right? I think it's this person. Here you go. I'm pretty sure it's him. Well, hold on now, wait a minute. You know, with, with the world that we live in these days, if I develop a suspect that's of a certain race and ethnicity.
 

John develops a certain suspect that has a different race and ethnicity. You could paint a picture. A lawyer can paint a picture saying Your whole system is biased because you went full throttle on my client, but this person only went halfway. Why did you drill down in onto this or flip it, John, why did you stop there and just say it's this person? 
 

Typically your people, Chris investigators, they go A through Z. Why'd you stop at M? How do you know it's my client here? Right. Are you profiling him? So it can really help the companies negate liability inside the courthouse. So there's [00:34:00] so many different pieces of, of, of value within installing systems.
 

It's great to know the, the, uh, the world of investigations, know the methodology, know the tools, and engage sweet stuff. But you have to do it from a system. You have to do it from system to be a. Um, consistent for your own purposes, install efficiencies because what gets measured gets, gets tweaked, right? 
 

Um, and then also teachable moments to the client or your director and so forth, and also teachable moments to those others. Onboarding, uh, in the same role. And then also negating liability as much as possible, right? You can't negate everything. Um, so it's really, really critical to have your mindset, Sean, of looking through things through a project-based mentality, installing processes as much as possible. 
 

Sean Martin: Uh, I I have a feeling I could talk for hours on this, um, because we don't have time in this one episode. Um, [00:35:00] let me go with this because. The, the liability piece, well, let me, let me go back a little bit more A to Z or A to M. In cybersecurity, there are frameworks and standards and, and regulations and, and all kinds of things to help guide those teams. 
 

And then if something bad happens in that world, they oftentimes bring in legal counsel to ensure that they have client. Uh, yeah, client, uh, privilege there. So is it similar in the investigative realm as well? Are there standard operating models that organizations can follow to your point so that they, they have that set and does legal get involved so that they, they can kind of manage things in that, that way as well? 
 

Chris Salgado: Sure. So the [00:36:00] short answer is yes. I mean, investigations is organic by nature, right? Even if you do just, I don't know, you do. Um. Uh, thefts, right? At a retail environment, you're still going to, I mean, your, your scope is threats. Your industry is retail. You're an investigator or asset protection person, whatever it may be, but you're still gonna engage on that investigation through an organic. 
 

Way, which is weird 'cause that's contrast to what I'm saying. I'm saying install processes, rigid systems, so you can go A, B, C, D and so forth like that. All the way to C. But hold on, Chris is talking about being organic. That's different, right? That's anti-rigid, right? That's anti-process kind of. You can make an argument that isn't, but, um, so how do they kind of benefit from one another? 
 

So how they do that is you have to have a system that you can kind of springboard from, right? You can [00:37:00] kind of jump from knowing that you have a strong foundation, but still nonetheless treating the issue at hand. Organically enough to respect all the different details inside of that scenario, not just the different names. 
 

'cause that's gonna change, that's obvious unless you've got a habitual offender. Right. Um, but you've got different intricacies that can intro, that can, um, introduce caveats that can throw off your system, whatever that might look like. It surely can depend, can be different on the different industries that are being serviced by this. 
 

So the short answer is, yeah, there's a system that companies can adopt on a routine basis to. Inject all that value that I talked about by having proven systems in there. Again, tweaking it to be better tomorrow than it is today. And, but there's also a need, a great need to maintain this kind of [00:38:00] fluid motion inside the investigation. 
 

Um, and how you describe that inside of your kind of SOP. Tack on being fluid tack on being organic. Kind of good luck with that. But you know, the idea is that you can teach investigations to people, teach them to follow the process, but look outside the margins of the situation to ingest all that other detail that might very well throw off. 
 

The SOP or just might call you to do another, to pull in another step and voila. From there you might be like, you know what? I didn't think of that when I wrote out the SOP six months earlier, or whatever it may be, two years earlier. This makes sense kind of on all of our investigations or a large majority of them. 
 

We're gonna inherit that into our SOP, structure it out, update it, and then teach the rest of the investigative team on how to do that. It's, it's about engaging today. But being better tomorrow. And that's what I try to tell people all the time, whether it's [00:39:00] corporates or corporations or individuals, is, you know, you've got a situation at hand here. 
 

Engage, do what you gotta do again, legal and ethically, right? Um, but answer the call for that, but. You know, don't let a, I, I forgot the terminology, how it really works, but don't let A, sorry, Sean. What is it? Don't let like a, a disaster go to waste or something like that. I'm really screwed this up. Yeah. So learn from the situation at hand so you can go ahead and, um, you know, engage on the situation at hand. 
 

But benefit from it. Allow your system to benefit from that potentially new piece of education. Um, and as far as like partnering with, um, legal, you know, that really through my experience, that really depends on the makeup of the company, how broad it is, how finite it is, and even if it's a big company, you know how, you know, how kind of pigeonhole some [00:40:00] divisions are, such as security investigations and stuff like that. 
 

So some. Some divisions, some investigators can kind of run their own ship, Hey, I got this budget. This is what I'm expected to do. But they're like, here, here's some money. You engage in our problems for us. I'm ordering it down, but that's, you know, basically what it can be versus another one where it might be so tight with processes or, um, uh, kind of, I don't wanna say micromanaging, but making sure that I. 
 

Things are in order in the, at the institution or the corporation, whatever it may be, um, where you have to check everything with legal or department head or maybe HR to make sure that you're treating employees fairly, whether it's a contractor or a real employee. Um, because there's certain things that you wanna do. 
 

There's certain things that you don't wanna do when you're in. You know, kind of in-House investigator with a corporation and HR can help guide your hand with that and certainly so can legal. So it really depends on the makeup [00:41:00] of the company, what their kind of vision is for that, um, that cyber Investigations division. 
 

Um, but yeah, sometimes they can partner up and benefit from that kind of value, those perspectives, and you can tweak your system to answer the call for that. And again, help. Your company, your employer, your client, whatever it may be, with really staying up a robust system as much as possible and forecasting as many problems as possible, not gonna forecast everything. 
 

Um, and then stand up a system that is most rigid and, um, uh, promising to really answer that call.  
 

Sean Martin: I love it. And in, in the spirit, uh, we're coming up on time here, so I'm gonna get this, this last. Question in, in the spirit of being better tomorrow. There, there are things we need to be prepared for and of, of course, I think we went all, we went this entire time without mentioning the two-letter, uh, thing that everybody talks [00:42:00] about, but it's a reality. 
 

Um, I'll, I'll lead it in with. Misinformation and disinformation. Um, more of that coming, I presume. What other things might we expect that can impact the, the cyber investigator role and, and the tools and the methodology perhaps?  
 

Chris Salgado: So, you know, a AI is, is critical a. It's a critical topic. I'll say. I won't go so far as to say it's critical to ingest in your, your method. 
 

I, I've got so opinions may vary, right? Skynet, here we come. Right. Um, so. So there's something to be said about incorporating AI into your skill set or your tools as a cyber investigator. And honestly, we've been using AI for years, just didn't really know it a lot of times because that wasn't the focus of it. 
 

Oh, I just go to this website. It pumps out information. Well, it technically, that's machine learning, that's AI. Right. So we're just [00:43:00] kind of being aware of it. A lot of us are becoming aware of it because it's on mainstream radio. It's on mainstream television. It's everywhere, right? Oh, wow. AI. Yeah. Actually, you've been using AI for a long time now.
 

Where there's a benefit, there's a disadvantage. Right? So our, the good and the bad is that we are going to continue to be busy with what you and I do because there's bad actors out there. And when you find something interesting, when you make money from something, when you, um, showcase something that is a benefit to society. 
 

You're gonna have people that put a spin on that negatively. So you're gonna have people that encapsulate AI and regenerate it or tweak it into this intense evil entity that can engage on Chris and his family and his past and all this stuff. I mean, you've got, you know, Chat, uh, ChatGPT, you've got FraudGPT now, right.
 

You had, um, and you still do [00:44:00] DAN, Do Anything Now, right? As an AI service, I mean. Really, whatever's out there that can make coin, um, you know, bad actors are going to find a way to reinvent that for their purposes. Usually it's equating to money or intelligence, money, power, right? Which ultimately leads to money.
 

Um, and that's, that's. That's really disappointing. Um, I would love to not have job security and do something else because we ran out of people to engage. Right? Um, I would love to do that. Um, but that's not gonna happen anytime soon. It's only gonna get worse. We're gonna see more and more. Pointed attacks that are super refined by these bad actors engaging us. 
 

In addition to that, and I think more so not spoken about is these companies and you know, my company, uh, you know, whatever other company, fortune based companies out [00:45:00] there. When they utilize AI, you know, they utilize ChatGPT or whatever it is to, I don't know, develop a logo for the marketing arm, right? A new logo for the company or your graphics company.
 

And you wanna benefit from using AI for your clients when you've got, um, legal, you know, writing contracts. Maybe they'll reach out to ChatGPT. This sounds like, no, no one's gonna do that, Chris, but Sean. People do that. People do that, and then when you're doing it as an investigator, you're incorporating that powerful technology for a win for yourself, whether it's a company or you as a vendor, but you're giving a third party proprietary information.
 

You're giving a third party confidential information, or at an absolute minimum you're giving a third party. Information about yourself, right? Or your agenda, your methodology, whatever it is. You [00:46:00] leave the names out, phone numbers and stuff like that, you're still giving information out. Believe me, I springboard from nothing into something. 
 

I know it's, I'm talking about as far as leaning in on that. So people have to, and companies have to have that at the um, at the foresight. Because they're like quick to say, okay, marketing or whatever division it is, investigation, security, whatever it may be, let's utilize this AI tool, and it's purposeful and it's well intended. 
 

But it can be turned against you. I think 2024 and onward, we're gonna see more data leaks, and this is speculation is my opinion. We might see more data leaks from AI kind of platforms, from AI tools, and they're learning, and then we're gonna see what they're learning from and maybe depending on what information was fed to them.
 

Maybe you'll have your confidential investigation on the deep web or the dark web or the surface web. You know, I mean [00:47:00] it is, so you have to be careful with that, and that's, that's talking about problems that can exist when you utilize a vetted AI program. We're taking that for granted. There's still another problem we haven't talked about. 
 

There's people that try to use ChatGPT or some other AI component. They try to download on their phone. Bad actors, they mimic that stuff, so they do a good job of making you believe that you're going to whatever AI.com is, right? They'll develop a watering hole and direct your traffic to it. You plug in all your information, you hit the download button, you install that executable file, you're like, Hey, I'm, I'm rocking and rolling here.
 

But you're feeding that information. And if it's a good, bad actor, if it's, which is weird, if it's a skilled, bad actor, I'll say, um, they're not gonna say a damn thing. They're gonna let you plug away. They're gonna get all your information that you're plugging into. They're gonna act [00:48:00] as a Trojan horse, ingest all of your information, and then they're gonna show their colors. 
 

They're not going to lock your system down into ransomware, although that's an attack too. But they'll go ahead and ingest all the information possible. 'cause guess what? They don't just care about your engagement to that program that they built, right? Or rent it out. Ransomware as a service, software as a service, whatever it may be. 
 

Um, hacker as a service, right. Um. They want just as much information as possible. We talked about in the beginning that I like to do that as an investigator. Open up this wide net, pull it in. I ascertain this and understand what's relevant. They wanna do the same thing. They want to capitalize on their ROI to make it from $500 to a $10 million heist.
 

Whatever it may be. So you have those two really detrimental problems that are living in our age these days, and it's really critical because companies are just kind of taking it for granted that, you know what, [00:49:00] if I use ai, I'm gonna benefit from it. You could. You can also inherit a problem that is more nightmarish than the ones that you had before. 
 

The AI kind of evil, right? Now, I'm not saying AI is bad, I'm not saying ChatGPT is bad. I'm just saying these are the considerations that you have to have before you tell your division, Hey, we're gonna start using AI before you tell your vendors you can use it. AI. It's okay. You just have to be in the know with those problems.
 

Once you understand them, you can say, okay, I'm good to go. I'm copacetic. I understand the risk. I'm gonna go with it. That's okay. That's your call. But you might look at that landscape and say, wow, this is heavy stuff. We're not gonna go this way. We're gonna pivot and go this way. And intelligence is key. 
 

Intelligence is valuable. You wanna make sure that you ingest that.  
 

Sean Martin: Yep. I love it. And, uh, I can feel my co-founder Marco pulling me off with the cane. I have, I have too many [00:50:00] questions in my head, so you're gonna have to come back. Chris, we're gonna have another chat. Sure. I have insider threat, I have whistleblowers. 
 

I have, I. Well, what, what kind of cases have you seen on ai? Uh, so much, much more. Maybe we'll have another chat in a few weeks and, uh, keep digging deeper. But I wanna thank you for, uh, joining me today. Certainly helped me accomplish my goal, which is to get people to think I'm, I'm thinking and hopefully the audience is as well. 
 

And of course, will, uh, any resources you think would be helpful. Uh, we'll include those in the show notes so people can continue reading and learning more. And, uh, yeah. Chris, thanks a million, man. Appreciate it.  
 

Chris Salgado: Yeah, I absolutely, I appreciate it. Thanks for having me. It's great talking to you, Sean, and I hope that, uh, I installed a little bit of value. 
 

Um, you know, I appreciate the time.  
 

Sean Martin: Yep. Absolutely. And thanks everybody for listening. I appreciate all of you and watching for those, uh, checking this out on YouTube. As I say, please subscribe and, uh, share with your friends and [00:51:00] enemies and, uh, we'll see you on the next one. Cheers.