Biography
J-Michael Roberts is a court-tested forensic examiner and expert witness who has testified in the matters that define the field: an international hacking and insider-trading conspiracy prosecuted in the District of Massachusetts (USA v. Klyushin), data-breach claims spanning multiple Linux servers in an international arbitration before the ICDR, and a Rhode Island federal case in which his analysis of multiple digital devices proved the willful destruction, manipulation, and forgery of evidence and false testimony, leading to summary judgment against the perpetrators. As a Senior Director at Law and Forensics and head of the firm's New York office, he brings findings that hold up under cross-examination in US District Court, state court, and international arbitration alike.
What sets J-Michael apart is the rare combination of a builder's instinct and an examiner's discipline. He created and still maintains VirusShare, one of the most widely used malware repositories in the security community, and built the Black Harrier Linux Distribution for forensic analysis. At Stroz Friedberg, where he rose to Vice President of Incident Response, he engineered specialized, rapidly deployable hardware that let his teams stand up a secure, portable forensic network inside a compromised client environment, enabling preservation, analysis, and remediation where remote access or endpoint detection and response was neither permitted nor practical. That engineering depth lets him not only examine evidence but interrogate the tools that produce it. In one mobile matter he identified a flaw in a commercial forensic tool whose antivirus engine failed to flag dormant ransomware, clearing an accused individual of viewing prohibited content.
His casework reaches the highest-stakes corners of digital conflict. He commanded incident-response teams investigating the state-sponsored theft of intellectual property at a credit-rating agency and the compromise of customer data at a multinational financial services firm, the latter leading to the arrest and prosecution of the intruders, and briefed executive leadership and US federal law enforcement throughout. He has assisted the Department of Justice in prosecuting the administrator of a dark-web marketplace on the Tor network, teamed with Microsoft's Digital Crimes Unit on the coordinated takedown of the Zeus and Citadel botnet command-and-control infrastructure, and traced the phishing and theft of more than $650M in cryptocurrency from a custodial wallet, proving the exchange had known of the same attack techniques for years, a finding that resulted in full restoration of the customer's funds.
J-Michael's path to forensics ran through architecture at the New Jersey Institute of Technology and more than a decade of senior systems and IT administration before he turned to malware reverse engineering and digital investigations, a foundation that informs how he reads systems under attack. He holds the GIAC Reverse-Engineering Malware (GREM) certification from the SANS Institute and the Certified Computer Examiner (CCE) credential from the International Society of Forensic Computer Examiners, and is a member of the ISFCE and the High Technology Crime Investigation Association. He also teaches what he practices, lecturing lawyers on digital forensics through the Legal Cyber Academy.
Notable Accomplishments
- Developed and continues to maintain the VirusShare malware repository.
- Developed and created portable and rapidly deployable digital forensic network environments for on-site analysis.
- Provided expert testimony in multiple high-profile legal cases.
Practice Areas
Digital Assets and Crypto Forensics
- Investigated the excessive access and unauthorized installation of cryptocurrency mining software by a technically adept malicious insider at a large regional bank.
- Performed forensic analysis and reporting related to the phishing of an individual and the theft of over $650M in cryptocurrency from the individual's custodial wallet held by an exchange. The analysis and research proved that the exchange had been aware, for at least two years, of the same tools, tactics, and techniques used in this phishing attack, which had affected several other customers, but had not implemented changes to prevent future thefts. As a result of the findings, the exchange fully restored the lost funds to the affected customer.
Digital Forensics Investigations
- Conducted forensic preservation and analysis in an international investigation, including reporting and remediation of improperly captured Wi-Fi network data across multiple countries.
- Provided forensic analysis and expert opinion in an arbitration between a major global incident response (IR) provider and a Managed Security Service Provider (MSSP) in which the IR provider was accused of having caused the breach. The analysis found that the root cause was the MSSP's default server configuration, which was insecure and exposed to the Internet when initially deployed, allowing an attacker to compromise the newly deployed system and gain access to the complete network, exonerating the IR provider.
- Led forensic analysis and report efforts pursuant to complaints made to the Federal Trade Commission (FTC) and Attorneys General that Internet-connected "smart" televisions were improperly collecting, transmitting, and storing sensitive user data and activity.
- Commanded an incident response team investigating the significant compromise and theft of customer information from a large, multinational financial services firm. Ultimately, this investigation enabled law enforcement to identify, arrest, and prosecute the intruders.
- Commanded the incident response team investigating the state-sponsored hacking and theft of intellectual property and material, non-public data at a notable credit rating agency. Provided regular briefings to executive management and US federal law enforcement.
- Performed forensic analysis to assist US federal law enforcement with a state-sponsored industrial espionage investigation in the chemical manufacturing sector.
- Performed forensic preservation and analysis to support the investigation of state-sponsored industrial espionage of medical device technology.
- Spearheaded forensic analysis and code review in a matter involving a system misconfiguration that exposed patients' personal health information in multiple regional medical facilities, spanning several years.
- Supplemented the digital investigations team of a large social media platform to assist with platform enforcement, investigation, and litigation matters.
Expert Witness Testimony
- Provided written testimony in US District Court regarding the forensic analysis and findings for multiple digital devices, proving willful destruction, manipulation, and forgery of evidence and false testimony, which led to summary judgments against the perpetrators. The United States District Court of Rhode Island, Atalian US New England, LLC v. Navarro et al. (Case No. 1:20-cv-00133-JJM-LDA)
- Provided expert testimony in a criminal matter involving international hacking and insider trading conspiracy. February 2023. The United States District Court of Massachusetts, USA v. Klyushin et al. (Case No. 1:21-cr-10104-PBS)
- Provided declaration and expert testimony in an international arbitration regarding data breaches involving multiple Linux servers. 2021-2022. International Centre for Dispute Resolution. (ICDR Case No. 01-18-0004-1446)
- Provided a written declaration addressing multiple allegations of hacking in a civil litigation. September 2022. The Circuit Court of the 11th Judicial Circuit in and for Miami-Dade County, Florida, International Commercial Arbitration Court, Turchrome Krom Madencili Sanay Ve Dis Ticaret Limited Sirketi Turkey v. Cevik et al. (Case No. 2019-9205-CA-47)
- Provided a declaration regarding the analysis and validation of network captures related to accusations of click-fraud against an online advertising network. August 2016. The United States District Court for the Central District of California, Western Division. Criteo S.A v. Steel House, Inc. (Case No. 2:16-cv-4207-SVR-MRW)
Incident Response
- Leads rapid and effective incident response to breaches, developing comprehensive plans for a range of threats, with strong leadership and coordination skills in crisis situations.
- Coordinates teams effectively during cybersecurity incidents, ensuring swift operational recovery.
- Led an incident response investigation in which a cyberattack and the destruction of data were directly impacting a multinational automotive parts manufacturer's business operations. Through data recovery, forensic analysis, and open source intelligence, proved the perpetrator was a disgruntled former technology-support employee attacking the company via the company's remote access software from his residence.
- Commanded efforts to investigate the state-sponsored compromise of an international non-profit activism organization's network through the on-site and remote analysis of their geographically distributed environment. Consulted with the organization's technology partners to assist in the planning and execution of rapid containment, remediation, and continued monitoring efforts while minimizing the impact on global business operations.
Mobile Forensics
- Conducted forensic analysis, testing, and code review pursuant to an FTC inquiry of an alleged vulnerability of a mobile application to determine if personally identifiable information and other sensitive data was being improperly collected, stored, and transmitted.
- Performed mobile device and mobile malware reverse engineering in a matter where an individual was accused of downloading and viewing prohibited content on the mobile device. Proved the prohibited content was contained within dormant ransomware-type malware that was not opened or viewed by the accused, leading to a favorable outcome for the accused. This matter also identified process issues affecting a mobile forensics analysis tool that led to the failure of the tool's antivirus engine to identify the malicious nature of the malware.
Network and Server Forensics
- Forensically preserved and examined many Synology and QNAP branded network-attached storage (NAS) devices in response to inquiries into unauthorized access and misuse of resources, and to provide data recovery.
- Performed forensic analysis of a Linux server to assist the US Department of Justice with the prosecution of an individual who created and administered a dark-web marketplace on the Tor network.
- Teamed with Microsoft's Digital Crimes Unit, in coordination with law enforcement, to perform forensic collections and capture network traffic as part of the coordinated seizure and take-down of command and control servers for the Zeus and Citadel botnets.
- Supplemented a central bank's national incident response team with the investigation of server intrusions made by an international hacktivist group through the exploitation of a system vulnerability. Determined the scope and breadth of the systems affected, the initial vector of compromise, malware utilized, and the scope of exposure of personally identifiable information and other confidential information.
Reverse Engineering
- Led the investigation and analysis of a malware outbreak affecting the production lines of a smart-appliance manufacturing facility.
- Reverse-engineered the digital audio format from a legacy PBX system and developed a repeatable process to recover and efficiently convert thousands of recordings to a readily playable format to support e-discovery efforts pursuant to litigation.
Professional Credentials
Certifications
- GIAC Reverse-Engineering Malware (GREM), SANS Institute, 2016
- Certified Hadoop Administrator, Cloudera, 2009
- Certified Computer Examiner (CCE), International Society of Forensic Computer Examiners (ISFCE), 2008
Projects
- Black Harrier Linux Distribution (2012)
- VirusShare (2011)
- Network Equipment and Support Tools (N.E.S.T) (2015)
- CleanSlate (2014)
Lectures and Presentations
- Cracking the (Digital) Case: Digital Forensics for Lawyers, Legal Cyber Academy (October 2023)
Memberships
- Member, International Society of Forensic Computer Examiners (ISFCE)
- Member, High Technology Crime Investigation Association (HTCIA)
Background and Education
- Corvus Forensics: Principal Consultant (2018 – Present, Brooklyn, NY)
- VirusShare Malware Repository: Creator and Malware Zookeeper (2011 – Present)
- Stroz Friedberg, An Aon Company: Vice President, Incident Response (2011 – 2018, New York, NY)
- Collective Media: Information Technology Manager / Lead System Administrator (2007 – 2011, New York, NY)
- New York University: Technology Consultant (2007, New York, NY)
- Insurance Archaeology Group: Information Technology Manager (2006 – 2007, New York, NY)
- Highland Associates: Senior System Administrator (1999 – 2006, New York, NY)
- New Jersey Institute of Technology: Architecture (1991 – 1996)