General Biography

J-Michael Roberts is a highly experienced Forensic Examiner, Expert Consultant, and Expert Witness. J-Michael currently serves as a Senior Director at Law and Forensics and as the head of its New York office. His expertise lies in digital forensics, incident response, and malware reverse engineering. J-Michael has a distinguished history of providing expert testimony and forensic analysis in various legal contexts, including US District Court, State Superior Court, and international arbitrations. His contributions are significant, particularly in cases involving state-sponsored data breaches, hacking, digital fraud, and insider trading conspiracies.

Beginning his journey studying architecture at New Jersey Institute of Technology, J-Michael pivoted through information technology and server administration to cybersecurity, exemplifying a lifelong commitment to learning and adaptation. Previously, he held various roles at Stroz Friedberg, eventually becoming Vice President, where he led digital forensics and incident response teams through high-profile investigations and provided invaluable expert opinions. J-Michael’s educational background is in architecture from the New Jersey Institute of Technology, supplemented by several professional certifications and extensive training in digital forensics and cybercrime response. 

Notably, J-Michael’s contributions extend beyond his professional roles. He developed the VirusShare malware repository and the Black Harrier Linux Distribution for forensic analysis, both pivotal tools in the cybersecurity realm. During his time with Stroz Friedberg, he developed specialized hardware to enable teams to rapidly and securely stand up a portable forensic analysis network inside of a compromised client network, allowing for rapid preservation, analysis, and remediation within client environments where remote access or endpoint detection and response (EDR) was not permitted or practical, showcasing his innovative approach to tackling digital security challenges.

J-Michael holds prestigious certifications including Certified Computer Examiner (CCE), earned through the International Society of Forensic Computer Examiners (ISFCE), and the GIAC Reverse-Engineering Malware (GREM) certification from the SANS Institute, affirming his expertise in the ever-evolving cybersecurity domain. His professional affiliations with bodies like the ISFCE, the High Technology Crime Investigation Association (HTCIA), and the SANS Institute reflect his commitment to staying at the forefront of digital forensics.

Notable Accomplishments

  • Developed and continues to maintain the VirusShare malware repository.
  • Developed and created portable and rapidly deployable digital forensic network environments for on-site analysis.
  • Provided expert testimony in multiple high-profile legal cases.

Practice Areas

Digital Assets and Crypto Forensics

  • Investigated the excessive access and unauthorized installation of cryptocurrency mining software by a technically adept malicious insider at a large regional bank. 
  • Performed forensic analysis and reporting related to the phishing of an individual and the theft of over $650M in cryptocurrency from the individual’s custodial wallet held by an exchange. The analysis and research proved that, for at least two years, the exchange had been aware of the same tools, tactics, and techniques used in this phishing attack, which had affected several other customers, but had not implemented changes to prevent future thefts. As a result of the findings, the exchange fully restored the lost funds to the affected customer.

Digital Forensics Investigations

  • Conducted forensic preservation and analysis in an international investigation, including reporting and remediation of improperly captured Wi-Fi network data across multiple countries. 
  • Provided forensic analysis and expert opinion in an arbitration between a major global incident response (IR) provider and a Managed Security Service Provider (MSSP) in which the IR provider was accused of having caused the breach. The analysis found that the root cause was the MSSP’s default server configuration, which at initial deployment was insecure and exposed to the Internet, allowing an attacker to compromise the newly deployed system and gain access to the complete network, thereby exonerating the IR provider.
  • Led forensic analysis and report efforts pursuant to complaints made to the Federal Trade Commission (FTC) and Attorneys General that Internet-connected “smart” televisions were improperly collecting, transmitting, and storing sensitive user data and activity. 
  • Commanded an incident response team investigating the significant compromise and theft of customer information from a large, multinational financial services firm. Ultimately, this investigation enabled law enforcement to identify, arrest, and prosecute the intruders. 
  • Commanded the incident response team investigating the state-sponsored hacking and theft of intellectual property and material, non-public data at a notable credit rating agency. Provided regular briefings to executive management and US federal law enforcement. 
  • Performed forensic analysis to assist US federal law enforcement with a state-sponsored industrial espionage investigation in the chemical manufacturing sector. 
  • Performed forensic preservation and analysis to support the investigation of state-sponsored industrial espionage of medical device technology. 
  • Spearheaded forensic analysis and code review in a matter involving a system misconfiguration that exposed patients’ personal health information in multiple regional medical facilities, spanning several years. 
  • Supplemented the digital investigations team of a large social media platform to assist with platform enforcement, investigation, and litigation matters.

Expert Witness Testimony

  • Provided written testimony in US District Court regarding the forensic analysis and findings for multiple digital devices, proving willful destruction, manipulation, and forgery of evidence, as well as false testimony, which led to summary judgments against the perpetrators. The United States District Court of Rhode Island, Atalian US New England, LLC v. Navarro et al. (Case No. 1:20-cv-00133-JJM-LDA)
  • Provided expert testimony in a criminal matter involving an international hacking and insider trading conspiracy. February 2023. The United States District Court of Massachusetts, USA v. Klyushin et al. (Case No. 1:21-cr-10104-PBS)
  • Provided declaration and expert testimony in an international arbitration regarding data breaches involving multiple Linux servers. 2021-2022. International Centre for Dispute Resolution. (ICDR Case No. 01-18-0004-1446)
  • Provided a written declaration addressing multiple allegations of hacking in a civil litigation. September 2022. The Circuit Court of the 11th Judicial Circuit in and for Miami-Dade County, Florida, International Commercial Arbitration Court, Turchrome Krom Madencili Sanay Ve Dis Ticaret Limited Sirketi Turkey v. Cevik et al. (Case No. 2019-9205-CA-47)
  • Provided a declaration regarding the analysis and validation of network captures related to accusations of click-fraud against an online advertising network. August 2016. The United States District Court for the Central District of California, Western Division. Criteo S.A v. Steel House, Inc. (Case No. 2:16-cv-4207-SVR-MRW)

Incident Response

  • Leads rapid and effective incident response to breaches, developing comprehensive plans for a range of threats, with strong leadership and coordination skills in crisis situations.
  • Coordinates teams effectively during cybersecurity incidents, ensuring swift operational recovery.
  • Led an incident response investigation where a cyberattack and the destruction of data were directly impacting a multinational automotive parts manufacturer’s business operations. Through data recovery, forensic analysis, and open source intelligence, proved that the perpetrator was a disgruntled former technology-support employee attacking the company from his residence via the company’s remote access software.
  • Commanded efforts to investigate the state-sponsored compromise of an international non-profit activism organization’s network through the on-site and remote analysis of their geographically distributed environment. Consulted with the organization’s technology partners to assist in the planning and execution of rapid containment, remediation, and continued monitoring efforts while minimizing the impact on global business operations. 

Mobile Forensics

  • Conducted forensic analysis, testing, and code review pursuant to an FTC inquiry of an alleged vulnerability of a mobile application to determine if personally identifiable information and other sensitive data was being improperly collected, stored, and transmitted. 
  • Performed mobile device and mobile malware reverse engineering in a matter where an individual was accused of downloading and viewing prohibited content on the mobile device. Proved the prohibited content was contained within dormant ransomware-type malware that was not opened or viewed by the accused, leading to a favorable outcome for the accused. This matter also identified process issues affecting a mobile forensics analysis tool that led to the failure of the tool’s antivirus engine to identify the malicious nature of the malware. 

Network and Server Forensics

  • Forensically preserved and examined many Synology and QNAP branded network-attached storage (NAS) devices in response to inquiries into unauthorized access and misuse of resources, and to provide data recovery.
  • Performed forensic analysis of a Linux server to assist the US Department of Justice with the prosecution of an individual who created and administered a dark-web marketplace on the Tor network. 
  • Teamed with Microsoft’s Digital Crimes Unit, in coordination with law enforcement, to perform forensic collections and capture network traffic as part of the coordinated seizure and take-down of command and control servers for the Zeus and Citadel botnets. 
  • Supplemented a central bank’s national incident response team with the investigation of server intrusions made by an international hacktivist group through the exploitation of a system vulnerability. Determined the scope and breadth of the systems affected, the initial vector of compromise, malware utilized, and the scope of exposure of personally identifiable information and other confidential information. 

Reverse Engineering

  • Led the investigation and analysis of a malware outbreak affecting the production lines of a smart-appliance manufacturing facility. 
  • Reverse-engineered the digital audio format from a legacy PBX system and developed a repeatable process to recover and efficiently convert thousands of recordings to a readily playable format to support e-discovery efforts pursuant to litigation. 

Professional Credentials

Certifications 

  • GIAC Reverse-Engineering Malware (GREM), SANS Institute, 2016
  • Certified Hadoop Administrator, Cloudera, 2009
  • Certified Computer Examiner (CCE), International Society of Forensic Computer Examiners (ISFCE), 2008 

Projects

  • Black Harrier Linux Distribution (2012)
  • VirusShare (2011)
  • Network Equipment and Support Tools (N.E.S.T.) (2015)
  • CleanSlate (2014)

Lectures and Presentations

  • Cracking the (Digital) Case: Digital Forensics for Lawyers, Legal Cyber Academy (October 2023)

Memberships

  • Member, International Society of Forensic Computer Examiners (ISFCE)
  • Member, High Technology Crime Investigation Association (HTCIA)

Background and Education

  • Corvus Forensics: Principal Consultant (2018 – Present, Brooklyn, NY) 
  • VirusShare Malware Repository: Creator and Malware Zookeeper (2011 – Present)
  • Stroz Friedberg, An Aon Company: Vice President, Incident Response (2011 – 2018, New York, NY)
  • Collective Media: Information Technology Manager / Lead System Administrator (2007 – 2011, New York, NY) 
  • New York University: Technology Consultant (2007, New York, NY) 
  • Insurance Archaeology Group: Information Technology Manager (2006 – 2007, New York, NY) 
  • Highland Associates: Senior System Administrator (1999 – 2006, New York, NY) 
  • New Jersey Institute of Technology: Architecture (1991 – 1996)

Financial Services Company, Chief Risk Officer:

Law & Forensics’ guidance in board-level consulting has been transformative for our organization. Their expertise in integrating cybersecurity into our business strategy has not only enhanced our risk management but also improved our overall governance approach. Their team’s ability to explain complex cyber issues in a comprehensible manner has been invaluable.

Technology Startup, CEO:

The strategic advice from Law & Forensics on cybersecurity governance has been pivotal for our executive decision-making. Their team’s insights into emerging cyber threats and regulatory changes have helped us stay ahead of potential risks. Their contribution to our digital transformation journey has been outstanding.

Law Firm, Partner:

Law & Forensics’ digital forensics team played a crucial role in a high-stakes litigation case for us. Their detailed analysis and clear presentation of digital evidence were key in our success. Their professionalism and thoroughness set them apart.

Retail Corporation, Director of IT Security:

We turned to Law & Forensics for a complex internal investigation involving cybercrime. Their cutting-edge forensic techniques and meticulous attention to detail were impressive. The comprehensive forensic reports provided were critical in resolving our security issues.

Healthcare Organization, Chief Information Security Officer:

The cybersecurity audit and risk assessment provided by Law & Forensics were incredibly thorough. They helped us identify and address several critical vulnerabilities. Their recommendations have significantly enhanced our security posture.

Manufacturing Company, IT Manager:

Law & Forensics delivered an extensive cybersecurity assessment for our organization, aligning perfectly with industry standards. Their actionable insights have been instrumental in improving our cybersecurity defenses and compliance.

Law Firm, Senior Litigator:

In a complex cybersecurity legal case, the expert witness testimony provided by Law & Forensics was pivotal. Their ability to simplify technical evidence for the court was remarkable and influenced the case’s outcome positively.

Corporate Legal Department, General Counsel:

The expert testimony from Law & Forensics in a digital forensics dispute was invaluable. Their clear, concise, and unbiased presentation helped immensely in clarifying the technical aspects of the case for the jury.

Legal Services Provider, Head of Litigation Support:

Law & Forensics’ expertise in eDiscovery was evident in their handling of a large-scale project for us. Their strategic guidance on data management and technological solutions greatly enhanced our process efficiency and compliance.

Financial Institution, Director of Compliance:

The eDiscovery strategies developed by Law & Forensics were game-changers for our regulatory inquiries. Their ability to manage large volumes of data efficiently while reducing costs was exactly what we needed.

Telecommunications Company, Director of Cybersecurity:

During a major cybersecurity incident, Law & Forensics’ incident response team was exceptional. Their swift and effective management minimized the impact and expedited our recovery process.

Educational Institution, IT Security Head:

Law & Forensics provided expert leadership and coordination during a critical breach at our institution. Their tailored incident response plan and ability to work with various stakeholders were crucial in restoring our operations quickly.