Heather Mahalik Barnhart

To say that digital forensics is central to Heather Mahalik Barnhart's life is quite the understatement. Heather has worked on high-stress and high-profile cases, investigating everything from child exploitation, homicides to Osama Bin Laden's media. She has helped law enforcement, consulting firms, and the federal government extract and manually decode artifacts used in solving investigations around the world. Heather began working in digital forensics in 2002 and has been primarily focused on mobile forensics since 2010 - there's hardly a device or platform she hasn't researched or examined or a commercial tool she hasn't used.

More About Heather


These days Heather is the Senior Director of Community Engagement at Cellebrite. At the SANS Institute, Heather the DFIR Curriculum Lead, faculty fellow instructor, author, and the course lead for FOR585: Smartphone Forensic Analysis In-Depth. As if that isn't a full enough schedule, Heather also maintains www.smarterforensics.com, where she blogs and hosts work from the digital forensics community. She is the co-author of Practical Mobile Forensics (1st -4th editions), currently a best seller from Pack't Publishing, and the technical editor for Learning Android Forensics from Pack't Publishing and SQLite Forensics by Paul Sanderson. Heather is featured in Women Know Cyber as one of the 100 fascination females fighting cybercrime.

Heather is passionate about digital forensics because she loves the challenge.. "This field moves so quickly. It is literally impossible to get bored," she says. "If you find yourself bored, branch into another realm of digital forensics. The possibilities are endless and so is the fun! I love digging for artifacts and solving the puzzle. I feel like I learn something new every day."

Heather particularly likes working on smartphone and third-party applications, a focus of her work. "I love cracking into and decoding apps that are supposed to be secure," she explains.

She cites her role as a SANS instructor as one of the most fulfilling achievements of her career. Heather loves it when students reach out to tell her that, thanks to her course and research, they put a criminal away for many years or exonerated the innocent. As she says: "Nothing compares to knowing that the effort you put into writing and maintaining a course makes the world a better and safer place. SANS gives me the opportunity to share that with others."

Heather's background in digital forensics and e-discovery covers smartphone, mobile device, and Windows and Mac forensics, including acquisition, analysis, advanced exploitation, vulnerability discovery, malware analysis, application reverse-engineering, and manual decoding, as well as instruction on mobile devices, smartphones, and computers covering Windows, Linux and Macintosh operating systems.

What's her favorite topic to teach from that impressive résumé? "Decrypting and decoding the unparsed data and writing SQL queries!" she says. "I spend a good chunk of my day job trying to crack into the tough stuff and help validate artifacts of interest of high-profile cases, and my experience naturally flows into the classroom."

Heather previously led the mobile device team for ManTech and Basis Technology, where she focused on mobile device exploitation in support of the federal government. She also worked as a forensic examiner at Stroz Friedberg and the U.S. State Department Computer Investigations and Forensics Lab, where she handled a number of high-profile cases. She has also developed and implemented forensic training programs for the U.S. military and standard operating procedures. Heather is a faculty member of the SANS Technology Institute, an NSA Center of Academic Excellence in Cyber Defense and multiple winner of the National Cyber League competition.

Outside of work, Heather puts her passions into being a wife, mom, cooking, reading, traveling, and drinking fine wine and bourbon.



The DIGital FORensics Series

How To Secure Remote Workers For The Long Haul: Protecting VPN, RDP, Webcams and Beyond

How Are Remote Workers Working? A SANS Poll

SANS Women in Cybersecurity Forum

Women in Cybersecurity: A SANS Survey Panel Discussion

Women in Cybersecurity: A SANS Survey

Skip this Webinar - It's just everything you need to know about smartphones

No tool fits all – Why Building a solid Toolbox Matters

iOS 11 isn't all fun and games. What we know so far and ways to handle unsupported data sets

A glimpse of the NEW FOR585 Advanced Smartphone Course

Phoning it in: Heather talks about smartphone forensics


RSA 2023


RSA 2022


RSA 2020

The 5 Most Dangerous New Attack Techniques and How to Counter Them, RSA 2020

Building a Pattern of Life – Leveraging Location and Health Data- SANS DFIR Summit 2022

They See Us Rollin’; They Hatin’: Forensics of iOS CarPlay and Android Auto - SANS DIFR Summit 2019

Breaking into DFIR

Using Apple "Bug Reporting" for Forensic Purposes

View all the Ask the Expert with Heather Mahalik here.

View Tip Tues with Heather Mahalik here.


Blueprint LIVE at SANSFIRE 2022


Carved From Unallocated

Cyber Security Interviews, Episode #080 - Heather Mahalik, Earn the Tool

Behind The Incident - Episode 8 Heather Mahalik

Security Weekly #478 - Heather Mahalik, SANS


ArtEx – Parses iOS extractions, backups, and connected devices. This is an comprehensive tool that simplifies iOS forensics.

• Mush – Simple BPList viewer

iOS_sms_parser - Parses iOS messages and handles the 18 digit timestamps introduced in iOS 11. Will parse older iOS versions as long as iOS 11 was installed.

apple_cloud_notes_parser - Parser for Apple Notes data stored on the Cloud as seen on Apple handsets.

iLEAPP - iOS Logs, Events, And Preferences Parser

ALEAPP - Android Logs Events And Protobuf Parser

DFIR-SQL-Query-Repo - Collection of SQL query templates for digital forensics use by platform and application.

4n6-scripts - Forensic Scripts created by Adrien Leong.


Heather was named a Top 10 Influential Women Leader of 2023 by Mirror Review Magazine

Heather has received multiple Forensic 4:Cast awards for her DFIR work

Heather was named as a 2020 Key Influencer in DFIR by Pro Digital


You can read Heather's blog here.

Heather was featured on NewsNation with Chris Cuomo discussing the Gilgo Beach Murders.