Heather Mahalik

To say that digital forensics is central to Heather Mahalik's life is quite the understatement. Heather has worked on high-stress and high-profile cases, investigating everything from child exploitation to Osama Bin Laden's media. She has helped law enforcement, eDiscovery firms, and the federal government extract and manually decode artifacts used in solving investigations around the world. Heather began working in digital forensics in 2002, and has been focused on mobile forensics since 2010 - there's hardly a device or platform she hasn't researched or examined or a commercial tool she hasn't used.

More About Heather


These days Heather is the Senior Director of Digital Intelligence at Cellebrite. At the SANS Institute, Heather is the DFIR Curriculum Lead, fellow instructor, author, and the course lead for FOR585: Smartphone Forensic Analysis In-Depth. As if that isn't a full enough schedule, Heather also maintains www.smarterforensics.com, where she blogs and hosts work from the digital forensics community. She is the co-author of Practical Mobile Forensics (1st and 2nd editions), currently a best seller from Packt Publishing, and the technical editor for Learning Android Forensics from Packt Publishing.

Heather is passionate about digital forensics because she loves always having to learn something new. "This field moves so quickly. It is literally impossible to get bored," she says. "If you find yourself bored, branch into another realm of digital forensics. The possibilities are endless and so is the fun! I love digging for artifacts and solving the puzzle."

Heather particularly likes working on mobile and third-party applications, a focus of her work. "I love cracking and hacking into apps that are supposed to be secure," she explains.

She cites her role as a SANS instructor as one of the most fulfilling achievements of her career. Heather loves it when students reach out to tell her that, thanks to her course, they put a criminal away for many years. As she says: "Nothing compares to knowing that the effort you put into writing and maintaining a course makes the world a better and safer place. SANS gives me the opportunity to share that with others."

Heather's background in digital forensics and e-discovery covers smartphone, mobile device, and Windows forensics, including acquisition, analysis, advanced exploitation, vulnerability discovery, malware analysis, application reverse-engineering, and manual decoding, as well as instruction on mobile devices, smartphones, and computers covering Windows, Linux and Macintosh operating systems.

What's her favorite topic to teach from that impressive résumé? "Decrypting and decoding the unparsed data!" she says. "I spend almost 90 percent of my day job trying to crack into the tough stuff, and my experience naturally flows into the classroom."

Heather previously led the mobile device team for Basis Technology, where she focused on mobile device exploitation in support of the federal government. She also worked as a forensic examiner at Stroz Friedberg and the U.S. State Department Computer Investigations and Forensics Lab, where she handled a number of high-profile cases. She has also developed and implemented forensic training programs and standard operating procedures.

Outside of work, Heather puts her passions into being a mom, cooking, reading, traveling, and drinking fine wine and bourbon.

Hear Heather talk about proper handling of devices in an investigation here:



How To Secure Remote Workers For The Long Haul: Protecting VPN, RDP, Webcams and Beyond

How Are Remote Workers Working? A SANS Poll

SANS Women in Cybersecurity Forum

Women in Cybersecurity: A SANS Survey Panel Discussion

Women in Cybersecurity: A SANS Survey

Skip this Webinar - It's just everything you need to know about smartphones

No tool fits all – Why Building a solid Toolbox Matters

iOS 11 isn't all fun and games. What we know so far and ways to handle unsupported data sets

A glimpse of the NEW FOR585 Advanced Smartphone Course

Phoning it in: Heather talks about smartphone forensics


The 5 Most Dangerous New Attack Techniques and How to Counter Them, RSA 2020

They See Us Rollin’; They Hatin’: Forensics of iOS CarPlay and Android Auto - SANS DFIR Summit 2019

Breaking into DFIR

Using Apple "Bug Reporting" for Forensic Purposes

View all the Ask the Expert with Heather Mahalik here.


Cyber Security Interviews, Episode #080 - Heather Mahalik, Earn the Tool

Behind The Incident - Episode 8 Heather Mahalik

Security Weekly #478 - Heather Mahalik, SANS


  • iOS_sms_parser - Parses iOS 11 messages and handles the 18-digit timestamps. Will parse older iOS versions as long as iOS 11 was installed.
  • apple_cloud_notes_parser - Parser for Apple Notes data stored on the Cloud as seen on Apple handsets
  • iLEAPP - iOS Logs, Events, And Preferences Parser
  • ALEAPP - Android Logs Events And Protobuf Parser
  • DFIR-SQL-Query-Repo - Collection of SQL query templates for digital forensics use by platform and application.
  • 4n6-scripts - Forensic Scripts


Heather was named as a 2020 Key Influencer in DFIR by Pro Digital 


You can read Heather's blog here.