Questions about working in Forensics.

Discussion of computer forensics employment and career issues.

Questions about working in Forensics.

Post Posted: Mon Mar 24, 2014 12:17 pm

Hello all,

My name is Jason and I will be graduating with an A.S. in Digital Forensics here soon. I am new to this forum. In my final course I am tasked with a short interview with people already in the field. If some of you would be so kind as to take a couple minutes to answer the questions, it would be greatly appreciated. If you could also leave your name and level of experience, that would be great.

Thanks in advance,
Jason Hall

Questions:
1. What tools do you use most often?

2. What credible resources such as publications, forums, societies or Internet groups would you suggest to a new graduate?

3. What is the most rewarding aspect of your job?

4. What personality traits and academic background are important for today’s digital forensics investigators?

5. Is it prudent to specialize in one or two tools/devices or be a “jack of all trades” investigator?  

jhall236
Newbie
 
 
  

Re: Questions about working in Forensics.

Post Posted: Mon Mar 24, 2014 12:50 pm

- jhall236

Questions:
1. What tools do you use most often?


It really depends on the type of work I'm doing. For digital analysis of Windows systems, TSK tools (mmls, fls, blkls now and again...), LogParser, Perl, and a lot of my own scripts/home-rolled tools and processes. Much of the analysis work I do involves determining when and how something happened, so timeline analysis is a great way for me to address the goals of my analysis.

- jhall236

2. What credible resources such as publications, forums, societies or Internet groups would you suggest to a new graduate?


None. My recommendation would be to start with whatever internal training you can get as part of your job...going to online resources is going to simply inundate you with information...one of the things I hear from folks is, "...there's so much to learn, I don't know where to start...".

If you don't have employment lined up, pick someplace to start, and focus there initially. So many folks, including seasoned professionals, seem to immediately go to the deep end and quickly get in over their heads. If you don't know what to focus on, seek out a mentor.

- jhall236

3. What is the most rewarding aspect of your job?


Finding stuff other folks haven't seen, or haven't admitted to seeing. Finding undeniable proof that a bad guy did what they were accused of (and denied), or finding undeniable proof that exonerates someone.

- jhall236

4. What personality traits and academic background are important for today’s digital forensics investigators?


I don't think that academic background plays a huge role, other than getting someone "in". Someone can be a history major and be innately curious and passionate about the work, and do a much better job (and have more fun doing it) than someone with a degree that applies more directly/appropriately to the work.

Something that many analysts seem to have great difficulty doing is putting their egos aside and asking for assistance. I've had analysts tell me that they'd rather "noodle" through something for 3 months or more, so that they could get it themselves, rather than ask for help. I've seen others spend more time than they needed to trying to figure something out when they could've simply asked.

Seek out trusted relationships in the field. No one of us knows everything, and the only way to learn is to explore and ask questions. Also, be prepared to give back...if you find something new, share it. Don't use excuses to hide. Sure, others may have seen it before...but more than likely, they haven't said anything either, so the majority of the field has little knowledge of it. You may have a new variant, which could be significant.

- jhall236

5. Is it prudent to specialize in one or two tools/devices or be a “jack of all trades” investigator?


Yes. There are a number of skills that one needs in this field, but it is also important to have a degree of specialization in an area that applies directly to what you're doing, such as knowing the ins and outs of a particular tool, device or data source.


HTH  

keydet89
Senior Member
 
 
  

Re: Questions about working in Forensics.

Post Posted: Mon Mar 24, 2014 9:37 pm

Thank you so much, I appreciate the feedback and the detail in which you answered the questions.

Thanks,
Jason  

jhall236
Newbie
 
 
  

Re: Questions about working in Forensics.

Post Posted: Tue Mar 25, 2014 9:55 am

- keydet89

..Finding undeniable proof that a bad guy did what they were accused of (and denied), or finding undeniable proof that exonerates someone.


Can this ever be 100% true? I think "beyond all reasonable doubt" is a more acceptable term. :)

Chris_Ed
Senior Member
 
 
  

Re: Questions about working in Forensics.

Post Posted: Tue Mar 25, 2014 1:02 pm

- Chris_Ed

Can this ever be 100% true? I think "beyond all reasonable doubt" is a more acceptable term. :)


It's a matter of semantics, really. From my perspective, neither "beyond all reasonable doubt" nor "undeniable proof" are absolute, and are synonymous.

Any thoughts on the content?  

keydet89
Senior Member
 
 
  

Re: Questions about working in Forensics.

Post Posted: Tue Mar 25, 2014 8:43 pm

Okay, I'm going to come at this from a different perspective. I'm relatively new to forensics but my background seems to be a good fit. I've been in low-level infosec for most of my career. A person might note that there are many similarities between an infosec red team member and a forensic examiner- the processes and the techniques are similar in many respects.

Questions:
1. What tools do you use most often?

Visual Studio, Neo Hex Editor, Google, Absolution (cuz it's my baby), file carvers, data recovery tools, any other software deemed useful, and various hardware "tools" required to do work. Notable examples:

a) Forensic write blockers for USB and IDE
b) A portable ITX system with an exposed PCI slot for SCSI and Fiber Channel cards
c) Adapters, adapters, adapters... and some docking stations.
d) Paperwork! Checklists for each system and each form of media, verification forms, and other things to make sure each system is collected properly with care.
e) A high resolution camera capable of making videos as well as photographs. You'll want to photograph everything.
f) A safe for keeping media
g) A fast computer system with lots of ram and drive space. Hot swap drive bays a plus.
h) A computer repair kit for opening computers
... etc etc

You get the idea -- other forensic experts may also have phone forensics tools, or on device data extraction tools... All depending on their line of work. But in short, you'll need whatever tools that work for your area AND you'll want to construct the procedures you'll follow in advance before attempting anything.

2. What credible resources such as publications, forums, societies or Internet groups would you suggest to a new graduate?

I belong to ISACA which is taking an interest in forensics now. I'd love to read other people's answers.

3. What is the most rewarding aspect of your job?

I don't want rewards -- so let me rephrase the question. If you are asking about what motivates me, I believe someday computer forensics will help unite families of missing people faster and save lives; and that my contributions will help give people a life that would have otherwise been stolen from them. No rewards- just hoping that it happens.

4. What personality traits and academic background are important for today’s digital forensics investigators?

Based on what I've been so far: intelligent, curious, detailed, logical, open minded, "good bit" enabled, and a cast iron stomach (which I don't have, unfortunately.) Academically, get a master's degree or higher in order to be able to render expert opinion as testimony in court. It may be required to get a computer forensic certification as well.

5. Is it prudent to specialize in one or two tools/devices or be a “jack of all trades” investigator?

I don't know how anyone could be considered an expert witness with a knowledge of only one or two tools. All industries eventually standardize on putting low cost technicians on a device, so eventually this might be the way things become.

It's the "jack of all trades" that will always win here. Someone will need to direct the technicians anyway, and if you want a career out of this then that person is YOU. You need to learn how businesses work, how computers work at low levels, court procedures, accounting, tools, how to manage clients, etc. Lawyers are also highly educated jacks of all trades, so the more dynamic you can be with them, the better. What other way is there to phrase this except maybe be a leader.

Eric
_________________
Absolution - Open Source Forensics and eDiscovery project:

absolution.sourceforge.net/ 

datendrache
Newbie
 
 
  

Re: Questions about working in Forensics.

Post Posted: Wed Mar 26, 2014 9:55 pm

First off, I’d like to thank you both for answering my questions.
To the content (in order of post):
Keydet89,
I agree with your stance on tools, they should always be what will fit the job best rather than what is the most widely used commercial tool. This is, of course, provided that it can be proven that the tools are forensically sound.
On to the publications, this is not the first time I have heard this theory about publications. I am a big fan of mathematics, probably right after my love for forensics and technology, so I can completely see how it is akin to diving right in to particle physics without the math theories that come before it.
As far as background goes, you’re absolutely right. It does lay the groundwork for topics you’ll encounter, however passing is passing and the degrees look the same between a “C” average and an “A” average. It all has to come down to the individual but the individual on paper will always be first.
I have always tried to make sure that I learn a little of everything that comes my way, but being an “expert” in a certain thing or two, makes you valuable to anyone who sees that scenario come up.


Now in response to Eric,
I have used a lot of tools in the categories you mention, and I certainly have my favorites for each, especially Visual Studio. Paperwork and documentation is something I see a lot of students disregarding, but is probably the most critical thing you can have as an investigator. I couldn’t tell you how exactly I did something two weeks ago, but I know I can figure it out again in a few minutes but that would never hold up in court. That is just asking to become not credible as a witness.
I’ll have to see how ISACA’s forensics side pans out. I can see the importance of a society as far as being able to find someone who can do what I can’t. I am never too proud to ask for help, which as Keydet89 stated, a lot of people are. Well, maybe too stubborn at times.
I believe the question about rewarding aspects is still answered as it stands; the aspect is simply that whenever that happens, you’ll be a part of that. That someone could be saved because of your actions, your participation. That is the reward. At least that’s how I see it. My motivation is similar, righting just one wrong done to someone, as right as it can be anyway, is what I wish to accomplish. I am driven by knowledge and justice, and forensics definitely combines the two for me.
The final question, to answer it myself, should not be or but should be and. Like Keydet89 said, it’s both. I was not precise there. Broad knowledge is extremely important, but knowing the tools specific to the job you have intimately is just as much so. How different would your work be if you were only mildly acquainted with say, Absolution? I assume you are very, very well versed in that.

Again thank you both. I know that most people would not even take the time to answer one question. You both have been extremely helpful.

Thanks,
Jason  

jhall236
Newbie
 
 