Questions about intrusion analyst (DFIR) career

(@wellhowdy)
Posts: 1
New Member
Topic starter
 

I've worked in information security for 12 years, and I have the CISSP and SANS GCIH certifications. I've found that being a generalist puts one at great risk of being pushed into management, which is not for me.

I'm considering getting some training so I can get a job specializing in so-called DFIR (digital forensics and incident response). It looks like there is a growing job market for intrusion analysts these days. "Intrusion Analyst" may or may not be the right terminology here. Whatever you call it, I want to focus on "how the system got hacked". I've done plenty of post-mortem investigations into hacked systems, but, increasingly, it seems silly to me that proper forensic techniques, tools, and procedures, are missing from my, and many infosec people's skillsets.

My questions are

1. Would you agree that this is a growth area?

2. Are the major employers mostly just consultancies?

3. Is it realistic to think that, working in this branch of forensics, I would be unlikely to have to encounter CEM images?

4. Is this branch of forensics *also* 90% Microsoft Windows?

Thanks in advance!

 
Posted : 22/06/2014 12:38 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

My questions are

1. Would you agree that this is a growth area?

Yes.

2. Are the major employers mostly just consultancies?

Yep.

3. Is it realistic to think that, working in this branch of forensics, I would be unlikely to have to encounter CEM images?

I have no idea what "CEM images" refers to.

4. Is this branch of forensics *also* 90% Microsoft Windows?

Well, from my perspective, IR is not a branch of DF…it's more the other way around. IR encapsulates DF work. But yes, I would agree that this work is predominantly Windows-based. That's likely due to the volume of those systems out there.

 
Posted : 22/06/2014 3:38 pm
(@athulin)
Posts: 1156
Noble Member
 

3. Is it realistic to think that, working in this branch of forensics, I would be unlikely to have to encounter CEM images?

Haven't encountered that abbreviation. I'm assuming something related to child exploitation.

I have been involved with sufficiently many instances of employee misbehaviour to know that company equipment is used/misappropriated for just about any purpose imaginable. If that involves CEM, you (as investigator) are probably the person most likely to encounter it of those involved with the incident investigation.

However, I never had to do any investigations where that particular stuff turned up myself, though I've had some where there was considerable fear of it, and usually where an IS or IT manager needed to be able to show that they had acted responsibly to such fears.

You'll run into a lot of fear of worst case situations, some of which involve CEM. And one day the worst case will be real. Prepare for it – check frequency of local cases in relation to number of city inhabitants, or something on those lines, to get an idea of probability. But if you don't want it ever to become real … prepare for that situation instead.

 
Posted : 22/06/2014 10:51 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I had the impression (possibly wrong) that as soon as a NLEITE (Non Law Enforcement Information Technology Expert, an acronym I just put together for the fun of it wink ) finds *any* evidence of any CP (or IIOC) see
http://www.forensicfocus.com/Forums/viewtopic/p=6561830/#6561830
should simply stop immediately whatever he/she is doing and call the Police or whatever Government Agency is designated by local Laws to deal with the matter, at least in most countries. ?

jaclaz

 
Posted : 22/06/2014 11:08 pm