Advanced forensics concepts


sgware
Member
 

Re: Advanced forensics concepts

Posted: Oct 29, 13 22:36

I am hesitant to jump into this as I classify myself, based on this thread, as intermediate. I hope to be an expert at some point. I think time and experience with a variety of situations and challenges will be required for me to hit the "expert" mark.

I am not going to drop names, but there are a few experts, in my estimation, in this forum although they will say they aren't. That's fine as well. If we are learning from them and advancing our skill set based on their tutelage, then, I have no problem hanging that label on them.

But, isn't expert relative? A person just entering the field might consider me an expert because I managed to obtain a degree and a cert. Although I most certainly am not, imo.

This is how I would rank knowledge in terms of beginning, intermediate, and expert;

1. Beginner. Starting to understand and learn the basics of digital forensics. This includes (not exhaustive) identification, preservation, acquisition, analysis and reporting. Also includes, in the US, knowledge about Federal Rules of Evidence, what is an expert witness, chain of custody, basic forensic science (Locard's exchange principle), file system forensics, basic network forensics, knowledge of operating systems, and skills to analyze data such as binary math, hexadecimal math, and basics of how storage devices work as well as all the basic tools needed to conduct the analysis. A good foundational knowledge of the criminal justice system.

2. Practicing the skills above while learning real life nuances and how to respond when the basics don't quite work the way they were taught in a classroom or cert program. This step requires a significant number of years in the field.

3. Expert. Self explanatory. To the beginners and intermediate examiners, you are a content expert. Someone who teaches, sets examples, has been there and done that with difficult circumstances, network acquisitions/investigations, investigating across borders/jurisdictions.

Most importantly, there are no (imo) clear ranks of knowledge. I think we are always in transition from one to the other depending on how much time we spend keeping caught up.
_________________
Scott Ware
MSDF, CFCE 
 
  

jhup
Senior Member
 

Re: Advanced forensics concepts

Posted: Oct 30, 13 00:00

I want to make it clear that I am not attempting to classify individual persons' qualification or expertise.

I am interested in what is and is not considered by a digital forensics practitioner as "advanced forensics concept" today.  
 
  

jaclaz
Senior Member
 

Re: Advanced forensics concepts

Posted: Oct 30, 13 00:07

I will risk :shock: to introduce the concept that while seniority is often (actually almost always) a requisite for experience, seniority in itself ONLY means seniority and not necessarily ALSO experience.

I mean that while it is obvious that someone dealing in the matter for a few months cannot even think of "competing" with someone that has worked in the field for years, the usual "been there and done that", but it is not so straightforward that "Listen, son, I have worked in this field since before you were born" actually means "experience" in the "better" sense I attribute to the word.

But to me at least the concept of experience is about having learned from experience and project these learnings (and adapt them) on new cases, findings etc.

Equations (VERY rough):
seniority+continuous will/drive to learn and experiment=expert
seniority=seniority
first job or recent job+continuous will/drive to learn and experiment=intermediate
first job or recent job="nothing" as below, possibly evolving into "trained monkey"
college+continuous will/drive to learn and experiment=beginner*
college=college (nothing but a lot of talk and a badge ;) )

*in theory

But here we are not talking of expert vs. intermediate vs. beginner (as people), we are talking about the topics, we could draw a line saying that anything that is known, documented and taught in college is "basic", that anything that is fully documented and verified and part of an established procedure (or taught in the various post graduate or vendor courses) is "intermediate" and anything that is not obvious or a simple derivative of known approaches, procedures and documented (and verified) theories is "advanced".

Then maybe we could change the term from "advanced" to "innovative" or anyway use this latter as a synonym.


jaclaz

P.S.: Ooops, cross-posting with Jhup
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

sgware
Member
 

Re: Advanced forensics concepts

Posted: Oct 30, 13 01:07

Isn't "advanced" or "intermediate" really dependent on the aptitude, drive, and experience required to master the topic? That is where I was going, albeit not clearly, in my post.
_________________
Scott Ware
MSDF, CFCE 
 
  

joachimm
Senior Member
 

Re: Advanced forensics concepts

Posted: Oct 30, 13 02:38

- jhup
Hope this bolsters my point.

jhup, thanks for the elaboration.

- jhup
It appears that you consider none as such.

You're interpreting me incorrectly here, saying that there are no different levels of expertise in digital forensics.

If you ask me to sum up in a couple of sentences what the basic qualifications a digital forensic analyst should have (at every level) are:

* an understanding of fundamental concepts of computer or digital systems
* understand the importance and aspects of data (facts)/evidence preservation
* understand the relevance of digital data (facts) in and outside their context
* understand the relevance of experimentation & validation of methodology and tooling
* critical thinker to interpret results

What you dubbed as "advanced" I think are the core fundamentals of digital forensics.

Most of these are "thinking skills" nothing to do with the digital realm. I guess most of the other forensics sciences, at least the ones I know of, is getting a full degree in that science e.g. psychology with additional training in forensic science and thus acquiring these thinking skills.

I've learned most about the thinking skills from non-computer science fields and it is these skills that help me in complex cases. Not those from my computer science education. But applying them both in cases is what I think makes one a digital forensic expert or not.

- jhup
We all start in the center (black area), with little knowledge.


So my point is not to teach people facts, about a certain technology, but teach them how to think for themselves. Think how to evaluate their findings, their hypothesis, their methods. IMO this is what forensic science is about. Not the in-and-outs about a file format, if that is information readily available then we should teach them to find it and how to use it. If it is not, we should teach them how to obtain it. Don't get me wrong here, the information about the file format is still very valuable but if I'm not working with e.g. PST why should I bother understanding the PST format in much detail. Now when I need to work with it, having this knowledge can be very useful.

- jhup
https://drive.google.com/file/d/0B0JkL5jnd0q4VjRUOV9xbEd3dTQ/edit?usp=sharing


You only define factual knowledge here. I can search on the Internet for those and become sufficiently knowledgeable about the subject in a day; only because I have an understanding of their fundamentals. The only term here forensic related is "Anti forensics".

- jhup
As time goes on, most of us become advanced in a specific sub-areas of our field.


So what? Does all this digital knowledge make me a digital forensic analyst? If I'm a programmer, network admin, systems admin, I'm also getting involved in these areas. And I'll also get more "advanced", a better term is "experienced", over time. But this does not make me a digital forensic analyst.

- jhup
No one is an expert, and advanced in all areas of digital forensics.


True, so what we need to teach people is fundamentals and thinking skills. So that if they are not sufficiently expert in one area, that they can get sufficiently up to speed. IMO the fundamentals don't change that much.

- jhup
I disagree. I believe there are forensics investigators that have the knowledge in basic concepts, intermediate concepts, and advanced concepts.


Let's start here: What are the basic concepts in your opinion that make someone a "digital" forensics investigator and not a system administrator for that matter?
 
  

joachimm
Senior Member
 

Re: Advanced forensics concepts

Posted: Oct 30, 13 02:58

- jhup
I am interested in what is and is not considered by a digital forensics practitioner as "advanced forensics concept" today.


As the discussion and other people have pointed out this will be very subjective ;)
 
  

jhup
Senior Member
 

Re: Advanced forensics concepts

Posted: Oct 30, 13 16:51

There is nothing wrong with subjective.

As we all know, with statistics, sufficient amount of subjective material becomes objective. :mrgreen:

- joachimm
- jhup
I am interested in what is and is not considered by a digital forensics practitioner as "advanced forensics concept" today.


As the discussion and other people have pointed out this will be very subjective ;)
 
 
