XWays Forensics

  

clownboy
Member
 

Re: XWays Forensics

Posted: Aug 09, 10 06:58

I think the level of experience required depends a lot on the focus of your job and career search. If you are going for LE/Incident Response type positions, then yes, a greater level of experience is required prior to getting a job. But at the same time in the instance above I would place less emphasis on the forensic tool experience and more on the investigative experience.

In my industry, civil litigation mainly, there is a lot of room for those entry-level or "junior" positions. In fact many companies working in this industry could only do so with the help of entry-level or junior-level people. Most of what we do, 80% or better, is acquiring data and processing it out to EDD tools. It might not be as flashy as being a highly skilled forensic examiner but it can be a decent living and you can always move up when the opportunity presents itself.

As for tools, I think they are what you make of them. For those of us that are intent on working our way into the industry, free tools and training may be our only option. The FTK demo is only good for 5000 files; does that mean I cannot create an interesting project? One certification training program I have taken started with a floppy disk with 11 or so files on it. I believe the second part of the training was also below the 5000 file limit. Free or limited use tools can extend forensics training opportunities; that seems pretty useful.

Finally, I also did a disservice to free tool providers by forgetting TSK, SIFT and WinFE in my last posting and I am sorry.
 
  

armresl
Senior Member
 

Re: XWays Forensics

Posted: Aug 09, 10 07:34

Just me here, but IMHO I don't consider imaging hard drives and loading them up in EDD software computer forensic work, I think that is IT work, there is no investigation, no conclusions, no opinions. I also don't see a way to move up if the only task is imaging hard drives and loading them up. You would still lack the requisite knowledge to do anything else. If you started out working cases yes, but imaging drives, no.



_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 
 
  

ehuber
Senior Member
 

Re: XWays Forensics

Posted: Aug 09, 10 21:34

- sandy771
- MrWh1t3


Interview wise I think one would be better off learning FTK or EnCase, but XWays seems like a GREAT tool for the price.


What an odd thing to say. As someone who has been an interviewer in the past I would not really care whether you had used either of these packages - frankly you can pick up the basics in a day. I would however be very interested in what you know about file system fundamentals, the structure of the registry, metadata in Word files, what sort of information is left behind by P2P applications, how you would go about determining what is left behind for an app you had never seen...

It is not what you use but what you do with it. That you had gone out and spent your own money on EnCase would not impress one bit.


I have a concurring opinion with Paul on this one. What I look for in an examiner is the fundamental forensic skill set that an examiner has built up. One of the mistakes I see people make when, for example, they are setting up a digital forensic team is to start with the question asking what tools they should get for their team?

I get this question quite a bit and while I'm always happy to talk about tools and the like with my fellow examiners, it shouldn't be the first topic of consideration when starting up a team or hiring an examiner. The basis for building a team should be to meet customer requirements and those requirements are going to drive things like hiring decisions, process development and tool selection. Don't let the tools drive your processes or who you hire. You can always teach someone a tool, but it's harder to find people who are passionate and curious about what is going beyond the tools.

All that said, it certainly is an advantage for an applicant to be familiar with the tools that a team is already using. I'd rather not have to spend time and money teaching someone the tools, but if I'm using tools A + B primarily and I have a superstar candidate who is using tools A + C, I'll likely just make sure to get tool C (budget permitting) so my new superstar can continue on with his or her Kung Fu.

Okay, Paul. I owe you a beer. I think I just crafted the outline of a future blog post.  
 
  

PaulSanderson
Senior Member
 

Re: XWays Forensics

Posted: Aug 09, 10 23:09

- ehuber
Okay, Paul. I owe you a beer. I think I just crafted the outline of a future blog post.


Ah OK - I'll settle for a beer and stop my (only just started) blog post :)

We started yesterday immediately after posting my initial comment to this thread but not got past the first couple of paragraphs - too much programming and not enough time
_________________
Paul Sanderson
SQLite Forensics Book
www.amazon.com/SQLite-...entries*=0

Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 
 
  

seanmcl
Senior Member
 

Re: XWays Forensics

Posted: Aug 09, 10 23:19

- armresl
I don't believe there should be a junior or a senior forensic examiner. Either you know your material or you don't, and if you know your material then you will land a job, if you don't then it will show itself.


Actually, I disagree, somewhat. A "junior" examiner may have all of the operational knowledge that is required but I believe that there are factors that distinguish senior examiners as there are in many professions. Experience teaches you many things that you can neither learn nor teach.

To draw from my experiences in medicine, a physician who has been in practice longer is almost invariably more efficient than even the brightest of inexperienced practitioners. I mentioned some of the reasons in a recent Forensic Focus column but part of what comes with experience is judgement.

I see no difference in digital forensics, in fact, an attorney with whom I have worked and I noticed that a case we just finished was far more efficient and far less expensive than almost an identical case that we had a few years ago. In the more recent case, we were able to use the knowledge and experience that we had gained working on other cases to come up with a highly focused strategy for the current case that brought our clients results with far less overall effort than had been required in the past. In the process, we elected not to do things that might have been considered "standard practice" because we (correctly) believed that what we had done was compelling enough to win our case.

If you are involved in litigation, experience will also teach you how to deal with judges, juries and cross-examinations, something that is hard to learn except through experience. Learning how to read a judge or jury and how to adjust your testimony so that complex issues can be understood, simply, is part training, part innate ability and a good deal of experience.

So I do think that there is a difference between "junior" and "senior" examiners even if the names aren't, necessarily, descriptive.  
 
  

jaclaz
Senior Member
 

Re: XWays Forensics

Posted: Aug 10, 10 14:02

- seanmcl
Experience teaches you many things that you can neither learn nor teach.


- C.S.Lewis
Experience: that most brutal of teachers. But you learn, my God do you learn.


jaclaz  
 
