Using freeware tools to teach IR/CF

(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

If you are in college for CF then there is a strong chance that this will be the field that you will go into.

Pony up the money for the FTK class and for the software. You cannot go wrong with either, and with 2.0 inevitable, you will have a dongle upgrade for one year.

Add up the credit hours and some of the classes that end up being nothing more than time fillers with, as people have said, very little real-world application, and you will find that having the FTK class on your CV, as opposed to a certain college class, along with using the software and everything associated with it, will be far more worth your time.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

Hawkwind,

> (Perhaps you could write a book that is aimed at teaching Forensics skills
> with a list of the free tools available and how to use them)
> I'm sure a resource like this would be welcomed by a lot of lecturers…

Dude, that's pretty much what my new book is all about!! 😉

The DVD that accompanies my new book includes all of the Perl code I mention using in the book (Perl == free), as well as standalone EXE versions of all but a very few of the scripts. I also include sample files for folks to use, so you can be sitting on a plane or in the airport, and have all you need right there to play with, with no need for Internet access.

Give the book a shot, I'm sure you'll find it useful.

Harlan


cfprof
(@cfprof)
Trusted Member
Joined: 20 years ago
Posts: 80
 

Thanks to all who responded with suggestions. They are all excellent.

ddow hit the nail on the head. I came to this with a certain background (not network/security). We focus (maybe too much!) on LE and are trying to branch out more to the corporate setting.

There are far too many constraints to list here, but a few are time (one or two people trying to run an entire program), facilities (the lab we were promised is at least 1 year away), uncooperative IT people (you want me to install what?!), administrators who don't understand what we do, etc.

I know that everyone else deals with similar issues so there is no use in whining about it. I will take all of your advice and try to push forward through the barriers.

Again, thanks.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

cfprof,

I think you have an awesome opportunity here to be on the leading edge of a coming wave. Due to increases in sophistication of cybercrime, as well as challenges such as increased storage space and full-disk encryption, live response is going to be necessary…not having this in your toolkit is going to leave you unarmed. Law enforcement specifically needs to have people with this kind of training available.

It doesn't take a lot to get set up with what you need…

Good luck

H


(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

Increased storage doesn't mean that LR will be necessary; full disk encryption can come in several different flavors and, that being said, could render LR useless.

IMHO the community will stay in two factions, IR and CF. While some people will dabble in both, or be an expert in one and somewhat knowledgeable about the other, I could hardly say that it will be necessary.

This topic even breaks down the community more, because IR most of the time is going to be criminal, or at least could be considered criminal for prosecution purposes. Most civil cases people know will be coming; there will be a set time and place to show up where both sides will image and then go back to their caves and do the work. Size there won't matter, because you will have the appropriate equipment with you from the information which was previously given to you. Encryption is a you-get-it-or-you-don't situation. If someone goes to the trouble of encrypting their drive on the fly, then you will have serious problems. If the time and place for imaging was prearranged, then you will most likely be dealing with an already powered-down machine, so memory analysis is not an issue.


(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
 

I have created disk images to use in training, and it is tedious work, particularly in making a complete image that will seem real for training, all the while keeping it small so that searches can run in a reasonable time. My suggestion is to put your class outlines together first, then work on the image, making sure you have all the artifacts you will need. You'll probably need a good 3 GB to do it right. Give yourself a little time each day over a couple of weeks.


(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
 

Getting the file count below 5000 is another matter altogether. Are you trying to use the FTK demo version in the class?


(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
 

I've been putting off putting a class together for some time now and have mulled over the option of what to use. WinHex maybe? Not free, but not too expensive either.


ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

WinHex is good, especially if they'll transition into the forensic version. I also like Hex Workshop as it's cheaper and a little easier for beginners.


Page 2 / 2