Advice on filesystem knowledge required for investigator
Potentially I have an interview in a couple of weeks for a forensics job. The phone interview I just had with the recruiters sounded promising, and while I wait to hear I'd like to learn as much as I can; it may come to nothing but you never know...
Can anyone give any advice as to the specific technical skills that I would be expected to have and what I should brush up on in the meantime, and basically offer any advice/information/links that would assist me in this interview? I have been told that the employer is not looking for a forensics expert but someone who has a good all-round technical knowledge of all types of computer systems, someone who knows filesystems and who has the potential to be trained... I have read the book Incident Response and Computer Forensics and am currently reading it again for maximum info on the recovery and analysis side of things, but it is none too specific on the information I would like to know.
On the filesystems knowledge part, how deep does my knowledge have to run in the likes of FAT and NTFS? Do I need to know the organization of an NTFS/FAT volume, for instance the MFT, to an expert level, or is it enough that I know the difference between the FAT and NTFS filesystems and the respective features of both, and also that other features like hidden streams exist within NTFS and the tools to use to show up this sort of information?
On UFS and ext2/3 in the *nix world, will it be enough that I know about inodes and link counts and that debugfs can help return a file marked for deletion, or will I have to know this filesystem structure to a very deep level as well?
I have already spotted a doc or two on this site that will help me learn more on this stuff, but I'd like to get the opinion of those in the know on what I'd be expected to know at a minimum...
I'm a Solaris sysadmin by day and am fairly clued up on the *nix side of things, but on the Windows side of things I'd have to admit to not being as strong.
Any advice appreciated!
Oh, and before I forget, nice site btw, I look forward to reading and learning here in the future. Oh, and as this is my first post, please feel free to bump this if it's in the wrong section.
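For the ext2/3 point raised above (inodes, link counts, and debugfs returning a file marked for deletion), here is an added walk-through that is not part of this thread. It stages the whole scenario on a throwaway ext2 image file, so it needs only e2fsprogs (mke2fs, debugfs) and coreutils, no root and no mounting; the file name and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: unlink a file on an ext2 image, then recover it through the
# orphaned inode with debugfs. Assumes mke2fs and debugfs are on PATH.
set -eu

# Builds the image, writes and deletes a file, recovers it by inode number,
# and prints the recovered contents on stdout.
recover_demo() {
    work=$(mktemp -d)
    img="$work/evidence.img"
    original="$work/note.txt"
    printf 'constructed sample evidence: meeting at 0900\n' > "$original"

    # 1. Fresh 4 MiB ext2 image. ext2 leaves the inode's block pointers in
    #    place on delete; ext3/ext4 zero them, which is why lsdel is far
    #    less useful there.
    truncate -s 4M "$img"
    mke2fs -q -t ext2 -F "$img"

    # 2. Copy the file in, then unlink it. The directory entry goes, the
    #    link count drops to 0 and dtime is set, the blocks are marked free
    #    in the bitmap, but the inode and its data blocks are still on disk.
    debugfs -w -R "write $original note.txt" "$img" >/dev/null 2>&1
    debugfs -w -R "rm /note.txt" "$img" >/dev/null 2>&1

    # 3. lsdel lists inodes that carry a deletion time and still point at
    #    blocks. Its table rows start with the inode number; the summary
    #    line ("N deleted inodes found.") has too few fields to match.
    deleted_ino=$(debugfs -R "lsdel" "$img" 2>/dev/null \
        | awk '$1 ~ /^[0-9]+$/ && NF > 4 { print $1; exit }')
    if [ -z "$deleted_ino" ]; then
        echo "no deleted inode found" >&2
        return 1
    fi

    # 4. dump by inode number: the <N> syntax addresses the inode directly,
    #    since there is no longer a directory entry to look it up by name.
    debugfs -R "dump <$deleted_ino> $work/recovered.txt" "$img" >/dev/null 2>&1
    cat "$work/recovered.txt"
    rm -rf "$work"
}
```

On real evidence the image is a copy and debugfs is run without -w; the writable calls above exist only to stage the deletion for the demo.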
It's always difficult to know what a company's really looking for, regardless of what a recruiter might say (sorry David…that's not aimed at you!) but any good outfit is probably going to be more interested at this stage in your integrity and your appreciation of the underlying principles of a forensically sound investigation than knowledge of particular filesystems (although from what I've read your knowledge is most likely more than sufficient for an entry level position). Detailed technical knowledge can be acquired through training, the personal qualities which make a good investigator can't (IMHO).
Thanks for replying to this question. If this is the case then that sounds good to me, and I should probably concentrate on the finer points of forensic analysis and the procedure surrounding it rather than worrying about the filesystem itself, which is good as even if the interview never pans out I'll still have gained from the experience and it will help me in future attempts to break into this field.
Nice one mate, appreciated.