
Questions about working in Forensics.

jhall236
(@jhall236)
New Member

Hello all,

My name is Jason and I will be graduating with an A.S. in Digital Forensics here soon. I am new to this forum. In my final course I am tasked with a short interview with people already in the field. If some of you would be so kind as to take a couple of minutes to answer the questions, it would be greatly appreciated. If you could also leave your name and level of experience, that would be great.

Thanks in advance,
Jason Hall

Questions
1. What tools do you use most often?

2. What credible resources such as publications, forums, societies or Internet groups would you suggest to a new graduate?

3. What is the most rewarding aspect of your job?

4. What personality traits and academic background are important for today’s digital forensics investigators?

5. Is it prudent to specialize in one or two tools/devices or be a “jack of all trades” investigator?

Topic starter Posted : 24/03/2014 10:17 pm
keydet89
(@keydet89)
Community Legend

Questions
1. What tools do you use most often?

It really depends on the type of work I'm doing. For digital analysis of Windows systems, TSK tools (mmls, fls, blkls now and again…), LogParser, Perl, and a lot of my own scripts/home-rolled tools and processes. Much of the analysis work I do involves determining when and how something happened, so timeline analysis is a great way for me to address the goals of my analysis.

2. What credible resources such as publications, forums, societies or Internet groups would you suggest to a new graduate?

None. My recommendation would be to start with whatever internal training you can get as part of your job…going to online resources is going to simply inundate you with information…one of the things I hear from folks is, "…there's so much to learn, I don't know where to start…".

If you don't have employment lined up, pick someplace to start, and focus there initially. So many folks, including seasoned professionals, seem to immediately go to the deep end and quickly get in over their heads. If you don't know what to focus on, seek out a mentor.

3. What is the most rewarding aspect of your job?

Finding stuff other folks haven't seen, or haven't admitted to seeing. Finding undeniable proof that a bad guy did what they were accused of (and denied), or finding undeniable proof that exonerates someone.

4. What personality traits and academic background are important for today’s digital forensics investigators?

I don't think that academic background plays a huge role, other than getting someone "in". Someone can be a history major and be innately curious and passionate about the work, and do a much better job (and have more fun doing it) than someone with a degree that applies more directly/appropriately to the work.

Something that many analysts seem to have great difficulty doing is putting their egos aside and asking for assistance. I've had analysts tell me that they'd rather "noodle" through something for 3 months or more, so that they could get it themselves, rather than ask for help. I've seen others spend more time than they needed to trying to figure something out when they could've simply asked.

Seek out trusted relationships in the field. No one of us knows everything, and the only way to learn is to explore and ask questions. Also, be prepared to give back…if you find something new, share it. Don't use excuses to hide. Sure, others may have seen it before…but more than likely, they haven't said anything either, so the majority of the field has little knowledge of it. You may have a new variant, which could be significant.

5. Is it prudent to specialize in one or two tools/devices or be a “jack of all trades” investigator?

Yes. There are a number of skills that one needs in this field, but it is also important to have a degree of specialization in an area that applies directly to what you're doing, such as knowing the ins and outs of a particular tool, device or data source.

HTH

Posted : 24/03/2014 10:50 pm
jhall236
(@jhall236)
New Member

Thank you so much, I appreciate the feedback and the detail in which you answered the questions.

Thanks,
Jason

Topic starter Posted : 25/03/2014 7:37 am
Chris_Ed
(@chris_ed)
Active Member

…Finding undeniable proof that a bad guy did what they were accused of (and denied), or finding undeniable proof that exonerates someone.

Can this ever be 100% true? I think "beyond all reasonable doubt" is a more acceptable term.

Posted : 25/03/2014 7:55 pm
keydet89
(@keydet89)
Community Legend

Can this ever be 100% true? I think "beyond all reasonable doubt" is a more acceptable term.

It's a matter of semantics, really. From my perspective, neither "beyond all reasonable doubt" nor "undeniable proof" are absolute, and are synonymous.

Any thoughts on the content?

Posted : 25/03/2014 11:02 pm
datendrache
(@datendrache)
New Member

Okay, I'm going to come at this from a different perspective. I'm relatively new to forensics but my background seems to be a good fit. I've been in low-level infosec for most of my career. A person might note that there are many similarities between an infosec red team member and a forensic examiner: the processes and the techniques are similar in many respects.

Questions
1. What tools do you use most often?

Visual Studio, Neo Hex Editor, Google, Absolution (because it's my baby), file carvers, data recovery tools, any other software deemed useful, and various hardware "tools" required to do the work. Notable examples:

a) Forensic write blockers for USB and IDE
b) A portable ITX system with an exposed PCI slot for SCSI and Fiber Channel cards
c) Adapters, adapters, adapters… and some docking stations.
d) Paperwork! Checklists for each system and each form of media, verification forms, and other things to make sure each system is collected properly with care.
e) A high resolution camera capable of making videos as well as photographs. You'll want to photograph everything.
f) A safe for keeping media
g) A fast computer system with lots of ram and drive space. Hot swap drive bays a plus.
h) A computer repair kit for opening computers
… etc etc

You get the idea – other forensic experts may also have phone forensics tools, or on device data extraction tools… All depending on their line of work. But in short, you'll need whatever tools that work for your area AND you'll want to construct the procedures you'll follow in advance before attempting anything.

2. What credible resources such as publications, forums, societies or Internet groups would you suggest to a new graduate?

I belong to ISACA which is taking an interest in forensics now. I'd love to read other people's answers.

3. What is the most rewarding aspect of your job?

I don't want rewards, so let me rephrase the question. If you are asking about what motivates me, I believe someday computer forensics will help reunite families of missing people faster and save lives, and that my contributions will help give people a life that would have otherwise been stolen from them. No rewards, just hoping that it happens.

4. What personality traits and academic background are important for today’s digital forensics investigators?

Based on what I've seen so far: intelligent, curious, detailed, logical, open minded, "good bit" enabled, and a cast iron stomach (which I don't have, unfortunately). Academically, get a master's degree or higher in order to be able to render expert opinion as testimony in court. It may be required to get a computer forensic certification as well.

5. Is it prudent to specialize in one or two tools/devices or be a “jack of all trades” investigator?

I don't know how anyone could be considered an expert witness with a knowledge of only one or two tools. All industries eventually standardize on putting low cost technicians on a device, so eventually this might be the way things become.

It's the "jack of all trades" that will always win here. Someone will need to direct the technicians anyway, and if you want a career out of this then that person is YOU. You need to learn how businesses work, how computers work at low levels, court procedures, accounting, tools, how to manage clients, etc. Lawyers are also highly educated jacks of all trades, so the more dynamic you can be with them, the better. What other way is there to phrase this except maybe: be a leader.

Eric

Posted : 26/03/2014 6:43 am
jhall236
(@jhall236)
New Member

First off, I’d like to thank you both for answering my questions.
To the content (in order of post)
Keydet89,
I agree with your stance on tools, they should always be what will fit the job best rather than what is the most widely used commercial tool. This is, of course, provided that it can be proven that the tools are forensically sound.
On to the publications, this is not the first time I have heard this theory about publications. I am a big fan of mathematics, probably right after my love for forensics and technology, so I can completely see how it is akin to diving right in to particle physics without the math theories that come before it.
As far as background goes, you’re absolutely right. It does lay the groundwork for topics you’ll encounter, however passing is passing and the degrees look the same between a “C” average and an “A” average. It all has to come down to the individual but the individual on paper will always be first.
I have always tried to make sure that I learn a little of everything that comes my way, but being an “expert” in a certain thing or two, makes you valuable to anyone who sees that scenario come up.

Now in response to Eric,
I have used a lot of tools in the categories you mention, and I certainly have my favorites for each, especially Visual Studio. Paperwork and documentation is something I see a lot of students disregarding, but it is probably the most critical thing you can have as an investigator. I couldn't tell you exactly how I did something two weeks ago; I know I could figure it out again in a few minutes, but that would never hold up in court. That is just asking to lose credibility as a witness.
I’ll have to see how ISACA’s forensics side pans out. I can see the importance of a society as far as being able to find someone who can do what I can’t. I am never too proud to ask for help, which as Keydet89 stated, a lot of people are. Well, maybe too stubborn at times.
I believe the question about rewarding aspects is still answered as it stands; the aspect is simply that whenever that happens, you’ll be a part of that. That someone could be saved because of your actions, your participation. That is the reward. At least that’s how I see it. My motivation is similar, righting just one wrong done to someone, as right as it can be anyway, is what I wish to accomplish. I am driven by knowledge and justice, and forensic definitely combines the two for me.
The final question, to answer it myself, should not be "or" but "and". Like Keydet89 said, it's both. I was not precise there. Broad knowledge is extremely important, but knowing the tools specific to the job you have intimately is just as much so. How different would your work be if you were only mildly acquainted with, say, Absolution? I assume you are very, very well versed in that.

Again thank you both. I know that most people would not even take the time to answer one question. You both have been extremely helpful.

Thanks,
Jason

Topic starter Posted : 27/03/2014 7:55 am
Chris_Ed
(@chris_ed)
Active Member

Can this ever be 100% true? I think "beyond all reasonable doubt" is a more acceptable term.

It's a matter of semantics, really. From my perspective, neither "beyond all reasonable doubt" nor "undeniable proof" are absolute, and are synonymous.

Well I would disagree that "undeniable proof" is not an absolute, but never mind.

With regard to the questions themselves

1. What tools do you use most often?

EnCase, X-Ways, Python, some command-line stuff as needed!

2. What credible resources such as publications, forums, societies or Internet groups would you suggest to a new graduate?

Difficult question, really - because what is credible? A post on a blog? A post on FF?
Personally if I am confronted with something new then there are three sources I would check
- This forum
- The DFIR custom google search
- The Win4n6 mailing list
Other sources might be the vendor's website - it can be surprising how much information is provided about the structure of specific files, for example.
But anything you find should then be verified and tested - especially as it is you, not anyone else, who will have to defend your findings if it comes to it.

3. What is the most rewarding aspect of your job?

Most rewarding? Getting deep into the guts of analysis (although in my position in LE this is sadly a rare occurrence) and finding good evidence which might have been off the beaten track. Or thinking outside the box and having that lead to something very interesting/notable.
The other rewarding part is knowing that I am, for my small part, "fighting the good fight". This is somewhat tempered by the occasional frustrations of the English legal system, but overall it is what gets me to work every week day (and some weekends).

4. What personality traits and academic background are important for today’s digital forensics investigators?

An inquisitive mind helps, I think, and a methodical approach to analysis. Also, I feel that it's important to be open to being wrong, or to the possibility of being wrong at least. This can open more avenues for analysis, and more opportunities for learning.
I would also say that some programming experience, while not mandatory, is supremely helpful. Not only in processing files, but in giving you the mindset of how things might work.

5. Is it prudent to specialize in one or two tools/devices or be a “jack of all trades” investigator?

Given the importance of verifying your findings, there will always be a "jack of all trades" aspect to the job. Depending on your role, it can be better to have a broad knowledge of investigation techniques - but on the other hand you might find it better to specialise in your job.
For example, I have a very basic knowledge of how to analyse mobile phones - but that's OK since it's not something I have to deal with (at the moment). If I was to become a specialist in XRY & analysing physical dumps then it therefore might not be worthwhile as I probably wouldn't use that knowledge very much.

Posted : 28/03/2014 4:45 pm
keydet89
(@keydet89)
Community Legend

2. What credible resources such as publications, forums, societies or Internet groups would you suggest to a new graduate?

Difficult question, really - because what is credible? …

- The Win4n6 mailing list

I'm sorry, but I really have to disagree with that one…

Posted : 28/03/2014 5:16 pm
Chris_Ed
(@chris_ed)
Active Member

You disagree that I check the win4n6 mailing list?

Posted : 28/03/2014 7:29 pm
jhup
(@jhup)
Community Legend

I believe he disagrees, as do I, on the point that the Yahoo! Group mailing list in question is a credible resource.

You cannot have it both ways in an intelligent discourse. If you go down on the path of nit-picking "undeniable proof", you must be able to sustain your "credible resource".

Live by the semantics, die by the semantics.

You disagree that I check the win4n6 mailing list?

Posted : 28/03/2014 8:57 pm
keydet89
(@keydet89)
Community Legend

You disagree that I check the win4n6 mailing list?

Not at all…I do not agree that it's either "credible", or a "source". When I started the group, I wanted it to become a valuable resource, but what I found is that everyone has their own idea of "acceptable behavior" for such a list.

For example, it's become something of a repository for ads for DFRWS and SANS. Then there's the members who like to "Kanye" the list by posting off topic items.

Posted : 28/03/2014 9:21 pm
jaclaz
(@jaclaz)
Community Legend

It's a matter of semantics, really. From my perspective, neither "beyond all reasonable doubt" nor "undeniable proof" are absolute, and are synonymous.

For NO apparent reason (wink):
http://cdn.motinetwork.net/motifake.com/image/demotivational-poster/0810/only-a-sith-deals-with-absolutes-motifakes-demotivational-poster-1225143426.jpg

jaclaz

Posted : 28/03/2014 9:56 pm
96hz
(@96hz)
Active Member

1. What tools do you use most often?

EnCase, XWays, FTK, Cygwin, Python, SQL server

2. What credible resources such as publications, forums, societies or Internet groups would you suggest to a new graduate?

There are a number of good books out there. I would recommend a graduate read:
File System Forensic Analysis - Carrier
Forensic Computing: A Practitioner's Guide - Sammes, Jenkinson
Windows Forensic Analysis - Carvey
EnCE Study Guide - Bunting (although tool specific)

3. What is the most rewarding aspect of your job?

Finding answers and getting it right; and helping others understand important technically complex issues.

4. What personality traits and academic background are important for today’s digital forensics investigators?

Smart, analytical problem solvers and investigators with a technical background and a high standard of communication skills (written and verbal).

Sometimes these are CS/engineering/technology graduates, but equally sometimes they are not.

5. Is it prudent to specialise in one or two tools/devices or be a “jack of all trades” investigator?

I think the answer is both. At the start of your career I think it is important to become a solid generalist, later specialising. That speciality will most probably come about based on where you work and who you work with, ie. filling a skills gap, or development of advanced skills that are particularly required by your job.

Posted : 29/03/2014 2:26 am
keydet89
(@keydet89)
Community Legend

Quick question:

3. What is the most rewarding aspect of your job?

Finding answers and getting it right; and helping others understand important technically complex issues.

How do you know when you've "got it right"?

This question has puzzled me for a long while. For the most part, we all work in some modicum of isolation…we're either working alone, or on a small, isolated team. What I mean by that is that, as a community, we don't share findings.

About four years ago, I was doing some host-based analysis as part of an APT engagement, and found something fascinating. Due to the logging that had been enabled on the system I was analyzing, I was able to clearly see the malware being loaded via the DLL search order vulnerability. I was sure that I was right, because I had all of the data points…the system was Windows XP, so the file system was still recording last accessed times, including when DLLs were loaded into memory. However, when I tried to describe it to other team members, I just got blank stares…most didn't even know what the DLL search order vulnerability was.

I was sure that I was right, and thought it would be a great topic to blog about, but I was told to not say anything and not share it with anyone. A couple of weeks later, something very similar was posted to the Mandiant blog (written by Nick Harbor).

Beyond that kind of validation, how do we know that we're right?

Posted : 29/03/2014 4:17 pm
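Two posts above touch the same technique: keydet89's first reply leans on timeline analysis built from TSK output (fls, mmls), and his last one describes spotting a DLL search-order hijack from last-accessed times on a Windows XP system. The following is an added example, not code posted by anyone in this thread. It parses the TSK "bodyfile" format that `fls -m` emits and `mactime` consumes (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, epoch seconds), sorts it into a timeline, and flags a DLL that carries the name of a System32 library but sits in an application directory and was accessed within a few seconds of the EXE beside it. The sample bodyfile lines and the `KNOWN_SYSTEM_DLLS` list are constructed for illustration and are not evidence from any real case. One caveat a practitioner would add: Windows Vista and later leave NTFS last-access updates disabled by default, so an atime-based heuristic like this only works on systems that actually maintain them, which is exactly why the XP detail in the post mattered.

```python
"""Timeline from TSK bodyfile output plus a DLL search-order hijack heuristic.

Added example, not from the forum thread. Assumes the bodyfile format that
`fls -m` writes and `mactime` reads:
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime   (epoch seconds)
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample (not real evidence): an application EXE in C:/App, a DLL
# named like a system library dropped beside it, and the genuine System32 copy.
# The hijacked copy was accessed one second after the EXE.
SAMPLE_BODYFILE = """\
0|C:/Windows/System32/version.dll|3001|r/rrwxrwxrwx|0|0|28672|1364000000|1247500000|1247500000|1247500000
0|C:/App/app.exe|4001|r/rrwxrwxrwx|0|0|512000|1364000100|1300000000|1300000000|1300000000
0|C:/App/version.dll|4002|r/rrwxrwxrwx|0|0|16384|1364000101|1363999000|1363999000|1363999000
0|C:/App/readme.txt|4003|r/rrwxrwxrwx|0|0|120|1364000000|1300000000|1300000000|1300000000
"""

# Libraries Windows resolves by name from System32. A same-named file in the
# application directory is the classic search-order hijack. Illustrative list,
# not exhaustive (assumption for this example).
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll", "uxtheme.dll"}


@dataclass(frozen=True)
class Event:
    ts: int
    kind: str   # 'a' access, 'm' modify, 'c' MFT change, 'b' birth (mactime letters)
    path: str
    size: int


def parse_bodyfile(text: str) -> list[Event]:
    """Expand each bodyfile row into one Event per non-zero timestamp, oldest first."""
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"expected 11 bodyfile fields, got {len(fields)}: {line!r}")
        _, name, _, _, _, _, size, atime, mtime, ctime, crtime = fields
        for kind, ts in zip("amcb", (atime, mtime, ctime, crtime)):
            if ts and int(ts) > 0:          # mactime treats 0 as "no timestamp"
                events.append(Event(int(ts), kind, name, int(size)))
    return sorted(events, key=lambda e: (e.ts, e.path))


def render_timeline(events: list[Event]) -> list[str]:
    """mactime-style lines: UTC time, MACB letter, size, path."""
    return [
        f"{datetime.fromtimestamp(e.ts, timezone.utc):%Y-%m-%d %H:%M:%S} {e.kind} {e.size:>9} {e.path}"
        for e in events
    ]


def find_dll_hijack_candidates(events: list[Event], window: int = 5) -> list[tuple[str, str]]:
    """Return (exe, dll) pairs worth a closer look.

    A hit is a DLL whose base name matches a System32 library, that lives in the
    same directory as an EXE (and that directory is not System32 itself), and
    whose last-access time falls within `window` seconds after the EXE's.
    Only meaningful where the file system actually maintained atimes.
    """
    accesses = [e for e in events if e.kind == "a"]
    hits: list[tuple[str, str]] = []
    for exe in (e for e in accesses if e.path.lower().endswith(".exe")):
        exe_dir = ntpath.dirname(exe.path).lower()
        if "system32" in exe_dir:
            continue
        for dll in accesses:
            if ntpath.basename(dll.path).lower() not in KNOWN_SYSTEM_DLLS:
                continue
            if ntpath.dirname(dll.path).lower() != exe_dir:
                continue
            if 0 <= dll.ts - exe.ts <= window:
                hits.append((exe.path, dll.path))
    return hits


if __name__ == "__main__":
    timeline = parse_bodyfile(SAMPLE_BODYFILE)
    print("\n".join(render_timeline(timeline)))
    for exe, dll in find_dll_hijack_candidates(timeline):
        print(f"\nPossible search-order hijack: {exe} loaded {dll}")
```

In real use you would feed it the output of `fls -r -m "C:/" -o <offset> image.dd` instead of the constructed sample, and treat a hit as a lead to confirm against the DLL's hash, its import table, and whatever process or prefetch data is available, not as a finding on its own.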