Hi there,
I've had an interest in computer forensics for a few years now and I've been following this forum for a good portion of that.
I've been working in IT for 2 years now as a desktop administrator and currently self-studying forensics using books and blogs on the internet, whilst studying for my MCSA Security as part of some work-related projects.
I turned down an interview a year ago for an entry-level forensics position as I didn't feel I had enough experience/knowledge to really be a good candidate.
I see that a lot of people on here started off as software developers, system administrators, law enforcement officers but I was wondering when in your career you made the transition to forensics from those roles or what made you choose forensics?
Thanks,
Marl
Mine is actually easy, I got laid off.
Seriously though, I got "the bug" for forensics about 5-7 years ago, when the company I was working for at the time was in trouble with the DOJ (prior to my start there). So I was managing the computer images we were supplying to the DOJ and our attorneys. Later on I had to print out evidence for the DOJ for the case (at their offices), and then I was subpoenaed to testify (but once I showed up I didn't have to). After that I was able to take a CHFI boot camp course.
So when I got laid off I decided to invest in a Guidance Software training passport, and within about 5 months or so took almost all of their course offerings. Even met my boss for the next company I went to in one of the classes.
So that's really how I got into it. And I started purchasing a lot of my own personal equipment to play around with and do research on, that's the fun part.
Tom
I got 'recruited' in the late 80's. I am LE and at that time our agency and our US counterpart were developing joint training in the field. I was 'chosen' as I had demonstrated an affinity for computing and electronics (my father was an electronics engineer with the Dept of Defence up here so I grew up around PCBs and solder, I also had been playing with computers since '81 and that was well known to my superiors). After passing a level two programmer aptitude test I was in, trained at FLETC, in house with our agency up here, and also went back to university and obtained an MSc in Information Security.
I was wondering when in your career you made the transition to forensics from those roles or what made you choose forensics?
Personally, after nearly a decade in various IT / support roles, I wanted to progress my career into something a little different (and with less dealing with password reset requests). I had experience of security/defence/legal workplaces through these jobs and like you, had been interested in CF for years.
You say you've been in support 2 years - presumably you had some experience / aptitude with IT before that to get the job in the first place? From what I can tell genuine technical experience, interest in computers and familiarity with CF terminology will get you quite far. MCSA is worthwhile, maybe look into one of the shorter academic courses in forensics as well. Good luck!
Thanks guys, it's good to hear other people's experiences, hopefully it'll help people who are in a similar situation to myself.
CdtDelta, sounds like you were in the right place at the right time! The training passport from GS looks really good and a great way to learn, unfortunately I'm short of a budget, but it's something I'll keep in mind. Part of my own route was to buy some equipment to play around with too, what software did you start out with?
Beetle, it's good to see your agency were able to train you, it really proves that you have to work for your position as well, I see a lot of people on forums who aren't willing to put in the time you did and just expect to jump into an investigator type role.
redcat, I'm like yourself in wanting to do something different. Sounds like you had some good experience to make that jump especially the security and defence work. Yeah I had a strong interest, got some CompTIA certs in my spare time and got a job from that. When you say academic courses, do you mean EnCase, FTK courses or say the open university course? How long have you been in CF?
Thanks once again guys.
My experience is probably a little different to most in that forensics was part of my first 'real job' in IT. Of course that is changing now with most major Universities offering forensics courses - especially in the UK.
I was lucky enough to get a scholarship at uni in Australia with a massive multinational IT company. It basically involved working at the company as part of my uni course, including doing a semester full time in my final year. I started off working in an IT Security Administration team that managed the accounts for the remote access solution. My manager in that team heard about a new area starting up doing work for a bank on their cyber security. Mostly it involved shutting down phishing sites and malware analysis of Internet Banking Trojans, but there was also a small investigation and forensics aspect to it.
My manager somehow got me over to work in that team and I absolutely loved it! I was lucky enough to stick with them for the rest of my time at uni and also got a grad position into the company with that team.
I was then able to move over to work for another bank doing the same kind of thing, but took more of an active role in the forensics and investigations work. About 9 months ago I relocated to the UK and have since been working here solely in a forensics role.
In terms of what training I've done I was lucky enough to be able to do most of it on the job. The guys I worked with had done some training so taught me the basics and also our manager was an ex detective from a fraud and forensics background so was able to drill in the importance of chain of custody and the methodology side of things. I then was able to do FTK, EnCase and Nuix training as well as some other investigation courses.
My experience has been a little odd. Fresh out of high school I went to college for criminal justice. Being about 20 and smarter than everyone around me, I quit. After working as a laborer for 10 years (until getting hurt and losing my job) and dabbling in law enforcement, I went back to school. Being unemployed and 35 years old was not a good situation. I decided to go back to school but had no idea what for. I decided that the computer field would be a good one to get into so I went on a trip to the local community college. While there I heard of this thing called computer forensics. At that time I knew very, very little about computers. After talking to the professors I decided to dual major in networking and CF. I graduated in May of this year but have heard how hard it is to get hired, especially with only an associates degree so now I'm finishing my B.S. In the meanwhile, I started my own CF/Data recovery business. I have gotten a little work but haven't marketed myself due to my workload at school. After next week my courseload will lighten substantially so I plan to hit the job market to see what I can find.
Any takers??? lol
I'm like yourself in wanting to do something different. Sounds like you had some good experience to make that jump especially the security and defence work. Yeah I had a strong interest, got some CompTIA certs in my spare time and got a job from that. When you say academic courses, do you mean EnCase, FTK courses or say the open university course? How long have you been in CF?
Yes, my IT background has been an asset but not essential IMO - most employers will want to test and gauge your technical ability anyway. I was referring to academic rather than vendor courses - I did a one year MSc. - but there's nothing wrong with the vendor courses if you can afford them. I have been in CF about 3 months now since completing the course.
CdtDelta, sounds like you were in the right place at the right time! The training passport from GS looks really good and a great way to learn, unfortunately I'm short of a budget, but it's something I'll keep in mind. Part of my own route was to buy some equipment to play around with too, what software did you start out with?
Yeah, overall (considering the US job market) I was EXTREMELY lucky (of course I just got laid off again a few months ago, so the luck seems to come and go).
I had the advantage of a severance at the time to use for the passport, otherwise I may not have done it. I also made friends with another forensic examiner who suggested that was the route to go (either AD or GSI). And then networking has been a BIG help as well. Twitter especially.
In terms of tools, my first hardware write blocker was a Disk Jockey Pro (forensic edition). It's about $500 but the least expensive one at the time I could get. Now you can get a WiebeTech UltraDock for less than that (I have two of them now).
Software wise, there's the SIFT workstation, Simple Carver Suite, Helix, I bought a copy of F-Response Field edition, X-Ways (which I worked my way up to and started with WinHex). I think that's what I started out with. But more of the cheaper priced tools that at least I could play with. VMware (or something like it) is a good investment because you can play around with multiple OS installs and use one piece of hardware. So you can do a lot of imaging that way.
Tom
I also have the WiebeTech UltraDock. In school we were using the FastBloc system but they were old and we were having a lot of trouble with them so they bought the WiebeTechs. They seemed to work very well so I bought one for myself to use. ~$270 for the WiebeTech and another $50 for the 2.5" SATA adapter. I also have a legally licensed copy of FTK 1.6, and DiskExplorer for FAT and NTFS. These tools plus the few free ones out there will go a long way if used correctly.