An interested student after some advice!

(@chrissyaa3)
Active Member
Joined: 13 years ago
Posts: 7
Topic starter  

Hello all,

It's my first post here and I can guarantee it won't be my last. Basically I'm just after some advice, no matter how small or large, all is appreciated.
Okay so basically I'm on a 3-year sandwich course studying digital forensics at Sheffield. Currently I am on a placement year with a very reputable company. I am really, really enjoying this year and have found that it has completely refocused me about my future career. The only unfortunate end is that I am doing general IT support, as I'm sure many of you are aware, getting a placement in the forensic industry when you aren't qualified is 99% impossible.
I find myself often quite bored on a night time finding little projects to do. I'm living in Bedfordshire and find that there often isn't too much happening. I've started to read research papers and play around but nothing too strenuous. I guess here is where you guys could help me. Obviously because I'm not at Uni at the moment I don't have access to my Encase software. I'm just wondering what you guys recommend in possibly free software or even projects I could use. I have the usual Virtual Machines, SANS, SIFT, BackTrack and CAINE but don't really feel that these offer anything in the way of real forensics (Please feel free to tell me if I'm mistaken here).
So yea, any advice on projects I can take up or get involved in would be muchos appreciated!
Thanks

Chris


   
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

I think the folks behind SANS, SIFT and Caine would have something to say about them not being "real forensics".

This very site lists a whole load of test images and forensic challenges. http://www.forensicfocus.com/images-and-challenges

Once you've completed them you could maybe visit the list I've put together of 100 free forensic tools at http://forensiccontrol.com/resources/free-software/ and perhaps you can while away your evenings by pitting those tools against these free sample images at http://testimages.wordpress.com/ ?


   
(@chrissyaa3)
Active Member
Joined: 13 years ago
Posts: 7
Topic starter  

Thank you Jonathan for your response!

> I think the folks behind SANS, SIFT and Caine would have something to say about them not being "real forensics".

I think you're right; perhaps it's just my ignorance that I haven't really looked too much into them and that I'm just comfortable with Encase, the software I know how to use. That's probably a good starting point, researching more into these and learning how to use them. Do you have a favourite, or should I say advice on each of these as to which one I would perhaps benefit from learning about first?

As for the advice on how to pass my evenings, thanks for that! I'll give those little challenges a go!
Again, thanks

Chris


   
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

The SANS SIFT Workstation, CAINE, BackTrack, DEFT and so on are all Linux Live CDs/DVDs. Each one contains a mix of tools that can perform a variety of tasks depending on the tool you use. While there is some crossover of tools among the various environments, each has some unique tools that are useful for specific purposes.


   
 N1XY
(@n1xy)
Eminent Member
Joined: 15 years ago
Posts: 25
 

Hey,

I assume that when you return back to University (in September?) you will have to complete a dissertation. I found that it was extremely beneficial during my placement year to get some research done into the area I wanted to focus my dissertation on. It allowed me to be sure that my project would work and be good.

There always seems to be a rush on these forums around September/October time of students asking for Forensic dissertation ideas…

Are you planning on doing a research based project or writing your own tool? Reading papers is certainly beneficial and will get you into the style of writing required in a large project.

How about placing the information you find doing smaller research projects online in a portfolio or blog? Who knows, if you stumble upon something truly interesting you might make a small name for yourself in the industry before you even graduate!

Good Luck


   
(@chrissyaa3)
Active Member
Joined: 13 years ago
Posts: 7
Topic starter  

Bithead, thanks for that. I think it's definitely time to learn about these tools.

N1XY thanks a lot for that advice! Invaluable bit of advice there. I do return back to uni in September. I've been researching a lot into iOS forensics as of late, and it would probably be good to get going on some Android books. I think I'll be doing a research-orientated project next year. I think I'll find that much more beneficial to myself.

Brilliant advice guys, thank you!

Chris


   
(@cheeky4n6monkey)
New Member
Joined: 13 years ago
Posts: 4
 

Hi Chris,

I originally wrote this for another post (didn't get any feedback) so figured I'd see if it helps here. Not sure if I should have linked it rather than replicated it? Anyhoo here is a re-edited version just for you 😉

I am not currently in the DFIR industry but I am currently trying to get in. So take all of this with a grain of salt.
In general, I think it's easier to land a Digital Forensics job if you already know somebody in the industry.

I have found that blogging about my research/self-learning has resulted in quite a few helpful contacts coming forward / responding to my enquiries. There's quite a few people in the DFIR community who are willing to help out but I think you first have to show that you're already making an effort/have a basic understanding.

Some suggested reading (in case you haven't heard of these):
Harlan Carvey's "Windows Forensic Analysis" series of books
Cory Altheide/Harlan Carvey's "Digital Forensics with Open Source Tools" (this can be used really well with SIFT)
Brian Carrier's "File System Forensic Analysis"
Andrew Hoog's "iPhone and iOS Forensics" and "Android Forensics"

Also, play around with SANS SIFT Workstation. It has heaps of open source tools already installed and it's free (unlike Encase/FTK). I write about SIFT quite a lot in my blog and I think it has quite a large user base.

You can start with the M57.biz case from http://digitalcorpora.org/corpora/scenarios/m57-jean
It's in EnCase format but you can still mount it with SIFT. I documented my experience with this on my blog but had to take down the results section as it's still in use by students. I still have a "how to set it up" post though which might help you.

With your free time, I'd recommend just learning about topics that interest you and blogging away. It doesn't matter if no one reads at first, the point is to build up your skills (in both forensics and written communication). As you develop your skills, you are bound to solve a problem that others will find helpful.
Eventually you can get a following of sorts and that makes it easier to reach out for advice/employment.

I think knowing how to program is another skill well worth developing - you can't rely on someone else to solve every possible forensic problem out there. And you can also save yourself time by writing some simple batch scripts (e.g. in Perl or Python).

It probably depends on the employer but I think having existing skills/experience (especially in commonly used tools, e.g. RegRipper) will outweigh a Postgrad qualification (for entry level anyway). Being able to think/solve problems independently is what all those Uni degrees are supposed to be for anyway.
The cool thing is, you can use your blog as evidence as to how you think/solve problems.

Hope this helps,

Cheeky


   
jpickens
(@jpickens)
Estimable Member
Joined: 18 years ago
Posts: 130
 

I'd also start off looking at YouTube. There are lots of tutorials out there on how to use many different tools of the trade (from F-Response, to EnCase, to FTK, and so on…). Even if you don't have a copy of the tool, you can start learning about what it can & cannot do. Knowing which tool to use is just as important as knowing how to use the tool.

If you're looking to learn more about EnCase, then you can do some of their online training courses. http://www.guidancesoftware.com/computer-forensics-training-courses.htm Some are free, others you may need to pay for, but if you're working an internship at a company, maybe you can ask them to send you to some training classes. I know Greenwich U. and Slough have forensics training centers in the UK.

Good luck with your search. There's lots of free information on the net. Just start reading.

On a side note, your IT education is still perfect for a foundation in forensics. I promise it will come in handy in the future for you.

Cheers,


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> …I have the usual Virtual Machines, SANS, SIFT, BackTrack and CAINE but don't really feel that these
> offer anything in the way of real forensics…

That still cracks me up! Particularly since it follows, "…I don't have access to my Encase software."

> I find myself often quite bored on a night time finding little projects to do

I totally understand. If you don't have access to Brian Carrier's book, find some articles online that describe the MFT, then open an MFT in a hex editor, copy out one MFT record, and then sit down with a pen or a couple of highlighters and walk through parsing and understanding the different attributes.

A lot of books and resources have been recommended to you…at some point, that can be overwhelming. I'd suggest starting with one thing…the Windows Registry, Linux file systems, something…and start there. A journey of 1000 miles starts with a single step…but you can't finish it unless you start.

Let's say you were interested in Windows stuff…there are images you can download for learning purposes, and you have your own system to work with. Pick one small thing at a time, and learn all you can about it.


   
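As an added illustration of the pen-and-highlighter exercise keydet89 describes (this is example code written for this page, not code from keydet89 or anyone else in the thread): a small Python parser for one MFT FILE record that undoes the update-sequence fixups, reads the header fields, and walks the attribute list. The record it runs on is constructed in the script and is not from a real volume; the offsets follow the NTFS on-disk layout described in Carrier's book.

```python
import struct
ATTR_TYPES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA",   # NTFS type codes (subset)
              0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP"}

def apply_fixups(rec, sector=512):
    """Undo update-sequence fixups: on disk the last 2 bytes of each sector hold the USN; the originals sit in the USA."""
    buf = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", buf, 4)
    usn = buf[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        pos = i * sector - 2
        if buf[pos:pos + 2] != usn:                 # torn write: this sector was never updated
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        buf[pos:pos + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return buf

def parse_mft_record(rec):
    """Parse the FILE record header, then walk the attributes up to the 0xFFFFFFFF end marker."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    buf = apply_fixups(rec)
    seq, links, off, flags, used, alloc = struct.unpack_from("<HHHHII", buf, 0x10)
    out = {"seq": seq, "links": links, "in_use": bool(flags & 1), "is_dir": bool(flags & 2),
           "record_no": struct.unpack_from("<I", buf, 0x2C)[0], "attrs": []}
    while off + 8 <= min(used, alloc):
        atype, alen = struct.unpack_from("<II", buf, off)
        if atype == 0xFFFFFFFF:
            break
        if alen < 0x18 or off + alen > used:        # never walk past the record's used size
            raise ValueError(f"bad attribute length {alen:#x} at {off:#x}")
        attr = {"type": ATTR_TYPES.get(atype, f"{atype:#x}"), "nonresident": bool(buf[off + 8])}
        if not attr["nonresident"]:                 # resident: the content sits inside the record
            clen, coff = struct.unpack_from("<IH", buf, off + 0x10)
            attr["content"] = bytes(buf[off + coff:off + coff + clen])
        out["attrs"].append(attr)
        off += alen
    return out

def build_sample_record():
    """Constructed 1 KiB record (not from a real volume): in-use file no. 42 with a resident $STANDARD_INFORMATION and a resident $DATA of b'hello'."""
    hdr = "<IIBBHHHIHBB"                             # resident attribute header, 0x18 bytes
    std = struct.pack(hdr, 0x10, 0x60, 0, 0, 0x18, 0, 0, 0x48, 0x18, 0, 0) + bytes(0x48)
    dat = struct.pack(hdr, 0x80, 0x20, 0, 0, 0x18, 0, 1, 5, 0x18, 0, 0) + b"hello\0\0\0"
    attrs = std + dat + b"\xff\xff\xff\xff"
    used = (0x38 + len(attrs) + 7) & ~7               # used size is rounded up to 8 bytes
    rec = bytearray(struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, used, 1024, 0, 2, 0, 42)).ljust(1024, b"\0")
    rec[0x30:0x36] = b"\x07\x00\xaa\xbb\xcc\xdd"       # USA: USN 7, then the two saved byte pairs
    rec[0x38:0x38 + len(attrs)] = attrs
    rec[510:512] = rec[1022:1024] = b"\x07\x00"        # on disk every sector ends with the USN
    return bytes(rec)
```

To use it on real data, pass `parse_mft_record` the 1024 bytes you copied out of a $MFT in your hex editor instead of the constructed sample; a "fixup mismatch" error means the record straddles a torn write and its contents should not be trusted.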
 N1XY
(@n1xy)
Eminent Member
Joined: 15 years ago
Posts: 25
 

> Bithead, thanks for that. I think it's definitely time to learn about these tools.
>
> N1XY thanks a lot for that advice! Invaluable bit of advice there. I do return back to uni in September. I've been researching a lot into iOS forensics as of late, and it would probably be good to get going on some Android books. I think I'll be doing a research-orientated project next year. I think I'll find that much more beneficial to myself.
>
> Brilliant advice guys, thank you!
>
> Chris

As Cheeky4n6Monkey mentions, Andrew Hoog's book "Android Forensics: Investigation, Analysis and Mobile Security for Google Android" provides an excellent introduction to Android and covers some basic techniques. It talks about the file system and important files.

Thankfully the Android operating system hasn't changed in structure much since the book was written, even with the release of Ice Cream Sandwich.


   