I am planning on starting my own forensic business. I am seeking advice, business tool recommendations (hardware and software), general training recommendations and things of this nature from folks willing to share their knowledge and experiences.
I have worked in computer security for over 15 years prior to retiring. I have obtained the SANS GCFA Gold certification and I'm attending college to acquire my BS in Computer Forensics.
I believe in Open source but understand the importance of using tools that have been vetted by legal system.
Additionally, I believe in constant practice analyzing images and data with new techniques. I was also curious if the community thought a site of this type would be worthwhile. Something along the lines of the DFRWS 2006 and 2005 challenges?
One thing I've seen, as a consultant, is that forensics doesn't stand on its own as a business…it's usually included as an additional service.
First off, what's your market? If you're targeting small businesses, you may want to consider going with something a little more general (sysadmin, or whatever you did before) and including a suite of security services (vulnerability assessments, system scanning, etc.) along with forensics.
Whatever you decide to do, you need to network in the field, and get your name known and out there.
Regarding getting set up, I'd recommend a couple of workhorse laptops (I got a D820 from the refurbished shelf at Dell…spec'd out, it was over $4000, but I got it for $2000), external drives, write-blockers, etc.
For imaging software, FTK Imager is free, as is dd (both Windows and Linux variants). For analysis, I'd suggest going with ProDiscover and TSK (TSK is free, and you can install it on Windows, if you need to).
> Additionally, I believe in constant practice analyzing images and data with new techniques.
Two thoughts:
1. If you're working, when do you have time to practice? 😉
2. Where do these 'new techniques' come from?
Starting your own forensic business is a ton of work, as I'm finding out. The main problem I'm running into is one of education - most potential clients have no idea what "digital forensics" is, let alone why they need to pay somebody to perform it for them. This includes the legal community.
Good idea on having other services to offer until CF pays the bills.
Get a lab setup with the hottest computers you can afford. It takes a fair amount of horsepower to process stuff so that it finishes during your lifetime! Start imaging and erasing and analyzing any media you can possibly find. Practice makes perfect. Have a wife with a real job so you can put food on the table for a while …
Well, I just happen to be retired and do not need to worry about putting the meat and potatoes on the table. However, I would like to earn enough money to fund my continued college courses and any special training, equipment (aka toys) and make enough money to be able to buy or build a small cottage on the coast for vacations.
I do understand the irony of working and finding time to practice my skills. I am quite lucky in several regards; one - I'm quite used to working 12+ hour days, two - I do not care for most TV and movies. Actually, I find working with my computers while listening to my music to be quite relaxing. Yeah! I've heard all my life that I'm quite dull and boring - so what?
Personally, I learn more from research and practice than any other way. I lurked on this forum for a year before registering. I monitor numerous mailing lists and forensic sites for tidbits.
Since you mentioned TSK - Brian Carrier's utilities? Any feeling on Autopsy? I'm working on several mods to Autopsy incorporating directory use for known good files and Alerts hashsets, modifications to hfind to allow a parameter value to set the field position of the hash value in lookups, plus incorporating MySQL database datasets.
I'm playing with the idea of implementing a DBM structure for hash values for string lookups.
The old sysadmin/programmer in me wants to modify some of the utilities. I've liked using Helix with GRAB for imaging - more reliable at identifying devices, disks and partitions than most DOS imaging tools.
Keydet89/OldDawg - know much about those hardware-based disk imaging devices? Not the write-blockers but devices like Logicube's Forensic Talon device.
> I would like to earn enough money to fund my continued college courses
Some things to consider:
- Since you like to practice, develop a methodology/testing scenarios, and write product reviews for a publication
- Write articles for publication, where someone is willing to pay you
- Write a book…not a lot of money there, but maybe enough to support your other interests
Network through your local chamber of commerce, and get in touch with other IT professionals, or company owners (everyone uses computers these days) - find out what their pain is, and what keeps them awake, and see what you can do to help alleviate that…even if it's initially general IT stuff…config management, scanning, etc.
> Any feeling on Autopsy?
Funny you should ask. I've worked with the installation guide for installing TSK/Autopsy on Windows via Cygwin, and have pinged Brian about a version native to Windows. He's released Win32 versions of the TSK tools, but I, for one, would like to see something like a native Win32 version of TSK/Autopsy (or even PyFlag). I'm writing my second book now and even though I have a license for ProDiscover, I'd like to see something out there that brings suitable functionality to the freeware space without requiring Linux (or .Net). I'd be willing to assist, either as a beta tester, or as a developer.
> I've liked using Helix with GRAB for imaging
FTK Imager is free, as is linen, etc.
I'd suggest looking at what's out there, and bringing something new to the table.
Thanks for the advice!
Does anyone have any thoughts on professional liability insurance and the amount?
You would want to look into E&O Insurance.
KeyDet - FTK Imager is free? Where? It's $89 on AD's site.
A demo version can be obtained from
I do not know if the demo version 2.5.1 has any limitations.
I could not locate the supposedly free version of 2.3.
The free version of FTK Imager is only available to LE.