getting experience ...
Clear all

getting experience on actual computer forensics?  

New Member

Hi, I'm working on my AA in Computer forensics at a local college. I've read
Guide to Computer Forensics and Investigations, Bill Nelson
File System Forensic Analysis, Brian Carrier
Windows Forensic Analysis, Harlan Carvey (currently reading)

With only one class left for me to take (security+), I still don't feel very confident in performing a forensic investigation. I would like a lot more hands on exercises but unfortunatly in class with so many students its hard for the teacher to get going sometimes because a lot of students aren't ready for the content in the class and hold the rest of the class behind. I would like practice at home on my own time, but don't have access to FTK
at home.

Any advice on getting more hands on experience?

Posted : 10/10/2008 9:20 pm
Junior Member

Hi Drew

FTK is free if you examine less than 5000 items, so you could download it and use it at home. That would let you get a feel of the application.

Not sure about the experience tbh. I have a masters in forensic IT, but we did very little hands on forensic work on the course also.

are their many forensic companies in your area?


Posted : 10/10/2008 9:28 pm
Community Legend


Do you want to learn forensic analysis, or do you want to learn FTK?

My book and blog are great places to start when it comes to learning analysis. There are lots of free tools out there that you can use…even images you can download off of the Internet for use.

If you understand the basics and the background of what goes on "under the hood", you don't need FTK or EnCase necessary to conduct a thorough examination.

Posted : 11/10/2008 12:19 am
Senior Member

WinHex is a free download, as is The Sleuth Kit, Helix and many others …

Like Tom says, you can also get limited versions of FTK and EnCase for "evaluation" that would allow you to do some training - the EnCase ENCE book comes with both the software, and some sample cases & the training in the book.

Posted : 11/10/2008 1:18 am
Junior Member

Drew, you might be in Can't-see-the-forest-for-the-trees mode. Forget about individual programs instead go for fundamentals. I personally stick to Linux since it requires more knowledge to even get going. The learning curve is steep, initially, but smooths out soon enough. The problem with Windoze-based products is they are all point and click.

Set up a Linux machine on your own. The most minimal hardware is all you need, a garage-sale type computer, or even just a second hard disk on your dual-boot PC. Then find a distribution. You can download a distro for free but that is time-consuming and inconvenient. Buy one of the lower-level dstros such as Slackware. Think the price is $60 but for that you get six CDs. Start poking around, get the hacker mindset, understand how file systems are organized.

You might want to start attending local LUG meetings. Get into the tech scene, develop contacts, find out what these actually talk about.

My $0.02. That is just how I did it. Good luck.

Posted : 11/10/2008 2:06 am
Active Member

Try completing the challenges on http// or better yet, setup your own honeypot and do a forensic analysis on it.

Posted : 11/10/2008 2:24 am
Active Member

Before I had the opportunity to work on real cases with expensive case tools, I used ftk Imager, Helix, simple hex editors and FTK demo version to examine computers that I either found on the street (which used to be common up to a year or so ago) or bought used disks at computer fairs.
It is really amazing how much data can be restored on formatted used disks if you know how.This is a great way to get a sense of achievement and develop a passion for forensic computing. This will also give you a good foundation in the basics as you will have little choice but to examine the file systems at a basic level using simple tools. Expensive case tools do a lot of work for you and this is a good thing but only if you really understand what it is they do and how.

Posted : 11/10/2008 4:08 am