Just trying to construct a list of what fundamental skills are needed for a junior analyst / technician.
I was thinking (non-exhaustive) the following, but would really welcome additions/suggestions
1. File Identification (signatures etc)
2. File Recovery (carving)
3. Imaging
Attention to detail - especially when it comes to chain of custody and evidence handling!
Great, evidence handling and Chain of Custody….passed me by that one, scary 😯 😯 lol ….It will go on the list!
I think that you’re already overlooking the fundamentals. A surprising number of junior people in this industry (or those that want to be junior people) seem to have no ability to work with technology. Can you pull a hard drive out of a laptop with confidence? Do you understand the basics of how popular operating systems work, networking fundamentals and so on?
If it sounds trite I apologise but I’ve spoken to lots of people who have no interest in tech and think digital forensics would be a good job for them. To me, that’s like wanting to be a mechanic but not liking engines, or a medic with no interest in human biology. If you love tech and work hard you don’t need much more than an understanding of ACPO guidelines (or whatever your local standard is), write blocking, hashing and chain of custody. You can learn the rest on the job if the desire is there and you get into a decent role.
I was thinking (non-exhaustive) the following, but would really welcome additions/suggestions
1. File Identification (signatures etc)
2. File Recovery (carving)
3. Imaging
I'd like to see the ‾ of the T. That is, I'd like to see the wide-ranging, though shallow, knowledge of the area. The competence, not the deep and narrow expertise. I'd like to see someone who has most of the jigsaw puzzle pieces, but perhaps is not able to put them all together yet.
File Identification … I'd want to see basic understanding of the problems of file identification. What does identify a file? How can we know? Far too often it seems that some hazy notion is enough, that the first four bytes (or eight or twelve) somehow always point the finger, and that file(1) is all you need to know as far as tools go. Whoever the junior is, he/she should be able to write a basic file-interpreting program in programming language of choice. (And the 'senior', of course, should be able to evaluate the attempt …)
File Recovery … this is an expert area. It's impossible to have this unless file system basics is covered first (a la Carrier), as well as some basic knowledge of software operation coupled with a fairly deep knowledge of at least one important file format to get familir with the theory. Without that knowledge, file recovery is not possible. (Tools? Pfui!)
Imaging … basic stuff. More or less the standard SANS imaging stuff. The 'beginners' stuff.
Like redcat, I would put an accent on the character/attitude before anything else, someone with
1) curiosity
2) ingenuity
3) an inquisitive mind
and some passion for the technology will be good or become good in little time.
jaclaz
Like redcat, I would put an accent on the character/attitude before anything else, someone with
1) curiosity
2) ingenuity
3) an inquisitive mind
and some passion for the technology will be good or become good in little time.jaclaz
Fully agree. A proactive, investigative mind is often overlooked and is crucial to being a good investigator, instead of just someone who is purely technical and process driven.
Following up on what Jaclaz said
4. Tenacity. Keep diging until you find what you are looking for.
5. Patience. Learn to wait…
Just trying to construct a list of what fundamental skills are needed for a junior analyst / technician.
Depends on what you call "junior" and what you think an "analyst" should be.
I don't agree with a lot of what's listed here.
I also don't qualify for a lot of the "junior analyst" positions that are currently listed to day…I simply do not have the 'required skills'.
I don't agree with a lot of what's listed here.
Harlan, that's really interesting to hear you say (I suppose technically that should be be see you print?) - would you care to elaborate as to precisely what it is that you disagree with?
Is there perhaps a difference between the perceived required 'junior level' skills depending upon the remit of the role (e.g. incident response/digital forensics/cyber-security etc.)? I'm aware of the prevailing/conventional wisdom that these are opposite sides of the same coin, so the required skills are often considered to strongly overlap/be the same.
What to people think? Is it time that we reconsidered this viewpoint?