XWays Forensics  

Page 2 / 3
PaulSanderson
(@paulsanderson)
Senior Member

When I worked for Booz Allen Hamilton we got something around 500-1,000+ resumes for certain positions.

Obviously I work in a different world and I have never seen any CF positions where there are 500+ applicants for a position.

When I last worked in a management role where we got 100+ CV's then a quick read through of the summary and quals was enough to weed to a reasonable number. But that is a different issue.

I have the $3,500 - $4,000 for EnCase or FTK, but it seems crazy to buy until I get a job.

If a company was screening based on keyword searches then I prob wouldn’t want to work for them anyway, but if you feel that spending $3.5-$4K on an encase licence in prep for an interview is a good idea go for it. Once you have a job of course then you shouldn’t need to buy your own software anyway.

Just offering my opinion, as an interviewer, that it wouldn’t impress me.

Posted : 08/08/2010 5:15 pm
Jamie
(@jamie)
Community Legend

Just offering my opinion, as an interviewer, that it wouldn’t impress me.

Nor should it and I think that's because we're discussing two different things - skillset (i.e. familiarity with Encase) and understanding of forensic issues. Presumably it's not unreasonable to expect an interviewer to be looking for both (and more likely to be impressed by the latter).

Posted : 08/08/2010 5:24 pm
PaulSanderson
(@paulsanderson)
Senior Member

Actually I was discussing the merits of spending $4K on a licence for encase in prep for an interview.

Posted : 08/08/2010 5:30 pm
Jamie
(@jamie)
Community Legend

Fair enough, and I'd agree there are probably better ways to prepare and/or spend that kind of sum pre-interview.

Posted : 08/08/2010 5:45 pm
jaclaz
(@jaclaz)
Community Legend

If a company was screening based on keyword searches then I prob wouldn’t want to work for them anyway, …

Right!

I don't care to belong to any club that will have me as a member

Seriously, if applications are sorted by keyword searches, the Company has a problem and you can always write "I do not have a long experience with Encase", which will be picked up as well.

Conversely, I personally wouldn't employ an unoccupied person that just spent 3-4 K US$ in order to impress me, as - in my view - he would probably have some mental problems…

If you are going to build your own freelance profession, it's all right, but buying a license for a program that will later be given to you by your employer seems to me like wasted money.

jaclaz

Posted : 08/08/2010 6:20 pm
chad131
(@chad131)
Member

Can't you find access to a dongle to prep without spending your own $$$? Lab time @ a college/university, borrow one over a weekend, apply for an EnCE and use the certification version, or have someone forward a dongle to you using USB over Ethernet?

Posted : 08/08/2010 8:26 pm
armresl
(@armresl)
Community Legend

Tap Tap Tap…

Good thoughts Paul.

Interview wise I think one would be better off learning FTK or EnCase, but XWays seems like a GREAT tool for the price.

What an odd thing to say. As someone who has been an interviewer in the past I would not really care whether you had used either of these packages - frankly you can pick up the basics in a day. I would however be very interested in what you know about file system fundamentals, the structure of the registry, metadata in Word files, what sort of information is left behind by P2P applications, how you would go about determining what is left behind for an app you had never seen…

It is not what you use but what you do with it. That you had gone out and spent your own money on encase would not impress one bit.

Posted : 08/08/2010 8:37 pm
clownboy
(@clownboy)
Junior Member

If the aim is to get experience to allow you to get a job in a forensic shop then purchasing the full versions of forensic tools would not be required.

First off, you will also probably start out doing acquisitions, so I would practice these, and there are a ton of free and heavily used tools available (FTK Imager, versions of Helix, Raptor, CAINE, a new one I haven’t tested yet, Paladin, etc.). Second, if you get a job in a shop, it would be very rare for you to need your own tools on a job. Most shops will have EnCase and probably FTK. In the rare cases where you will need, or be allowed to use, your own tools you can just install the versions and use the company dongles. Third, if you buy your own tools you will end up paying a lot in yearly maintenance fees. You will save a lot of money starting off with free tools and demos.

As noted in a comment above the FTK demo version is a limited working version of FTK. With EnCase if you get the EnCase Certified Examiner study guide you also get a limited working version of EnCase v6. The benefit of the EnCase study guide is that you also get case files and instructions to work with. With both tools you can easily work on small data sets such as found on a floppy, flash drive, disk media or hdd. Put in some practice with these free tools and you can gain the experience you need to put on a resume.

I would also suggest listening to the Forensic 4-Cast podcast, episode 31, you will learn an interesting bit about getting hired in a forensic company.

If you are going contracting, well, that is a different story. I contract and my main tool is X-Ways with FTK as a backup. I do acquisitions with a number of tools. I do not own EnCase and I have let my FTK maintenance lapse.

Posted : 08/08/2010 10:10 pm
armresl
(@armresl)
Community Legend

You can't get the experience you need by using only trial tools.

Think of it from this standpoint also: if you were interviewing for a job and the person said "So what kind of experience do you have with FTK or EnCase?" - "Well, I have EnCase acquisition and the FTK demo and have used both a lot."

I can from my own experience and from talking to others say that while data is supposed to be "it is what it is", it doesn't always get interpreted that way by tools. Why do we cross-validate? Just for that reason. If X-Ways gets a certain result, are you going to cross-validate with a trial version? That may work for just messing around with files, but if you ever had a real case, that won't fly. Also, while it may have been read that ABC software is a fully functional version with the exception of a file number limit, there are often other restrictions placed on software which aren't widely known.

One other thing I would say is that working on a small data set from a CD, floppy, thumbdrive, etc. is far from a good representation of what is encountered in actual cases.

Posted : 08/08/2010 11:37 pm
armresl
(@armresl)
Community Legend

Can't you find access to a dongle to prep without spending your own $$$? Lab time @ a college/university, borrow one over a weekend, apply for an EnCE and use the certification version, or have someone forward a dongle to you using USB over Ethernet?

I am not sure about how you do things, but I don't loan my dongle to anyone, and the dongle is licensed to a specific person or company, loaning it or letting someone borrow it could possibly invalidate any work done using that and for sure will be frowned upon by most in the community and by the developers of the software. What if something happens to that dongle while you have it, then the owner has to explain why it broke and how. Not worth it IMHO.

Even if you are using the dongle for prep, people in this community seem to follow guidelines and EULA's.

Posted : 08/08/2010 11:43 pm
jaclaz
(@jaclaz)
Community Legend

You can't get the experience you need by using only trial tools.

But you also cannot get it with "full" versions.

Experience is made by experience, it means you need to have a few months/years of work, NOT a few weeks training/studying, no matter if with the trial or with the "real" thing, what you miss are the real life cases, not the tools.

At the most you may get familiar with the specific tool's options (and this is the same, or mostly the same on any trial/limited version).

On the other hand, I presume that the job is intended towards a "junior", not a "senior" forensic examiner or whatever, and probably it will be first job, so the company cannot at the same time ask for experience AND allow a "first timer"…

jaclaz

Posted : 09/08/2010 12:02 am
dietro
(@dietro)
Member

and it's less expansive

I'm pretty sure you meant expensive, but in actuality, the typo is just as accurate. 😉

Posted : 09/08/2010 2:46 am
armresl
(@armresl)
Community Legend

I don't believe there should be a junior or a senior forensic examiner. Either you know your material or you don't, and if you know your material then you will land a job; if you don't then it will show itself.

Actually you can get more experience on "full" tools where functionality has been shut off for those full tools. If you've never examined a specific mailbox type and in the trial version that feature is shut off then you will never gain experience unless you have a full version or another tool.

As far as the not missing the tools idea, you do miss the tools, especially if you go to a shop which only uses a specific tool and then guess what, you don't know how to validate with any other tool, or you run into a piece of data which your shop's tool won't read.

This is not the type of business to be frugal on, and while buying a tool unnecessarily is not a great idea, being a one trick pony is equally as bad.

You can't get the experience you need by using only trial tools.

But you also cannot get it with "full" versions.

Experience is made by experience, it means you need to have a few months/years of work, NOT a few weeks training/studying, no matter if with the trial or with the "real" thing, what you miss are the real life cases, not the tools.

At the most you may get familiar with the specific tool's options (and this is the same, or mostly the same on any trial/limited version).

On the other hand, I presume that the job is intended towards a "junior", not a "senior" forensic examiner or whatever, and probably it will be first job, so the company cannot at the same time ask for experience AND allow a "first timer"…

jaclaz

Posted : 09/08/2010 4:00 am
clownboy
(@clownboy)
Junior Member

I think the level of experience required depends a lot on the focus of your job and career search. If you are going for LE/Incident Response type positions, then yes, a greater level of experience is required prior to getting a job. But at the same time in the instance above I would place less emphasis on the forensic tool experience and more on the investigative experience.

In my industry, civil litigation mainly, there is a lot of room for those entry-level or "junior" positions. In fact many companies working in this industry could only do so with the help of entry-level or junior-level people. Most of what we do, 80% or better, is acquiring data and processing it out to EDD tools. It might not be as flashy as being a highly skilled forensic examiner but it can be a decent living and you can always move up when the opportunity presents itself.

As for tools, I think they are what you make of them. For those of us that are intent on working our way into the industry, free tools and training may be our only option. The FTK demo is only good for 5000 files; does that mean I cannot create an interesting project? One certification training program I have taken started with a floppy disk with 11 or so files on it. I believe the second part of the training was also below the 5000 file limit. Free or limited use tools can extend forensics training opportunities, and that seems pretty useful.

Finally, I also did a disservice to free tool providers by forgetting TSK, SIFT and WinFE in my last posting and I am sorry.

Posted : 09/08/2010 7:58 am
armresl
(@armresl)
Community Legend

Just me here, but IMHO I don't consider imaging hard drives and loading them up in EDD software computer forensic work; I think that is IT work: there is no investigation, no conclusions, no opinions. I also don't see a way to move up if the only task is imaging hard drives and loading them up. You would still lack the requisite knowledge to do anything else. If you started out working cases, yes, but imaging drives, no.

I think the level of experience required depends a lot on the focus of your job and career search. If you are going for LE/Incident Response type positions, then yes, a greater level of experience is required prior to getting a job. But at the same time in the instance above I would place less emphasis on the forensic tool experience and more on the investigative experience.

In my industry, civil litigation mainly, there is a lot of room for those entry-level or "junior" positions. In fact many companies working in this industry could only do so with the help of entry-level or junior-level people. Most of what we do, 80% or better, is acquiring data and processing it out to EDD tools. It might not be as flashy as being a highly skilled forensic examiner but it can be a decent living and you can always move up when the opportunity presents itself.

As for tools, I think they are what you make of them. For those of us that are intent on working our way into the industry, free tools and training may be our only option. The FTK demo is only good for 5000 files; does that mean I cannot create an interesting project? One certification training program I have taken started with a floppy disk with 11 or so files on it. I believe the second part of the training was also below the 5000 file limit. Free or limited use tools can extend forensics training opportunities, and that seems pretty useful.

Finally, I also did a disservice to free tool providers by forgetting TSK, SIFT and WinFE in my last posting and I am sorry.

Posted : 09/08/2010 8:34 am