XWays Forensics  

Page 3 / 3

Interview wise I think one would be better off learning FTK or EnCase, but XWays seems like a GREAT tool for the price.

What an odd thing to say. As someone who has been an interviewer in the past I would not really care whether you had used either of these packages - frankly you can pick up the basics in a day. I would however be very interested in what you know about file system fundamentals, the structure of the registry, metadata in Word files, what sort of information is left behind by P2P applications, how you would go about determining what is left behind for an app you had never seen……

It is not what you use but what you do with it. That you had gone out and spent your own money on EnCase would not impress one bit.

I have a concurring opinion with Paul on this one. What I look for in an examiner is the fundamental forensic skill set that an examiner has built up. One of the mistakes I see people make when, for example, they are setting up a digital forensic team is to start with the question asking what tools they should get for their team?

I get this question quite a bit and while I'm always happy to talk about tools and the like with my fellow examiners, it shouldn't be the first topic of consideration when starting up a team or hiring an examiner. The basis for building a team should be to meet customer requirements and those requirements are going to drive things like hiring decisions, process development and tool selection. Don't let the tools drive your processes or who you hire. You can always teach someone a tool, but it's harder to find people who are passionate and curious about what is going beyond the tools.

All that said, it certainly is an advantage for an applicant to be familiar with the tools that a team is already using. I'd rather not have to spend time and money teaching someone the tools, but if I'm using tools A + B primarily and I have a superstar candidate who is using tools A + C, I'll likely just make sure to get tool C (budget permitting) so my new superstar can continue on with his or her Kung Fu.

Okay, Paul. I owe you a beer. I think I just crafted the outline of a future blog post.

Posted : 09/08/2010 10:34 pm
Senior Member

Okay, Paul. I owe you a beer. I think I just crafted the outline of a future blog post.

Ah OK - I'll settle for a beer and stop my (only just started) blog post )

We started yesterday immediately after posting my initial comment to this thread but not got past the first couple of paragraphs - too much programming and not enough time

Posted : 10/08/2010 12:09 am
Senior Member

I don't believe there should be a junior or a senior forensic examiner. Either you know your material or you don't, and if you know your material then you will land a job, if you don't then it will show itself.

Actually, I disagree, somewhat. A "junior" examiner may have all of the operational knowledge that is required but I believe that there are factors that distinguish senior examiners as there are in many professions. Experience teaches you many things that you can neither learn nor teach.

To draw from my experiences in medicine, a physician who has been in practice longer is almost invariably more efficient than even the brightest of inexperienced practitioners. I mentioned some of the reasons in a recent Forensic Focus column but part of what comes with experience is judgement.

I see no difference in digital forensics, in fact, an attorney with whom I have worked and I noticed that a case we just finished was far more efficient and far less expensive than almost an identical case that we had a few years ago. In the more recent case, we were able to use the knowledge and experience that we had gained working on other cases to come up with a highly focused strategy for the current case that brought our clients results with far less overall effort than had been required in the past. In the process, we elected not to do things that might have been considered "standard practice" because we (correctly) believed that what we had done was compelling enough to win our case.

If you are involved in litigation, experience will also teach you how to deal with judges, juries and cross-examinations, something that is hard to learn except through experience. Learning how to read a judge or jury and how to adjust your testimony so that complex issues can be understood, simply, is part training, part innate ability and a good deal of experience.

So I do think that there is a difference between "junior" and "senior" examiners even if the names aren't, necessarily, descriptive.

Posted : 10/08/2010 12:19 am
Community Legend

Experience teaches you many things that you can neither learn nor teach.

Experience that most brutal of teachers. But you learn, my God do you learn.


Posted : 10/08/2010 3:02 pm