How did you get started in computer forensics, was there something in particular which appealed to you about investigating computer misuse?
When I first got started in computer security, I quickly noticed the number of people who were Linux or Unix gurus. The next thing I noticed was that there was an inability (or lack of desire) to transition to the Windows world. What I find most appealing about investigating computer misuse is that a great deal of it occurs on Windows systems, which is the platform that I’ve focused on, almost since the beginning.
Computer crimes require a good deal of technical knowledge in order for the examiner to thoroughly investigate them. However, this is not all that is required. The examiner must also have the ability to communicate his findings to the client, who may not be as technically proficient. And there is more to the picture than simply locating an artifact or two during an examination. The investigator must be able to correlate multiple artifacts, as the information can move from convicting to exonerating the individual. Finally, this field has no end of technical challenges.
Can you tell us something about where you work? What type of work do you do there?
I started out working for ISS on the Emergency Response Services team in Feb, 2006. Later that year, ISS was purchased by IBM, so I now do the same work but for IBM. Most of the work we do centers around issues of emergency computer incident response and forensic analysis.
Your book “Windows Forensics and Incident Recovery” was well received, can you give us some information about your next book, “Windows Forensic Analysis”?
This next book is not a follow-on or second edition to the first book. Instead, it’s a more technically detailed approach to performing live response and forensic analysis, specifically on Windows systems. There is more emphasis on log files, as well as emphasis on areas of study that have more recently been in focus, such as RAM dump or memory analysis, and Registry analysis. So far, the work I have done on the book has been very well received by the technical editors. I have to thank Jesse Kornblum and Troy Larson for their efforts in assisting me with this book.
In addition to writing books, you also manage to keep your blog at windowsir.blogspot.com up to date. Where does your motivation to write about computer forensics come from and what do you get out of the process?
I wouldn’t say that I really keep the blog up-to-date, per se. Much like others in the blogging world, one of the reasons I blog is because bookmarks simply have no context. Sometimes, I have no idea why I bookmarked something, whereas if I write a blog post, I can add context to the URL, and at the same time share that with others. Also, the blog is another vehicle for me to share information and things that I discover and come up with. If I have a challenge in a case that I’m working on, it has occurred to me that others might also have the same challenge, so I’ve posted information in my blog, as well as posted tools to the SourceForge site associated with the blog.
With the recent release of Vista, what new challenges might be in store for the forensics community?
A lot of responses to questions like this focus on technological issues, such as BitLocker and ReadyBoost, etc. I think that the real challenge that will be presented to the forensic community at large is one of communication and information sharing. The vast majority of folks within the “community” don’t have anything to contribute; they’re just there, and if they’re on public lists, they’re reading some of what others post, but for the most part, they don’t add anything to the knowledge base. A lot of the folks I talk to at conferences say things like, “I don’t have the time to do the research”, and I completely understand that…but there’s more to contributing than doing research and publishing. Some of us write tools and have even provided those tools to others, at their request…how about some feedback on the tools, their use, etc?
Not everyone has the ability or even the interest to program. Not everyone has the ability or interest to publish. No one is asking that everyone in the community do this. We all bring something to the table, and the strength of a community is based on those differences. If someone requests or downloads a copy of the tool, provide feedback to the author on how well it worked when deployed in various situations. Engage in discussions, provide your thoughts or opinions. Add to the foundation of knowledge in some way, even by simply asking the question, “why?”
As far as challenges specific to Vista, there are a number of issues that come up at first blush. Everyone’s pointing to BitLocker and whole-drive encryption as a “challenge”, but I think that we already have some viable solutions to this challenge in live response and memory/RAM collection and analysis. What about Registry analysis? How has the Registry changed with Vista, and how has it remained the same? How about memory analysis? We are just now starting to look at incorporating the pagefile into RAM analysis (thanks to Jesse Kornblum), and now Vista presents us with ReadyBoost. What about the Vista SuperFetch capability? I think that the real challenge with these issues will be to get the community to recognize their viability as forensic resources, so that study and research will be brought to bear on them and shared openly.
One of the questions we’re often asked at Forensic Focus is “how do I get started in a computer forensics career?” What advice would you give? What qualities do you think are most important for work in this field?
I don’t think that being a technological wizard is the most important quality to look for in someone in this field. To be “competent”, do you have to be able to understand and program in assembly? No. Computer forensics is about methodology and process, and communicating your results to others. From a hiring perspective, I’d rather hire someone that I need to work with to grow them technically, but they already have some sense of how to handle themselves in customer-facing situations, as well as the ability to write and communicate coherently.
Getting started in the field isn’t all that hard. Some examiners in the field come from programming and/or networking backgrounds, and it’s important to have a broader knowledge base than just imaging drives. One route for folks is the military…enlisting under contract to a specific specialty, or even a guarantee of specific job placement, is an option. It may also help to have some college coursework under your belt when you do that. Another option is to start out in an IT field, such as in the role of an administrator, and seek and develop your own opportunities from there. If your organization already has a security staff, you can bet that it is short-handed, so offering to assist will get you known to them.
What is the most rewarding part of your job?
Using technical acumen to address business issues.
What aspect of your job do you find most challenging?
Working within the confines of a business infrastructure, and not being able to bring all of my skills and resources to bear on an issue.
What do you do to relax when you’re not working?
I find incident response and computer forensics, particularly on Windows systems, to be fascinating, so it’s good that I have a job that I’m interested in. When I’m not working, I like to “think big thoughts” about technology and business challenges inherent to IR/CF, and how to address those challenges. I also like to spend time with my family and my church, lift weights, run, ride my horse, and read. I also get a great sense of accomplishment from completing a lot of the typical homeowner tasks, such as changing out light fixtures and chandeliers, power washing a deck, etc. Another hobby I’ve developed is an interest in beer, an interest that I promised my wife would stop short of actually brewing my own. Now and again, I like to go out someplace that I haven’t been before and try a new beer.
Harlan, thank you very much!