Henry Dalziel | Digital Forensics | June 19, 2013
In a previous blog post we looked at what it means to be a pentester (you might have heard the profession being termed an ‘ethical hacker’ or ‘penetration tester’).
As we mentioned in that post, there are good and bad sides to the job. Good because you are following your interest and hopefully passion, and bad because there is a considerable amount of auditing and report-writing.
Being a penetration tester is a niche within the world of IT. Another niche is digital forensics; and that is what this post is all about.
A quick word on why we are writing this post: we have a live chat feature throughout our site and we realized that the majority of inquiries that come through the live chat ask how they (the visitor to our site) can start their career within Information Security. The answer we give (the live chat is either handled by myself or Lily) is always the same: specialize! Seriously, that is our best advice. Rather than start off as a jack-of-all-trades, we suggest getting moving right away in a specialist field, and digital forensics is a great niche. Not only is it in demand but the pay is very good.
A computer can be a witness to a crime
Think about it. The drug dealer, terrorist, sexual predator or white-collar criminal can, and in most cases does, use computers to manage their affairs, business and crimes. Sure, they think they are being smart by encrypting their data, but that is where the digital forensics expert earns their pay. In much the same way that a physical witness can make or break a case, so it is with a machine that a criminal used, and being able to make that evidence speak as if it were a real witness.
Patience is key
Just like our post about being a penetration tester said, patience is key. As a matter of fact, even a bad-guy hacker needs patience! We all do! A digital forensics investigation can take days or even months to complete; the duration depends almost wholly on the quantity and quality of the data and the level of encryption on the hard drives.
Windows, alas, is also a key OS you must learn inside and out
We use Linux more than we do Windows in the office (our designer uses Mac and Windows), but if you’d like to get into the forensics scene then Windows is your friend. We’d suggest switching your main OS to Windows if you have swung to Linux. We blog a lot about Linux penetration testing distros, with our favorite being BackBox, but let’s face it, most of the civilized world uses Windows, and the computers on which you will be researching will very likely be Windows. Windows 7 and, to a degree I guess, 8 are the most widely used, and a working knowledge of Vista and XP will certainly be useful. What is critical is that you understand the inside of the Operating System intimately well, not least the registry and the entire file system layout. You have to know what you are looking for, and quickly. Your client (be they Police or a Fortune 500) will need deadlines to be met, so you’ll need to work as fast as you can. Having to learn where and how to access files mid-investigation might be costly, so learn the system now, today!
Now for a contradiction!
In the above we said to use Windows as your daily OS – but you will, and must, become very familiar with a Linux forensics distro. We’d recommend CAINE, a distro we’ve blogged about a few times before. The central benefit of learning a specific Linux forensics distro is that all the necessary tools you’ll need to perform a concise and complete forensics audit are contained within the distro, so learn it!
What does it take to be a forensics expert?
Passion, a capacity to learn, a desire to become an expert and a curious mind are the inherent qualities required to become a successful digital forensics expert. Hardware, software and encryption methodologies are all evolving on a weekly basis – join an email list and you’ll see what we mean.
A digital forensics certification will certainly help, as will work experience or, if you are just starting out, evidence of your exposure to the subject by having joined a local hacking club, attended conferences, etc. If you are invited to an interview you might be asked to perform a forensics test, such as recovering deleted files. Learn how to do this so that you can do it in your sleep!
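One of the standard ways to recover a deleted file is signature carving: a deleted file's directory entry is gone, but its bytes usually remain in unallocated space until they are overwritten, so you scan the raw image for a known file header and walk the format's own structure to find where the file ends. The Python below is an added example for this post (not code from the original post or from any tool it mentions). It builds a constructed stand-in for a disk image containing one "live" PNG, one "deleted" PNG and one truncated fragment, then carves out the two intact files by checking every chunk CRC rather than trusting the first IEND it sees, so the overwritten fragment is rejected instead of being glued to the next file. The file names and the sample data are constructed for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type + data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def make_png(width: int, height: int, rgb: tuple) -> bytes:
    """Build a minimal valid 8-bit RGB PNG of a solid colour (constructed sample file)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline is a filter byte (0 = none) followed by the RGB pixels.
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def png_extent(image: bytes, start: int):
    """Walk the chunks of a PNG that begins at `start`.

    Returns the offset just past the IEND chunk if every chunk is present and its
    CRC matches, otherwise None (header with no intact body: nothing to recover).
    """
    if not image.startswith(PNG_SIGNATURE, start):
        return None
    pos = start + len(PNG_SIGNATURE)
    while pos + 12 <= len(image):
        length = struct.unpack(">I", image[pos:pos + 4])[0]
        end = pos + 12 + length
        if end > len(image):
            return None  # declared length runs past the image: overwritten or truncated
        ctype = image[pos + 4:pos + 8]
        body = image[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", image[pos + 8 + length:end])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return None  # CRC mismatch: this chunk is not the file's own data
        pos = end
        if ctype == b"IEND":
            return pos
    return None


def carve_pngs(image: bytes) -> list:
    """Signature-based carving: return every intact PNG in the image, whether or
    not any file system still points at it. Damaged candidates are skipped."""
    found = []
    pos = 0
    while True:
        start = image.find(PNG_SIGNATURE, pos)
        if start == -1:
            return found
        end = png_extent(image, start)
        if end is None:
            pos = start + 1  # keep scanning past a header with no recoverable body
        else:
            found.append(image[start:end])
            pos = end


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw disk image (not a real acquisition): a live
    PNG, a fragment whose tail was overwritten with zeros, and a 'deleted' PNG
    whose directory entry is gone but whose bytes are untouched."""
    slack = b"unallocated " * 40
    live = make_png(2, 2, (255, 0, 0))
    fragment = PNG_SIGNATURE + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 4, 4, 8, 2, 0, 0, 0))
    deleted = make_png(1, 1, (0, 0, 255))
    return slack + live + slack + fragment + b"\x00" * 256 + deleted + slack


if __name__ == "__main__":
    for i, data in enumerate(carve_pngs(build_sample_image())):
        print(f"carved_{i}.png: {len(data)} bytes, intact={png_extent(data, 0) == len(data)}")
```

Real carvers (and the tools shipped in CAINE) do the same thing at scale over a forensic image, but the principle to practise is the one shown here: trust the file format's own structure, not just the header and the first trailer you find, or a truncated remnant will be stitched onto the next file and both will be reported as one corrupt recovery.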
If you have got this far and you are still reading this then clearly you are interested – so go for it! There is demand for digital forensics experts, especially good ones, so get involved! Our final tip is to have a think about becoming a mobile device forensics expert. Smart phones are now commonplace, and there are not that many qualified professionals out there. Mobile device forensics would therefore be a very good choice if you are starting your career in security or thinking of migrating your career over to forensics.
Do you work in forensics? Let us know, we’d love to have and share your thoughts!