Channel: Forensic Focus Forums - Recent Topics
Viewing all 20121 articles

Employment and Career Issues: Questions about working in Forensics.

Okay, I'm going to come at this from a different perspective. I'm relatively new to forensics but my background seems to be a good fit. I've been in low-level infosec for most of my career. A person might note that there are many similarities between an infosec red team member and a forensic examiner: the processes and the techniques are similar in many respects.

Questions:

1. What tools do you use most often?

Visual Studio, Neo Hex Editor, Google, Absolution (cuz it's my baby), file carvers, data recovery tools, any other software deemed useful, and various hardware "tools" required to do the work. Notable examples:

a) Forensic write blockers for USB and IDE
b) A portable ITX system with an exposed PCI slot for SCSI and Fiber Channel cards
c) Adapters, adapters, adapters... and some docking stations.
d) Paperwork! Checklists for each system and each form of media, verification forms, and other things to make sure each system is collected properly with care.
e) A high resolution camera capable of making videos as well as photographs. You'll want to photograph everything.
f) A safe for keeping media
g) A fast computer system with lots of RAM and drive space. Hot swap drive bays a plus.
h) A computer repair kit for opening computers ... etc. etc.

You get the idea -- other forensic experts may also have phone forensics tools, or on-device data extraction tools... all depending on their line of work. But in short, you'll need whatever tools work for your area AND you'll want to construct the procedures you'll follow in advance before attempting anything.

2. What credible resources such as publications, forums, societies or Internet groups would you suggest to a new graduate?

I belong to ISACA, which is taking an interest in forensics now. I'd love to read other people's answers.

3. What is the most rewarding aspect of your job?

I don't want rewards -- so let me rephrase the question. If you are asking about what motivates me, I believe someday computer forensics will help unite families of missing people faster and save lives, and that my contributions will help give people a life that would have otherwise been stolen from them. No rewards; just hoping that it happens.

4. What personality traits and academic background are important for today's digital forensics investigators?

Based on what I've seen so far: intelligent, curious, detailed, logical, open minded, "good bit" enabled, and a cast iron stomach (which I don't have, unfortunately). Academically, get a master's degree or higher in order to be able to render expert opinion as testimony in court. It may be required to get a computer forensic certification as well.

5. Is it prudent to specialize in one or two tools/devices or be a "jack of all trades" investigator?

I don't know how anyone could be considered an expert witness with a knowledge of only one or two tools. All industries eventually standardize on putting low cost technicians on a device, so eventually this might be the way things become. It's the "jack of all trades" that will always win here. Someone will need to direct the technicians anyway, and if you want a career out of this then that person is YOU. You need to learn how businesses work, how computers work at low levels, court procedures, accounting, tools, how to manage clients, etc. Lawyers are also highly educated jacks of all trades, so the more dynamic you can be with them, the better. What other way is there to phrase this except maybe: be a leader.

Eric

General Discussion: Car Camera Forensics

I have requested access to the vehicle but it may take a few days before I can report back.

General Discussion: Password Recovery Software

Topic split -> Excel VBA passwords

Mobile Phone Forensics: Difficulties acquiring iOS 7.1?

Has anyone dealt with acquiring an iOS 7.1 device since its rollout a couple of weeks ago? I had an iPhone 4 GSM come in yesterday running it. XRY latest logical was able to grab the usual stuff, that which can be readily viewed on the device itself. Paraben DS latest would not touch it in logical or physical. Lantern Light / Imager would not do it either, throwing an error to the log about it not being an HFS+ partition.

General Discussion: Excel VBA passwords

Thanks jamie. Documented field "ProjectPassword" (for later Office versions, but the method/approach shouldn't be that much different, if different at all, for 2000/XP/2003):

http://msdn.microsoft.com/en-us/library/dd924969(v=office.12).aspx
http://msdn.microsoft.com/en-us/library/dd949453(v=office.12).aspx
http://msdn.microsoft.com/en-us/library/dd921085(v=office.12).aspx
http://msdn.microsoft.com/en-us/library/dd925094(v=office.12).aspx

Also: http://download.microsoft.com/download/2/4/8/24862317-78F0-4C4B-B355-C7B2C1D997DB/[MS-OVBA].pdf

jaclaz

Digital Forensics Job Vacancies: Cyber Investigator/Analyst

Servoca Resourcing Solutions are currently seeking an experienced Analyst/Investigator for a permanent position in a Government organisation based in London.

The position will involve:
• To provide quick time analysis of threat information and technical data obtained from a diverse range of internal and external sources. The analysed information must be quickly prioritised, and the role holder will identify urgent issues and escalate relevant material in a timely and accurate manner.
• To investigate where potential security incidents have taken place, including proactive investigations to identify suspicious activity on the network.
• To provide verbal and written briefings to a high standard for escalation to local management.
• The role will involve the use of a wide range of security tools and applications, and will necessitate an aptitude for conducting detailed and accurate analysis independently, while also working in a team to fulfil joint objectives.

Essential experience:
• Proven experience as an intelligence analyst or investigator in a law enforcement, intelligence or business environment, with a significant amount of time spent investigating cyber threats.
• Excellent proven investigative and analytical skills.

Desirable:
• Experience analysing network traffic, including full packet capture data.
• Experience utilising network forensics tools.

Contract: Perm
Location: London
Salary: £50K plus benefits

Please send CVs to SRS@Servoca.com quoting reference Cyber1

General Discussion: Microsoft Outlook Recovery

Maybe doing some searching before starting yet another new thread on this topic? http://bit.ly/1pyHCYQ jackaz

Mobile Phone Forensics: Extracting mail content from GMail App on iphone 5?

Running Cellebrite on iPhone 5. Owner using GMail app for mail. See counts, time/date stamps, but no content. Being told this is an encryption issue. Anyone else run into this? Thanks,

Mobile Phone Forensics: Extracting mail content from GMail App on iphone 5?

dsschell wrote: Running Cellebrite on iPhone 5. Owner using GMail app for mail. See counts, time/date stamps, but no content. Being told this is an encryption issue. Anyone else run into this? Thanks,

:D What's normally done in this situation (emails) is having root privileges to be able to extract and read the emails; in this case jailbreaking the phone could resolve the problem. Otherwise I would recommend that you contact Cellebrite, as they keep on updating their product to parse newer versions of apps (i.e. coming up with a mechanism to bypass or decrypt the encryption methods used by Gmail).

General Discussion: Question about SOP in my workplace

jtingkir wrote: ... could you guys be so kind and point out if my way of doing things is wrong and I should've followed the SOP.

The SOP, whatever it is (written or unwritten), is something your employer or department or whatever requires or expects you to follow, for reasons stated or unstated. Failure to follow it is also something that is handled by the same environment: it may be left unsaid, or it may, for example, be clearly stated that repeated infractions are grounds for dismissal. We don't know; you should.

Quote: 1. SOP: make image of evidence on different HDD (new evidence means new HDD).

There are several reasons for doing so, but which apply in your case is something you will have to ask yourself or your own organization about. One reason is to avoid having to hand over unrelated evidence to a second investigating instance. If you have images from CASE1 and CASE2 on a HDD, add an image from CASE3, and later discover that CASE3 contains contraband, say, IIOC, what now? In the general case you obviously will have to hand over any HDD that contains that material to LE. How does that affect your ability to work on CASE1 and CASE2? Have you broken contract clauses related to CASE1 or CASE2, say, something about keeping the material secret? How will that damage your company directly (in damages to CASE1 and CASE2 principals), and in the future (tainted reputation for sloppy evidence handling), and possibly even regarding your own credibility in other ongoing legal cases where you are involved? You may not be waist deep in dung at the moment, but you appear to have taken a few steps closer to the sewage pool than anyone reasonably can wish.

Quote: 2. SOP: put the evidence from point 1. on FRED, extract based on keyword or based on request of client (usually some other just request a full dump on allocated and carve the unallocated) ... I do it on my laptop, it took some time on my laptop, but beats walking back and forth to the FRED, because it's in a different building and not connected via LAN.

And now you may have that contraband on your laptop, and will have to hand that over to LE as well. Does that affect your ability to conduct business related to other investigations you do? Does it have any other unwanted effects? Your company probably wants to keep business risks under control; your failure to follow your SOPs may have impaired that. This is almost certainly an incident in your company: that is, an unwanted event. Do you also do incident handling as part of your job? Risk identification, assessment, containment, mitigation, and everything else seems to be in order. How would you start that process?

Added: Yes, I've been in this neighbourhood myself. However, you are on your way to becoming an expert in computer forensics. A wise man once defined an expert as someone who has made all the mistakes and errors possible within his particular area of expertise. Best of luck with the mistakes you have yet to make.

Digital Forensics Job Vacancies: Cyber Forensics contract opportunity (London) - AVAILABLE!

Hello, BeecherMadden is a specialist security and risk recruitment firm, based in London, whose directors have up to 8 years' individual experience recruiting in information security. We currently have (as of March 2014) an exciting contract opportunity for a Forensics Consultant, for an international client (located in London). If you are available to start on either 7th or 14th April, in London, and you are experienced in any of the following areas, please contact Luke Vile at BeecherMadden for more information:

- Ideally have experience and training with the Police, Military or a similar organization
- General and dynamic incident investigative experience
- Detailed understanding of digital forensics
- In depth knowledge of criminal and civil court evidence gathering, preservation and transfer

Please contact me ASAP for details on the role: 020 7382 7980 / luke.vile@beechermadden.com

Digital Forensics Job Vacancies: IT Systems Administrator/Forensic Technician - Cambridge

PTP Consulting LLP are seeking an experienced IT Systems Administrator who has an interest in gaining additional skills in a variety of digital forensic disciplines. PTP Consulting LLP is a PCI Forensic Investigator (PFI) and QSAC providing high end audit, advisory and digital forensic services to a diverse range of organisations spanning many business sectors.

The role would suit a candidate who has a solid background in the administration of secure network environments but who may be looking for a change of direction or new challenges. Although the primary purpose of this role is the effective administration of the company networks, we are actively seeking someone who is keen to learn and progress into the field of Digital Forensics, Incident Response, Data Processing, PCI-DSS and ethical hacking. The role will be based from the Cambridge office, and may involve some travel throughout the UK.

As a Systems Administrator, your primary focus is to support the reliable and effective provision of a highly secured IT infrastructure through the provision of network and server configuration, maintenance and team support. Key responsibilities for this role will include:
- Ensuring operational issues are tracked, monitored and resolved;
- Developing configurations and testing remedial and preventative maintenance for core systems;
- Scripting, web development etc. to provide easy to use operational support;
- Answering technical queries, system performance tuning and troubleshooting;
- Helping solve problems by thinking widely and applying innovative solutions.

This role will develop, through training and practical work assignments, to include performing investigative tasks, conducting 'on-site' consultancy, acquisition and analysis of forensic evidence, and report writing. You will be an enthusiastic self-starter who is flexible, proactive and able to work efficiently as part of a team, and independently when required.

Candidates should be able to demonstrate the following essential personal qualities: Flexibility; 'Can do' attitude; Willingness to learn and progress; Enthusiasm; Team Work; Problem Solving; Excellent communication skills and customer focus.

The following skills are essential for this role:
- A minimum of 3 years of IT Administration experience;
- Comprehensive understanding of Windows 2008 Server environment and configuration, including virtualised systems;
- Demonstrable experience of working with Active Directory, Windows Network Services (e.g. File and Print, DNS), Microsoft Exchange, Microsoft Systems Centre, Microsoft PowerShell scripting;
- Understanding of Linux server, desktop and virtualised systems;
- A good understanding of advanced security configuration on both outward facing and air gapped network environments;
- The ability to work without supervision; effective time management and strong organisational skills;
- The ability to work to deadlines and see tasks through to completion.

The following skills are desirable but not essential:
- Experience of conducting forensic imaging and acquisition of computer and storage media.
- Experience with standard forensic toolsets e.g.: EnCase, FTK, DD, WFT, Linux Forensic tools etc.
- Experience with different operating systems such as Linux / Windows / Mac operating systems.
- Experience of analysing forensic evidence, report writing and the ability to communicate complex technical data to the lay person is also a must have.
- Knowledge of programming with one or more of the following languages: Perl, Python, Ruby, PHP, ASP, SQL, HTML etc.
- Driving License / Car

Please send a CV and a covering letter demonstrating why you are the right candidate and why you wish to join PTP Consulting to: jobs @ ptpconsultingllp.com. Please include the job title in the email.

General Discussion: Car Camera Forensics

Have you considered using the OBD or UPA port, instead of USB? It might fall under the driver's supplementary vehicle instrumentation, or vehicle telematics. Newer Intelligent Parking Assist Systems (IPAS) tie directly into OBD because they need to know the gear position and steering wheel turn for the projection curve (curved guidelines). You can get OBD and UPA to USB kits for less than $10. There is even a Bluetooth version, where data goes to an Android phone.

Classifieds: XRY XACT FOR SALE

Hi there, I've been trying to PM you but the messages won't seem to send. Can you please email me on zjzack at gmail dot com? Thanks in advance

General Discussion: Microsoft Outlook Recovery


Mobile Phone Forensics: Can a SDCard be linked to a phone?

Rich2005 wrote: This may not be helpful but just in case - off the top of my head I seem to remember in the past seeing firmware versions of devices also stored in images (probably the EXIF). So whilst this wouldn't help you tie the card to a phone exactly/definitely, it might be enough to narrow down to which of the devices the card likely belonged, if a likelihood is enough for your purposes in this instance. Do you not think this would merely show that the card was in that phone once?....

Forensic Hardware: File Archiving Equipment

Those are exactly what I'm looking for. Thanks. Now I just wonder if there's anyone with experience with any of these.

Mobile Phone Forensics: Samsung SGH-i747 And. 4.1

meadowscl3 wrote: I have a GSM Samsung SGH-i747 with Android 4.1. The device will not connect with my Cellebrite UFED (setting changed as prompted). Has anyone had a similar problem?

I was recently having issues doing a physical acquisition of a Samsung Galaxy S3 LTE model SGH-i747m. I had some help from Cellebrite but was unable to get a physical extraction, only logical. I did finally manage to get a physical extraction using the latest version of XRY. This included email, which is what I was after to begin with.

Mobile Phone Forensics: Can a SDCard be linked to a phone?

Coligulus - yeah - as I say - it's most certainly not definitive proof of anything in any way. But could give him an indication (that's even if he can find such a model + firmware embedded). Obviously, for example, the person might have used all 3 memory cards in all 3 different devices at some point, swapping them around.
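Rich2005's suggestion in the two posts above (that the device model and firmware recorded in each photo's EXIF can narrow down which handset wrote the files on a card) can be turned into a simple triage script. The following is an added example, not code from either poster or from Forensic Focus: it parses the JPEG APP1/Exif segment by hand, reads the TIFF Make (0x010F), Model (0x0110) and Software (0x0131) tags, and tallies the distinct fingerprints seen across the images on a card. The sample "card" is constructed in-line from minimal header-only JPEGs so the script runs offline; the handset and firmware strings in it are made-up sample values, not data from any real case. As the posts say, a match only shows the card was in such a phone at some point, never exclusive ownership.

```python
"""Tally Make/Model/Software EXIF fingerprints across JPEGs on a memory card."""
import struct
from collections import Counter

# TIFF/EXIF tag numbers for the identifying strings
TAG_MAKE, TAG_MODEL, TAG_SOFTWARE = 0x010F, 0x0110, 0x0131
TIFF_ASCII = 2  # TIFF field type for NUL-terminated ASCII


def build_exif_jpeg(make, model, software):
    """Construct a minimal JPEG: SOI + APP1(Exif) with an IFD0 holding three ASCII
    tags.  Header only, no image data; used to fabricate the sample card below."""
    tags = [TAG_MAKE, TAG_MODEL, TAG_SOFTWARE]
    texts = [make, model, software]
    # TIFF header (8) + entry count (2) + entries (12 each) + next-IFD offset (4)
    data_offset = 8 + 2 + 12 * len(tags) + 4
    entries, blob = b"", b""
    for tag, text in zip(tags, texts):
        value = text.encode("ascii") + b"\x00"  # count includes the NUL
        if len(value) <= 4:  # short values are stored inline in the entry
            entries += struct.pack("<HHI4s", tag, TIFF_ASCII, len(value), value.ljust(4, b"\x00"))
        else:  # longer values live after the IFD, addressed from the TIFF header
            entries += struct.pack("<HHII", tag, TIFF_ASCII, len(value), data_offset + len(blob))
            blob += value
    tiff = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(tags))
            + entries + struct.pack("<I", 0) + blob)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1


def read_exif_strings(jpeg):
    """Walk JPEG marker segments up to SOS, find APP1/Exif and return
    {tag: string} for Make/Model/Software (empty dict if none present)."""
    if jpeg[:2] != b"\xFF\xD8":
        return {}
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            return {}  # not at a marker: corrupt or truncated file
        marker = jpeg[pos + 1]
        if marker in (0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:
            pos += 2  # stand-alone markers carry no length field
            continue
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(segment[6:])
        if marker == 0xDA:  # SOS: entropy-coded data follows, stop scanning
            break
        pos += 2 + seg_len
    return {}


def _parse_ifd0(tiff):
    """Parse the first IFD of a TIFF blob (either byte order) for the three tags."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return {}
    magic, ifd_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42 or ifd_off + 2 > len(tiff):
        return {}
    (count,) = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])
    found = {}
    for i in range(count):
        entry = tiff[ifd_off + 2 + 12 * i:ifd_off + 14 + 12 * i]
        if len(entry) < 12:
            break
        tag, typ, n = struct.unpack(endian + "HHI", entry[:8])
        if tag not in (TAG_MAKE, TAG_MODEL, TAG_SOFTWARE) or typ != TIFF_ASCII:
            continue
        if n <= 4:
            raw = entry[8:8 + n]
        else:
            (off,) = struct.unpack(endian + "I", entry[8:12])
            raw = tiff[off:off + n]
        found[tag] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return found


def attribute_card(jpegs):
    """Count how many images carry each (Make, Model, Software) fingerprint."""
    counts = Counter()
    for data in jpegs:
        tags = read_exif_strings(data)
        if tags:
            counts[(tags.get(TAG_MAKE, "?"), tags.get(TAG_MODEL, "?"),
                    tags.get(TAG_SOFTWARE, "?"))] += 1
    return counts


# Constructed sample card: two handsets' photos plus one JPEG with no EXIF.
# Model and firmware strings are made-up placeholders, not real case data.
SAMPLE_CARD = [
    build_exif_jpeg("Samsung", "SGH-I747", "SAMPLE-FW-1"),
    build_exif_jpeg("Samsung", "SGH-I747", "SAMPLE-FW-1"),
    build_exif_jpeg("Apple", "iPhone 5", "7.1"),
    b"\xFF\xD8\xFF\xD9",
]

if __name__ == "__main__":
    for (make, model, sw), n in attribute_card(SAMPLE_CARD).most_common():
        print(f"{n:3d} image(s)  Make={make!r} Model={model!r} Software={sw!r}")
```

On a real card you would feed `attribute_card` the bytes of every JPEG found (including carved ones from unallocated space); a firmware string in the Software tag that matches only one of the candidate phones is the "indication" Rich2005 describes, and a card showing several fingerprints is exactly the swapped-around scenario he warns about.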

Mobile Phone Forensics: Samsung SGH-i747 And. 4.1

http://www.iol.co.za/news/crime-courts/oscar-s-ipad-history-shown-in-court-1.1663803 If you would like a free evaluation of XRY please email sales@msab.com and we can arrange one for you.