jhall236 wrote:
Questions:
1. What tools do you use most often?
It really depends on the type of work I'm doing. For digital analysis of Windows systems, TSK tools (mmls, fls, blkls now and again...), LogParser, Perl, and a lot of my own scripts/home-rolled tools and processes. Much of the analysis work I do involves determining when and how something happened, so timeline analysis is a great way for me to address the goals of my analysis.
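The timeline step the answer mentions (fls body-file output turned into a sorted MACB timeline), as an added example that is not part of the original post; the column layout is TSK's documented body-file format and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in TSK body-file format (fls -m output), epoch seconds:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|/Windows/System32/svchost.exe|1234-128-1|r/rrwxrwxrwx|0|0|27136|1262304000|1262304000|1262304000|1262304000
0|/Users/bob/AppData/Local/Temp/update.exe|5678-128-3|r/rrwxrwxrwx|0|0|40960|1262390460|1262390400|1262390460|1262390400
"""


def build_timeline(text):
    """Parse body-file text into (epoch, MACB flags, path, inode, size) rows.

    The four timestamps of one entry are grouped by value, so a file whose
    times are all equal yields one 'macb' row, while differing times yield
    separate rows (e.g. 'm..b' then '.ac.'), as mactime does.
    """
    rows = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split("|")
        if len(fields) != 11:
            continue  # malformed line: skip rather than guess at fields
        _, path, inode, _, _, _, size, atime, mtime, ctime, crtime = fields
        by_time = defaultdict(list)
        for letter, stamp in (("m", mtime), ("a", atime), ("c", ctime), ("b", crtime)):
            by_time[int(stamp)].append(letter)
        for t, letters in by_time.items():
            flags = "".join(ch if ch in letters else "." for ch in "macb")
            rows.append((t, flags, path, inode, int(size)))
    # Sort by time, then path, so events from different files interleave.
    rows.sort(key=lambda r: (r[0], r[2]))
    return rows


def format_timeline(rows):
    """Render rows as mactime-style text lines with UTC timestamps."""
    lines = []
    for t, flags, path, inode, size in rows:
        when = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when} {flags} {size:>8} {inode:<12} {path}")
    return lines


if __name__ == "__main__":
    for line in format_timeline(build_timeline(SAMPLE_BODY)):
        print(line)
```

Feeding real `fls -r -m / image.dd` output in place of the constructed sample gives the same sorted view for a whole volume.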
jhall236 wrote:
2. What credible resources such as publications, forums, societies or Internet groups would you suggest to a new graduate?
None. My recommendation would be to start with whatever internal training you can get as part of your job...going to online resources is going to simply inundate you with information...one of the things I hear from folks is, "...there's so much to learn, I don't know where to start...".
If you don't have employment lined up, pick someplace to start, and focus there initially. So many folks, including seasoned professionals, seem to immediately go to the deep end and quickly get in over their heads. If you don't know what to focus on, seek out a mentor.
jhall236 wrote:
3. What is the most rewarding aspect of your job?
Finding stuff other folks haven't seen, or haven't admitted to seeing. Finding undeniable proof that a bad guy did what they were accused of (and denied), or finding undeniable proof that exonerates someone.
jhall236 wrote:
4. What personality traits and academic background are important for today’s digital forensics investigators?
I don't think that academic background plays a huge role, other than getting someone "in". Someone can be a history major and be innately curious and passionate about the work, and do a much better job (and have more fun doing it) than someone with a degree that applies more directly/appropriately to the work.
Something that many analysts seem to have great difficulty doing is putting their egos aside and asking for assistance. I've had analysts tell me that they'd rather "noodle" through something for 3 months or more, so that they could get it themselves, rather than ask for help. I've seen others spend more time than they needed to trying to figure something out when they could've simply asked.
Seek out trusted relationships in the field. No one of us knows everything, and the only way to learn is to explore and ask questions. Also, be prepared to give back...if you find something new, share it. Don't use excuses to hide. Sure, others may have seen it before...but more than likely, they haven't said anything either, so the majority of the field has little knowledge of it. You may have a new variant, which could be significant.
jhall236 wrote:
5. Is it prudent to specialize in one or two tools/devices or be a “jack of all trades” investigator?
Yes. There are a number of skills that one needs in this field, but it is also important to have a degree of specialization in an area that applies directly to what you're doing, such as knowing the ins and outs of a particular tool, device or data source.
HTH