Okay, I'm going to come at this from a different perspective. I'm relatively new to forensics but my background seems to be a good fit. I've been in low-level infosec for most of my career. A person might note that there are many similarities between an infosec red team member and a forensic examiner: the processes and the techniques are similar in many respects.
Questions:
1. What tools do you use most often?
Visual Studio, Neo Hex Editor, Google, Absolution (cuz it's my baby), file carvers, data recovery tools, any other software deemed useful, and various hardware "tools" required to do work. Notable examples:
a) Forensic write blockers for USB and IDE
b) A portable ITX system with an exposed PCI slot for SCSI and Fiber Channel cards
c) Adapters, adapters, adapters... and some docking stations.
d) Paperwork! Checklists for each system and each form of media, verification forms, and other things to make sure each system is collected properly with care.
e) A high resolution camera capable of making videos as well as photographs. You'll want to photograph everything.
f) A safe for keeping media
g) A fast computer system with lots of RAM and drive space. Hot swap drive bays a plus.
h) A computer repair kit for opening computers
... etc etc
You get the idea -- other forensic experts may also have phone forensics tools, or on-device data extraction tools... All depending on their line of work. But in short, you'll need whatever tools work for your area AND you'll want to construct the procedures you'll follow in advance before attempting anything.
2. What credible resources such as publications, forums, societies or Internet groups would you suggest to a new graduate?
I belong to ISACA which is taking an interest in forensics now. I'd love to read other people's answers.
3. What is the most rewarding aspect of your job?
I don't want rewards -- so let me rephrase the question. If you are asking about what motivates me, I believe someday computer forensics will help unite families of missing people faster and save lives; and that my contributions will help give people a life that would have otherwise been stolen from them. No rewards, just hoping that it happens.
4. What personality traits and academic background are important for today’s digital forensics investigators?
Based on what I've been so far: intelligent, curious, detailed, logical, open-minded, "good bit" enabled, and a cast iron stomach (which I don't have, unfortunately.) Academically, get a master's degree or higher in order to be able to render expert opinion as testimony in court. It may be required to get a computer forensic certification as well.
5. Is it prudent to specialize in one or two tools/devices or be a “jack of all trades” investigator?
I don't know how anyone could be considered an expert witness with a knowledge of only one or two tools. All industries eventually standardize on putting low cost technicians on a device, so eventually this might be the way things become.
It's the "jack of all trades" that will always win here. Someone will need to direct the technicians anyway, and if you want a career out of this then that person is YOU. You need to learn how businesses work, how computers work at low levels, court procedures, accounting, tools, how to manage clients, etc. Lawyers are also highly educated jacks of all trades, so the more dynamic you can be with them, the better. What other way is there to phrase this except maybe be a leader.
Eric