CHAPTER 2
Learning Computer Forensics
We’ll Cover

•   Where and how to get training
•   Where and how to get certified
•   How to stay current

Chapter 1 defined computer forensics—what it is, who does it, and the traditional ways people enter the field. This chapter offers information about how you can learn more about computer forensics. Although this book will give you a strong foundation that will get you started on your career as a computer forensics professional, it does not contain everything you’ll ever need to know. I hope that the resources in this chapter will help you find additional information as you get the experience you need to take on more complicated cases.
Where and How to Get Training
One of the first things you should be looking to do—beyond buying this book, of course—is getting hands-on training. Hands-on training will help you get comfortable with the tools and procedures detailed in this book.
Although this chapter focuses on industry training and certification, there is another option. Many traditional two- and four-year undergraduate programs, along with graduate programs, from accredited colleges have added digital forensics as a degree option. I don’t cover this option in detail in this chapter, because I assume you are already a working professional and not looking for a years-long ramp-up period before you get started in a new niche.
In Actual Practice
I have a degree in computer science, and most law enforcement computer forensic examiners have degrees in criminal justice. What degree you have does not determine your level of success in the field of computer forensics, however. A computer forensics degree will certainly provide you with a breadth of information from a formal training program that can only help you succeed, but don’t think that you must obtain a degree in computer forensics before pursuing a career in it.
If you are interested in an academic program in computer forensics, it can only help you in the long run. Go to www.digitalforensicsassociation.org/formal-education/ for a current list of available programs out there.
IMHO
I highly suggest that you do not attempt any investigations for another person or any organization without first getting adequate training. Not only might you mess up the evidence, but you might miss the “smoking gun” in the evidence as well! Computer forensics is not just about creating a forensic image of a piece of electronic media; it’s also about knowing how to interpret artifacts found in the forensic image and how to recover more of them. Without the appropriate training, you will not know how to locate and interpret every nuanced or subtle sign, or you may be unable to explain to someone else what it all means.
For example, I participated in one case in which the opposing expert had no prior computer forensic experience. He was wrong in all of his conclusions, and his client’s case was dismissed. It was certainly not a good day for him or his client. Don’t be that guy. Get training and practice in performing a computer forensic examination before offering to perform one for someone else.
If, even after my advice, you do not receive training, then before you perform your first computer forensic investigation for someone other than yourself (you are free to mess up your own evidence for testing), you must explain that you’ve received no formal training. That person needs to understand that you might mess up the evidence and prevent them from bringing it into a court of law. You should then at least make sure that you have thoroughly tested and documented your procedures in case someone presses you on your results.
Law Enforcement Training
Law enforcement, depending on the level (federal, state, or local), usually provides officers with free training from multiple sources. These free courses are typically restricted to law enforcement only (and, yes, you actually have to provide identification to register, so no sneaking in for free). Since this book is not intended for those pursuing careers in criminal investigation, I won’t delve further into this topic.
Corporate Training
Corporate training is computer forensic training for the rest of us—those of us who are not law enforcement and have no special programs we can join to get training. Corporate employees and the general public can access training from a large variety of organizations and vendors. Some of the most popular training courses lead to some sort of certification, which is something else I would recommend you do. Computer forensic certifications are detailed in the following section; the list that follows, however, covers only training courses that do not end in certification, and there are surprisingly few of them.
Mobile Forensics
viaForensics   https://viaforensics.com/
The folks at viaForensics offer great courses for Android and iPhone analysis techniques. These go beyond the typical phone backups and get into physical inspection of deleted artifacts.
In partnership with Wild PCS, Teel Technologies offers advanced classes in mobile forensics that involve learning how to physically remove NAND (flash) memory from devices for physical inspection.
BK Forensics provides free training on mobile devices both online and in person—you can’t beat that!
Vendor Training
X-Ways Forensics provides training on its forensic products without a certification involved. X-Ways makes the computer forensic tools X-Ways Forensics, X-Ways Investigator, and WinHex. Although the training focuses on how to use X-Ways’ tools to perform computer forensics, the knowledge you gain can be applied to any tool.
IMHO
I’ve always heard great things from people who took these classes, and many of them have converted to the X-Ways methods of performing computer forensics.
Where and How to Get Certified
Certification is a great way to show others that you’ve mastered a certain part of the computer forensics skill set. There are two types of certifications available: vendor and vendor-neutral. Choosing which certification is right for you and your career can be difficult, but hopefully, after reading this chapter, you’ll come away understanding what’s best for you.
In Actual Practice
If you have no prior computer forensics experience, certification goes a long way toward getting a job in the field. Certification shows that you’ve met the requirements to pass the test and have a sufficient mastery of the information. Although certification does not mean that you are an expert, it certainly does comfort those who need to trust that you will perform a diligent investigation and not mess up the evidence.
Tip
Keep a record of your trainings, as you normally would for your resume. Listing your training and experience is something you’ll have to do when you provide any type of report, statement, or testimony to the courts.
Vendor Certifications
Most established computer forensic software vendors have created certifications to establish that a person has taken their classes and/or exams and passed them. This shows to your employer, prospective employer, or opposing parties that you have been properly trained to use the tools you have chosen to employ. A wide variety of certifications are available in this category, and choosing the one that’s right for you is more of a “which product do you use” question than a “which is better” question.
EnCase Certified Examiner
Guidance Software, makers of EnCase, created the EnCase Certified Examiner (EnCE) certification. It requires that you as an examiner can demonstrate either 12 months of on-the-job experience or 64 hours of training from Guidance, a government agency, or an accredited institution. Once you’ve proved you have the required experience, you can sit for the exam, which is half multiple-choice questions and half a practical examination with a full report write-up. If you or your company has chosen EnCase as your primary forensic suite, this is a good certification to strive for.
Paraben Certified Mobile Examiner
Paraben, makers of forensic software and hardware, has been one of the longest-standing contenders in the mobile device forensic space. If you or your company has chosen Paraben Device Seizure as your primary mobile forensic tool, this is a good certification to strive for.
SMART Certified Examiners
ASR Data makes the SMART forensic products, the only forensic suite built to run natively on Linux. If you or your company has chosen SMART as your primary forensic tool, or if you want more exposure to forensics using Linux-based systems, this is a good certification to strive for.
AccessData Certified Examiner
AccessData, makers of the Forensic Toolkit, provides the AccessData Certified Examiner (ACE) certification at no cost to those who can pass the examination. If you or your company has chosen the Forensic Toolkit as your forensic suite of choice, this is a good and free certification to strive for. There are no prerequisites for education or experience; just know the tools and how to use them during your analysis.
IMHO
I’m not recommending one vendor certification over another. Instead, I am stating that you should get the vendor certification that corresponds to the tool you are using. Having a certification that shows the mastery of a tool that you don’t use in your investigations isn’t helpful. You would be better served by getting a vendor-neutral certification, listed in the next section. Having said that, if a vendor certification is offered for a tool that you are actually using, I would recommend getting it to show your proficiency with the tool.
Vendor-Neutral Certifications
Vendor certifications certify your knowledge of how to use their tools to perform a computer forensic examination, but they do not attest to your overall general forensic knowledge. The vendor-neutral certifications listed in this section allow you to show others that you have mastered the body of knowledge that they cover. These certifications typically go beyond a vendor certification, because they cover areas of forensic analysis outside those the vendor may support. In an ideal world, you would have both a vendor certification for the tool you use and a vendor-neutral certification to show your mastery of the forensic process.
The International Society of Forensic Computer Examiners
ISFCE maintains the Certified Computer Examiner certification, which has grown to be one of the most recognized vendor-neutral computer forensic certifications. After 18 months of documented experience, attending their training camps, or documented original research, you can sit for the certification test. You must take a written test and examine and report on a test forensic image to obtain the certification.
High Tech Crime Network
HTCN offers multiple levels of certification depending on your practical work experience. Once you have been working as an examiner for three years, you might want to check out HTCN and get certified.
SANS
SANS focuses on a series of Global Information Assurance Certification (GIAC) specialties and specifically offers a computer forensics track. SANS has a history of focusing mainly on incident response, with an emphasis on system administrator IR certifications, but its course content has expanded to traditional computer forensic techniques as well.
International Association of Computer Investigative Specialists
IACIS provides the Certified Forensic Computer Examiner (CFCE) certification, which was previously open to law enforcement personnel only but is now open to the general public. For many years, IACIS was a de facto law enforcement officer certification resource, and the organization has a good reputation.
Budget Note
Some certificate programs are free, some require a training class, and some require fees for the testing. The biggest return on your investment right now would be to choose among the EnCE, ACE, and CCE certifications. These are the three most recognizable certificates out there, and when recruiters and human resources folks are reviewing resumes, keyword filters will be looking for these certifications.

•   The EnCE program requires 64 hours of computer forensic training if you don’t have 12 months of experience. The test costs $200 and requires that you go to a testing center or conference to take it. The cost of Guidance Software’s EnCE training class is $2500 at the time of this writing.
•   The ACE test is free, it’s online, and AccessData offers study materials on its web site. However, the ACE does require that you already own a licensed copy of AccessData’s tools, which at the time of this writing can cost around $2000.
•   The CCE is the least expensive of the bunch. Go to its web site to get the latest standards. You can sit for the test having no other experience or training classes. The test costs only $395, and you can use any tool you like.
IMHO
I am currently in the process of becoming a CCE. I’ve held off on any certification since they were either vendor-specific or still building credibility. In the end, as someone who runs a computer forensics lab and testifies as an expert witness, I felt that the CCE had the most to offer with their relationship with the Laboratory Accreditation Board of the American Society of Crime Laboratory Directors (ASCLD/LAB). ASCLD/LAB is, in my opinion, the Next Big Thing in our field. More labs will be getting their procedures certified by ASCLD/LAB and this certification may become a requirement in the future.
Staying Current
New information and research are always coming out as applications, operating systems, and technologies change. After you are certified, you should look for new sources of information to keep you up-to-date on what’s happening so you can stay current. In addition, you’ll need to stay current to fulfill your continuing education requirements, which most of the newer certifications impose. In this section, I list the many ways you can stay current with the latest computer forensic advances; whether you choose to do just one or all of them is up to you (and your budget).
You should expect that you will regularly attend, listen to, or read at least one of the items listed in each category. Computer forensics is a young field, and each version of a popular application or operating system creates new challenges and opportunities for an examiner. If you do not keep up with the ever-changing field, or at least have the resources to find new information when you need it, you will miss critical evidence in your cases.
Conferences
Although you’ll find many computer forensic–focused conferences throughout the world today, each has a specific focus. Some focus on research, others on specific technologies, and others on the impact of the law on forensics. In this section, I detail the conferences that provide the best information for someone looking to keep up-to-date on general computer forensic techniques.
HTCIA International
Once a year, the High Technology Crime Investigation Association International Conference is held at a different location. The conference is open to members and nonmembers alike and offers tracks for all skill levels. Although many of the attendees are law enforcement, very few of the labs are off limits to those not in the law enforcement field.
CEIC
Guidance Software puts on CEIC on a yearly basis; the conference is alternately held in Las Vegas, Nevada, and Orlando, Florida. The conference sometimes offers tracks devoted to the use of EnCase, but it also contains good sessions on vendor-neutral topics. (I spoke at CEIC 2011 and CEIC 2012, and maybe I will see you at CEIC 2013!)
Techno Forensics
Once a year, the TECHNO Forensics Conference provides a non-vendor–driven conference. There is no specific focus on law enforcement, so any type of computer forensic examiner is welcome. This conference is typically held in Myrtle Beach, South Carolina.
Black Hat
Black Hat is primarily a computer and network security conference, but in recent years it has also begun accepting computer forensic presentations. Held yearly at Caesars Palace in Las Vegas, Nevada, Black Hat is the best general computer security conference for networking and learning about new topics.
IMHO
I attend Black Hat every year, and I’ve found it to be one of the best overall conferences around. However, I was very impressed with CEIC in 2012 and plan to return in subsequent years, even if I’m not speaking there (but hopefully I will be!). I spoke at HTCIA International in 2010 and noticed that overall attendance has dropped greatly since I first started attending in 2000. If you have to make a choice between the two, I’d suggest you attend CEIC rather than HTCIA International for the time being.
SANS
SANS produces a range of conferences and events throughout the year. Some events specialize in forensics, and they usually offer the SANS forensic classes for your GIAC certification needs. In addition to these conferences, SANS also provides several summits that take place around the country.
Blogs
Blogs are great resources for computer forensics information. In years past, most computer forensics techniques and procedures were considered secrets, and most people hesitated to detail them outside of private members-only forums. However, with the rapid expansion of our industry and the large availability of books such as this one, the cat is out of the bag, so to speak. Blogs have been sprouting up in earnest with various specialties providing new research and tools to the general public. Here is a list of the blogs that I follow to keep current.
IMHO
Blogs are what I follow the most on a day-to-day basis to stay current. I’ve subscribed to all of these blogs in a Google Reader account, and I read them when I have free time during the day, either on my PC or my smartphone.
Hacking Exposed Computer Forensics Blog by David Cowen
This is my blog, and I read it often! All kidding aside, this blog is for computer forensic topics too advanced to be included in this book or for those that supplement the information in McGraw-Hill’s Hacking Exposed Computer Forensics series. I update the blog weekly and typically have some kind of multiple-part series going all the time.
SANS: Computer Forensics and Incident Response with Rob Lee
Rob Lee and his team at SANS produce a great blog that is constantly updated with new techniques and free tools that they either promote or develop themselves. Two of the largest projects they’ve contributed to open source computer forensics are the SIFT workstation and log2timeline, both of which are covered in this book. If you need an open source library of tools for your arsenal, this blog is a must.
Windows Incident Response by Harlan Carvey
Harlan Carvey has written many books on forensics and incident response. In his blog, he keeps his readers up-to-date on new tools, techniques, and topics he is researching. Harlan also developed the free and open source Perl programs RegRipper and Forensic Scanner. (Don’t worry; he distributes them as Windows executables as well.)
Forensics from the Sausage Factory by Richard Drinkwater
This blog, whose name is almost as long as mine, is brought to you by Richard Drinkwater, who goes by the name DC1743, and it contains a great deal of high-quality and unique information. Richard provides forensic information that I have not found elsewhere. From details on the forensics of GPS devices to new operating system forensic techniques, this blog delivers new and relevant information.
Forensic Focus Blog by Jamie Morris
Forensic Focus is one of the best publicly accessible computer forensics forums around right now. Jamie Morris writes the blog and keeps it updated with new content from columnists, interviews, and new events. Following this blog is often easier than trying to keep up with the forums, which are very active.
Forums
Forensic Focus
Forensic Focus is the most active public computer forensic forum that I am aware of. With daily topics spanning a range of international questions, from law, to ethics, to technology, there is always something new to learn at the Forensic Focus forums.
Vendor Forums
Beyond the general forum described so far, each of the major vendors operates a forum where its users can discuss its product, troubleshoot problems, and share new techniques. Whatever forensic suite you end up deciding to use, find out what forums are available and get involved. Typically, a vendor forum will require that you have a validated licensed version of the software to gain access.
Podcasts
Podcasts can be a nice change from your daily routine. Listening to a podcast while driving, working out, or working in the lab can be a very effective way to keep up with the latest news. This section covers the three most popular podcasts, but there are more every day as our field keeps growing.
Forensic 4cast
Forensic 4cast is one of the most popular podcasts around today and focuses exclusively on computer forensics. The web site offers a mixture of episodes and articles that make for good reading and listening. One of the other fun things that Forensic 4cast does is run a yearly contest, with awards for the best blogs, tools, web sites, and so on, in the field. This is a must-listen.
CyberSpeak
CyberSpeak offers a mix of computer forensics and computer security information. If you are looking for good computer forensic information along with information security topics, this is a good choice.
Inside the Core
Inside the Core, the 2010 Forensic 4cast Award-winning podcast, is unique in that it focuses only on Macintosh forensics. All Apple products are included here, and the information covered is very much needed. Mac forensics is not as well researched as Microsoft forensics and is a field that we must keep up with, as Apple devices have skyrocketed in popularity.
Associations
Networking can also be a great way to stay current. The contacts you make in the industry at conferences or association meetings can often be of great help when you find yourself in new territory.
High Tech Crime Investigators Association International
HTCIA is one of the oldest computer forensic organizations around. With chapters around the world, HTCIA provides local training and networking to criminal and civil forensic examiners. To join the HTCIA, one of your primary job duties must include computer forensic examinations and/or the development of security technologies. (Note that you’ll have to undergo a criminal background check when you apply for membership.) You should attend a meeting first, because other members must also sign your application.
The major restriction that HTCIA places on its members is that they are not allowed to do forensic examinations for criminal defense cases.
Association of Certified Fraud Examiners
Although the ACFE is not strictly a computer forensic organization, many people must be familiar with both fraud and computer forensics in their work. If your investigations take you into the realm of fraud, this organization offers a good way to meet peers and learn what trends are forming. It also offers a certification that you can achieve remotely.
We’ve Covered
In this chapter, I’ve given you my opinions on the best places for training, keeping up with forensic research, and getting certified. Other people you meet will have different opinions; some may even say how wrong I am, and that’s OK! As you attend conferences, listen to podcasts, read blogs, and go to trainings, you’ll form your own opinions and find what works for you. In the next chapter, I talk about how to build your forensic lab, so things are about to get interesting!
Where and how to get training

•   Get training while working in law enforcement.
•   Get training from corporations.
•   Focus on specialties within training.
Where and how to get certified

•   Sign up for the most popular vendor and vendor-neutral certifications.
•   Determine which type of certification you qualify for.
How to stay current

•   Attend conferences.
•   Read blogs.
•   Visit forums.
•   Listen to podcasts.
•   Join associations.