Chapter 4: Digital Forensic Analyst

In this chapter, you will learn what a digital forensic analyst is and the average salary range for this career in the United States (US). You will also learn about career progression options and learn common interview questions for the role.

The following topics will be covered in this chapter:

  • What is a digital forensic analyst?
  • How much can you make in this career?
  • Which other career paths can you choose after working as a digital forensic analyst?
  • Common interview questions for a digital forensic analyst career

What is a digital forensic analyst?

Digital forensic analysts are tasked with collecting, preserving, and analyzing digital evidence. They might work with incident response teams (IRTs) to investigate incidents and attempt to identify threat actors responsible for an attack. Digital forensic analysts may also work with law enforcement agencies to help in criminal investigations, including crimes against children, and help companies in civil and administrative investigations. They may also be hired by law firms to conduct electronic discovery (e-discovery) work, where the analyst collects electronic evidence to be used in civil cases. An example of this might be collecting evidence on the financial activity of one spouse during a divorce proceeding to help the attorneys prove how much money they have in their accounts. As a digital forensic analyst, you will analyze operating systems such as Windows, macOS, Linux, and mobile OSs, analyze volatile and non-volatile data, and work with forensic tools such as EnCase and Autopsy (https://www.sleuthkit.org/autopsy/).

The Digital Forensics and Incident Response (DFIR) Diva blog (https://dfirdiva.com/) contains listings of free and low-cost resources for you to gain hands-on experience in conducting forensic investigations.

How much can you make in this career?

The salary range for a digital forensic analyst in the US depends on a number of factors, such as your location, the size of the company you work for, certifications you hold, college degrees, and your skills. In the US, an average salary to expect is between $72,000 and $94,000. If you work in an IRT and have some experience, your base salary in the US may be in the six-figure range.

Which other career paths can you choose after working as a digital forensic analyst?

The skills learned as a digital forensic analyst can prepare you for other careers such as penetration tester, malware analyst, cybersecurity manager, and senior executive roles as you advance in your career, such as chief information security officer (CISO). As a digital forensic analyst, you can also use your skills to work on an IRT.

Common interview questions for a digital forensic analyst career

In this section, you will learn some of the most common interview questions that are posed in relation to digital forensic analyst jobs. We present a list of these here:

  • Why did you decide to pursue a career in digital forensics?

I suggest you answer this one honestly. What really interests you about working in forensics? Is it the opportunity to catch people doing bad things? Is it because you watched some episodes of CSI: Crime Scene Investigation and found digital forensics interesting?

My answer to this question would be that I fought against bad people all over the world in the military and wanted to continue tracking down bad people while helping the innocent people of the world.

  • What is the chain of custody (CoC)?

The CoC is documentation that tracks evidence from the initial scene through the evidence being presented in a court of law. The chain of custody should show who controls evidence and when, document each person or system that holds the evidence at each stage of the investigative process, and document the evidence analysis and any disposal of evidence during or after the investigation. You can view an example of a chain of custody form at this link: https://www.nist.gov/document/sample-chain-custody-formdocx.

  • Which tools can be used to recover deleted files?

Some tools that could be used to recover your deleted files include EaseUS (https://www.easeus.com/), Advanced Recovery, Disk Drill (https://www.cleverfiles.com/data-recovery-software.html), Recoverit (https://recoverit.wondershare.com/), and Recuva (https://www.ccleaner.com/recuva).

  • What is hashing?

Hashing is a one-way function that takes a specific input and maps it to a specific output. As an example, let's say I use the 26 letters of the US English language alphabet for the input and I map each of those letters sequentially to each corresponding number, so if I enter an A, then my output would be a 1, and if I enter a B, then my output would be a 2. Hashing is something you use to verify the integrity of the file or information. If you download files from websites such as kali.org, you will see a hash for the original file. This helps you compare and validate the original file from the vendor and the file you downloaded to ensure a malicious actor did not alter the file.

  • Can you provide examples of some common hashing algorithms?

Some common hashing algorithms in use right now are Message Digest 5 (MD5), Secure Hash Algorithm 256 (SHA-256), and SHA-512.
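
The following Python script is an added example (not from the book) that ties the previous two answers together: it verifies a download against a vendor-published digest and keeps a small chain-of-custody ledger that re-hashes the evidence at every hand-off. The sample file, the evidence ID and the handler names are constructed for the demonstration; the digests themselves come from Python's standard `hashlib`.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample "download" and the hash a vendor would publish beside it.
SAMPLE_FILE = b"constructed sample installer contents, not a real image\n"
PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_FILE).hexdigest()


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data for any hashlib algorithm name (md5, sha256, sha512)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def hash_file(path: str, algorithm: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(data: bytes, published: str, algorithm: str = "sha256") -> bool:
    """True only if the digest we compute matches the vendor's published digest."""
    return hash_bytes(data, algorithm) == published.strip().lower()


class CustodyLog:
    """Minimal chain-of-custody ledger: every hand-off re-hashes the evidence
    and records whether it still matches the hash taken at acquisition."""

    def __init__(self, evidence_id: str, data: bytes, handler: str, algorithm: str = "sha256"):
        self.evidence_id = evidence_id
        self.algorithm = algorithm
        self.acquisition_hash = hash_bytes(data, algorithm)
        self.entries = []
        self.record("acquired", handler, data)

    def record(self, action: str, handler: str, data: bytes) -> bool:
        """Append an entry for this hand-off; returns False if the evidence no longer matches."""
        current = hash_bytes(data, self.algorithm)
        intact = current == self.acquisition_hash
        self.entries.append({
            "evidence_id": self.evidence_id,
            "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "handler": handler,
            "hash": current,
            "intact": intact,
        })
        return intact

    def is_intact(self) -> bool:
        return all(e["intact"] for e in self.entries)


def demo() -> dict:
    # Flip a single bit: the digest changes completely, so the comparison fails.
    tampered = bytearray(SAMPLE_FILE)
    tampered[0] ^= 0x01
    tampered = bytes(tampered)

    log = CustodyLog("EV-2024-0001", SAMPLE_FILE, handler="analyst-1")   # constructed IDs
    log.record("transferred to lab", "analyst-2", SAMPLE_FILE)          # still intact
    log.record("returned from court", "clerk-1", tampered)              # mismatch is recorded

    return {
        "download_ok": verify_download(SAMPLE_FILE, PUBLISHED_SHA256),
        "tampered_ok": verify_download(tampered, PUBLISHED_SHA256),
        "md5_differs_from_sha256": hash_bytes(SAMPLE_FILE, "md5") != hash_bytes(SAMPLE_FILE),
        "custody_intact": log.is_intact(),
        "first_bad_entry": next(i for i, e in enumerate(log.entries) if not e["intact"]),
    }


if __name__ == "__main__":
    print(demo())
```

The ledger records the failure rather than raising, because in practice the mismatch itself is the finding: the entry shows which hand-off the evidence stopped matching at.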

  • What is data carving?

Data carving is conducted in a forensic investigation to identify deleted information on a system. Some forensic tools offer data-carving capabilities, and these typically identify file headers and footers to recover files that are intact, meaning the files have been deleted but not overwritten yet by new data. As a forensic investigator, you may also conduct manual data carving, whereby you can pull fragments from previous files in slack space.

  • What is data mining?

Data mining is just the process of pulling out specific information from large datasets. In digital forensics, mining can be used to collect correlating data on a suspect. As an example, a suspect visits an internet café to use its computers to commit criminal activity. Let's pretend the internet café doesn't have user accounts, so the only way to identify the person responsible for the crimes is to collect information from the computer, including timestamps, and then correlate that information with security cameras in the area to narrow down the suspect list and identify the person committing the illegal activity.

  • What is steganography?

Steganography is a way to hide information within another source. For example, a criminal might hide child sexual abuse material (CSAM) images within an image of a dog found on the web. The average person would see the image in the search results and just think it was a picture of a dog, but other criminals would know to use a steganalysis tool to pull the CSAM images out.

  • What are some considerations around forensic investigations in the cloud?

Considerations include jurisdiction, cloud service providers (CSPs), and multi-tenancy. CSPs host data all over the world, which causes jurisdictional issues. For example, you might work with law enforcement in the US and have a warrant to seize data on a suspect, but the data might be stored in Russia, which doesn't recognize your warrant. Another consideration is the CSPs themselves, as they control the hardware and the logging capability in platform-as-a-service (PaaS) and software-as-a-service (SaaS) deployments. CSPs might also sanitize log files from customers and have policies restricting access to log files. Multi-tenancy is another challenge because other organizations do not want you as an investigator to accidentally access their data from the cloud.

  • Can you name some common encryption algorithms that are used to encrypt data?

Some encryption algorithms are Advanced Encryption Standard (AES), Rivest-Shamir-Adleman (RSA), and Triple Data Encryption Standard (3DES). 3DES is still used by some financial institutions. RSA is resource-intensive and is usually only used to encrypt small amounts of data. AES is what you will see more commonly used over the others.

  • Can you retrieve data from an encrypted hard drive?

Yes, but to view the data you will need the decryption key.

  • What is SIFT?

The SANS Investigative Forensic Toolkit (SIFT) is a forensic workstation from SANS that comes with a number of pre-installed forensic and IR tools. Using pre-made images such as SIFT and frameworks such as Volatility (https://github.com/volatilityfoundation/volatility) can save you time in setting up your forensic investigation lab.

  • What is timeline analysis?

Timeline analysis orders the events on a system or group of systems into a sequence that lets the investigator see what happened and when, and which events occurred just before or after an incident.
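
As an added illustration (example code, not from the book), the script below merges events from three constructed sources with different timestamp formats into one chronological timeline and then pivots on a suspicious event to list what happened just before and after it. Every file name, host name, log entry and timestamp here is invented for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed events from three sources (not real case data).
FILESYSTEM_EVENTS = [
    ("2024-03-04T09:58:20Z", r"C:\Users\alice\Downloads\invoice.pdf.exe", "created (B)"),
    ("2024-03-04T09:58:25Z", r"C:\Users\alice\Downloads\invoice.pdf.exe", "accessed (A)"),
    ("2024-03-04T10:01:02Z", r"C:\Users\alice\AppData\Roaming\svc.exe", "created (B)"),
]
EVENT_LOG = [
    ("2024-03-04T09:55:00Z", "Security/4624", "logon user=alice type=2"),
    ("2024-03-04T10:01:05Z", "Sysmon/1", "process create svc.exe parent=invoice.pdf.exe"),
]
PROXY_LOG = [
    ("2024-03-04 09:57:51 +0000", "GET http://files.example.invalid/invoice.pdf.exe", "200"),
    ("2024-03-04 10:01:30 +0000", "POST http://c2.example.invalid/beacon", "200"),
]

TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S %z")


def parse_time(text: str) -> datetime:
    """Normalize every source to an aware UTC datetime so they sort together."""
    for fmt in TIME_FORMATS:
        try:
            dt = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if dt.tzinfo is None:            # the trailing-'Z' format yields a naive value
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.astimezone(timezone.utc)
    raise ValueError(f"unrecognized timestamp: {text}")


def build_timeline() -> list:
    """One (time, source, object, description) tuple per event, oldest first."""
    events = []
    for ts, obj, what in FILESYSTEM_EVENTS:
        events.append((parse_time(ts), "fs", obj, what))
    for ts, channel, what in EVENT_LOG:
        events.append((parse_time(ts), "evtx", channel, what))
    for ts, request, status in PROXY_LOG:
        events.append((parse_time(ts), "proxy", request, f"status {status}"))
    return sorted(events, key=lambda e: e[0])


def around(timeline, pivot: datetime, before=timedelta(minutes=1), after=timedelta(minutes=1)):
    """Events inside [pivot - before, pivot + after]: the usual pivot step."""
    return [e for e in timeline if pivot - before <= e[0] <= pivot + after]


if __name__ == "__main__":
    tl = build_timeline()
    pivot = parse_time("2024-03-04T10:01:02Z")   # creation of the suspicious svc.exe
    for when, source, obj, what in around(tl, pivot, before=timedelta(minutes=5)):
        print(f"{when:%Y-%m-%d %H:%M:%S} {source:5} {obj:55} {what}")
```

Widening the window around the pivot is how the download and the earlier logon come into view; the same merge-and-sort step is what tools such as log2timeline automate at scale.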

  • What is metadata?

Metadata is commonly known as data about data. There are three types of metadata, which are descriptive, administrative, and structural. Descriptive metadata contains information about a file, such as the file author, keywords, and title. Administrative metadata contains the ownership and rights management of a file and which program was used to create the file. Structural metadata contains relational information on file data. In digital forensics, metadata can be used to identify the security settings of a file, and in the case of an email thread, metadata can be used to track the email origin and which other systems the email has passed through to its destination.

  • Analyze the following scenario and determine the best course of action.

You are contacted by the IRT in your company that a host system has been beaconing out to a command and control (C2) server. The IRT has blocked the outbound communication and requested for you to collect and analyze the disk. Upon arrival at the workstation, what is the first thing you should do?

The first step you should take is to document the current scene, including taking photographs of the workstation and surrounding area and documenting everything that is evidence before touching anything.

  • How do you get indicators of compromise (IOCs) from analyzing malware samples?

You can get IOCs by using static analysis. The first step should be to obtain a hash of the malware file and then search online databases, such as VirusTotal, to see whether anyone else has already done a write-up on the malware sample. This step can save you hours of frustration in your investigation. You can then use a tool such as Sysinternals (https://docs.microsoft.com/en-us/sysinternals/) coupled with regex to analyze the strings of the malware sample to look for Internet Protocol (IP) addresses, suspicious Uniform Resource Locators (URLs), and file paths. If you are not familiar with using the Sysinternals suite, this YouTube video (https://www.youtube.com/watch?v=vW8eAqZyWeo) from Mark Russinovich provides an overview of using Sysinternals for malware analysis.
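
The script below is an added example (not from the book or from Sysinternals) of the strings-plus-regex step the answer describes: it pulls printable ASCII and UTF-16LE runs out of a byte blob, the way the Sysinternals strings tool does by default, and then applies regular expressions for IPv4 addresses, URLs and Windows paths. The sample binary is a constructed stand-in, not real malware, and the IP address, URL and path in it are documentation values.

```python
import re

# Constructed stand-in for a malware sample: a few printable strings, one
# UTF-16LE string, and binary filler. Not a real sample.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
    + b"http://update.example.invalid/payload.bin\x00"
    + b"\x7f\x01\x02" + b"203.0.113.45\x00"
    + b"C:\\Users\\Public\\svc.exe\x00\x01"
    + "cmd.exe /c whoami".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfeab\x00\x00\x00\x00\x00" + b"kernel32.dll\x00" + b"1.2.3.4.5\x00"
)

MIN_LEN = 4
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Lookarounds stop version strings such as 1.2.3.4.5 from being reported as addresses.
IPV4 = re.compile(r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])")
URL = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)
WIN_PATH = re.compile(r"\b[A-Za-z]:\\(?:[^\\\s\"<>|:*?]+\\)*[^\\\s\"<>|:*?]+")


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """ASCII and UTF-16LE printable runs, in file order (what 'strings' prints)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return [s for _, s in sorted(found)]


def find_iocs(data: bytes) -> dict:
    """Candidate indicators from the strings; each still needs analyst review."""
    strings = extract_strings(data)
    text = "\n".join(strings)
    return {
        "strings": strings,
        "ips": sorted(set(IPV4.findall(text))),
        "urls": sorted(set(URL.findall(text))),
        "paths": sorted(set(WIN_PATH.findall(text))),
    }


if __name__ == "__main__":
    for key, values in find_iocs(SAMPLE_BINARY).items():
        print(key, values)
```

Treat the output as candidates: packed or encrypted samples show few strings, and any address or URL found this way should be corroborated (for example against the VirusTotal lookup mentioned above) before it is published as an indicator.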

  • What is the difference between static and dynamic malware analysis?

Static malware analysis is used to analyze the malware sample and its code without executing it. The forensic investigator might be limited in seeing what capabilities the malware has with simple static analysis, so dynamic malware analysis is used to analyze the behavior of the malware sample. More advanced static analysis can be used to dissect the malware down to assembly language, but this reverse engineering is time-consuming and not pragmatic for many investigations that are part of IR.

  • What is a PE file?

Portable executable (PE) is the standard Windows file format for executable files, dynamic-link libraries (DLLs), and object code for both 32-bit and 64-bit Windows operating systems.
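
To make the format concrete, here is an added Python example (not from the book) that parses the parts of a PE header an investigator looks at first: the MZ stub's pointer to the PE signature, the COFF file header (machine type, section count, timestamp, DLL flag), the optional-header magic that distinguishes 32-bit PE32 from 64-bit PE32+, and the section table. It also flags section names used by well-known packers, which is an assumption-based heuristic. The sample image is constructed in the script and is not a runnable program.

```python
import struct
from datetime import datetime, timezone

MACHINE_TYPES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0x01C0: "ARM", 0xAA64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+", 0x107: "ROM image"}
IMAGE_FILE_DLL = 0x2000
# Section-name prefixes left behind by common packers (heuristic, extend as needed).
PACKER_SECTION_PREFIXES = ("UPX", ".aspack", "MPRESS")


def parse_pe(data: bytes) -> dict:
    """Parse DOS header, PE signature, COFF header, optional-header magic and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    (machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    table = e_lfanew + 24 + opt_size            # section table follows the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "raw_offset": raw_ptr,
        })
    names = [s["name"] for s in sections]
    return {
        "machine": MACHINE_TYPES.get(machine, f"unknown (0x{machine:04x})"),
        "format": OPTIONAL_MAGIC.get(magic, f"unknown (0x{magic:04x})"),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "sections": sections,
        "packer_sections": [n for n in names if n.startswith(PACKER_SECTION_PREFIXES)],
    }


def build_sample(section_names, machine=0x8664, characteristics=0x0022) -> bytes:
    """Constructed, non-runnable PE image: just enough header to exercise the parser."""
    dos = bytearray(128)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 128)          # e_lfanew: PE signature at offset 0x80
    opt_size = 240                                  # size of a PE32+ optional header
    coff = struct.pack("<HHIIIHH", machine, len(section_names),
                       1_709_546_400, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)           # PE32+ magic
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    print(parse_pe(build_sample(["UPX0", "UPX1", ".rsrc"])))
```

The compile timestamp is worth recording but not trusting on its own, since it is a plain field in the header and can be set to any value by whoever built the file.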

  • How would a piece of malware maintain persistence?

A few ways to maintain persistence are: copying the malware to the Windows Startup folder so that it executes every time the system reboots; adding entries to the Run and RunOnce Windows registry keys; and abusing default file associations.

  • Can you name some items you would carry in your forensic response kit?

The contents of a forensic response kit will vary based on the investigator, but some items you will want to include are antistatic bags, your forensic laptop, dongles, screwdriver toolkit, extra cables, Faraday bags or commercial aluminum foil, write blocking devices, storage media, gloves, a digital camera for recording the condition of the scene when you arrive, notepad, and evidence paperwork such as labels or tags and CoC forms.

  • What are the two main types of data you deal with as a digital forensic investigator?

The two main types of data are volatile and non-volatile.

  • What is volatile data?

Volatile data is temporary data on your digital device that is dependent upon having a steady power supply. If the power is interrupted at all, this data can be lost. Some examples of volatile data include the system time, a listing of users logged on to the system, a list of files that are open, information on the network, information on processes running on the system, process-to-port mapping, services running, a list of drivers on the system, a history of the command run on the system, and the contents of the clipboard.

  • What is non-volatile data?

Non-volatile data is data that will remain on the system, even if the power supply is interrupted. This type of data can be stored on secondary storage devices, such as memory cards and a hard disk. Examples of non-volatile data include slack space, hidden files, swap files, the index.dat file, clusters that are unallocated, partitions that are not being used, your registry settings, and system event logs.

  • Can you name some other locations you can look in to identify information that is similar to the data that would have been in random-access memory (RAM) if the RAM evidence is not collected prior to the suspect's device being turned off?

Some additional locations include the hibernation file (hiberfil.sys), the pagefile (pagefile.sys), the swapfile (swapfile.sys), and the memory dump (memory.dmp).

  • Can you provide examples of artifacts you can get from analyzing RAM?

Some artifact information you can get from analyzing RAM includes encryption keys, passwords, IP addresses, browsing history, cleartext data, configuration information, and commands that were entered.

  • In which situations can duplicate evidence suffice as evidence?

Situations in which duplicate evidence will be accepted include if the original evidence is destroyed due to a fire, flood, or other disaster in the normal course of business. Duplicate evidence can also be used if the original evidence is in the possession of a third party.

  • Can you name three categories of cases you might investigate?

Three types of cases are civil, criminal, and administrative. A case you are investigating might fall into all three categories.

  • Which amendment in the US protects against illegal search and seizure by government authorities?

The Fourth Amendment.

  • What is the primary purpose of the first responder?

The main goal of the first responder is to secure the scene until investigators arrive. This is done to help protect evidence from contamination or theft.

  • Can you provide examples of some forensic tools?

A few forensic tools are FTK Imager, Autopsy, EnCase, Forensic Recovery of Evidence Device (FRED), Capsa, FileMerlin, password-cracking tools, Recuva, PALADIN, Recover My Files, Advanced Disk Recovery, and UndeletePlus.

  • What is FTK Imager?

FTK Imager is a popular forensic tool that helps an investigator acquire and analyze the files and folders found on system hard drives, network drives, and compact disc read-only memory (CD-ROM)/digital versatile disc (DVD). The tool also helps investigators analyze forensic images and memory dumps. Some other capabilities of FTK Imager include the ability to create hashes of files, recover and review deleted files from the Recycle Bin in the Microsoft Windows operating system, and export files and folders from captured forensic images to disk.

  • What is EnCase?

EnCase is a multi-purpose digital forensic platform that includes many useful tools to support your digital forensic investigation.

  • Which law in the US deals with fraud and related activity in connection with computers?

Title 18 of the US Code, Section 1030 (18 USC §1030) deals with fraud and related activity in connection with computers.

  • Which federal law in the US covers CSAM?

Title 18 of the US Code, Section 2252A (18 USC §2252A) covers CSAM.

  • What is Rule 402 of the Federal Rules of Evidence?

Rule 402 covers the general admissibility of relevant evidence.

  • What is the difference between Rules 701 and 702?

Rule 702 covers testimony by expert witnesses and Rule 701 covers opinion testimony by laypersons.

  • Which rule would cover the admissibility of duplicates for evidence?

Rule 1003 covers the admissibility of duplicates. Duplicate evidence (or a copy of evidence) might be used in a situation where law enforcement cannot obtain the original evidence or if the original evidence was destroyed as part of the normal investigative process.

  • What are some best practices for computer forensic investigations?

The following list details a few best practices:

  • Obtain authorization to conduct the forensic investigation.
  • Conduct a preliminary analysis of the scene and identify the evidence you will be collecting.
  • Do not turn the computer off or on, run any programs, or attempt to access data on the computer before documenting the scene.
  • Collect and secure any relevant media, including hard drives, cell phones, DVDs, Universal Serial Bus (USB) drives, and so on that may be relevant to the investigation.
  • Conduct a bit-for-bit copy of the evidence (if possible).
  • Document in your CoC.

  • What are the steps in computer forensics investigation methodology?

Here is the approach we can use for investigating digital evidence:

  1. Initial response to the scene (first response)
  2. Search and seizure
  3. Collect the evidence
  4. Secure the evidence
  5. Data acquisition
  6. Data analysis
  7. Evidence assessment
  8. Documentation and reporting
  9. Expert witness testimony

  • If an investigator needs to obtain information from a service provider (SP), such as billing records and subscriber information of a victim's computer, what type of warrant is issued?

An SP search warrant allows the investigator or first responder to obtain victim information such as billing records and subscriber information.

  • What is a platter?

Platters are circular metal disks that are mounted in the drive enclosure.

  • What are sectors?

Sectors are small, physical storage units located on the hard disk platter; they are 512 bytes long.

  • What is slack space?

When a filesystem allocates an entire cluster for a file, but the file size is much smaller than the full cluster available, the remaining area is known as slack space.

  • What is a GUID?

A globally unique identifier (GUID) is a 128-bit unique number generated by Windows that is used to identify things such as Component Object Model (COM) DLLs, primary key values, browser sessions, and usernames. A GUID is sometimes known as a universally unique ID (UUID).

  • What is file carving?

File carving is a technique used to recover files and fragments of files from an unallocated portion of the hard disk. This technique can be used if you can't find any file metadata.

  • What type of image file format is lossless?

Portable Network Graphics (PNG) is a lossless image format that was intended to replace Graphics Interchange Format (GIF) and Tagged Image File Format (TIFF) formats.

  • What type of image file starts with a hexadecimal (hex) value of FF D8 FF?

Joint Photographic Experts Group (JPEG) files start with this hex format.
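
The header/footer carving that the data carving and file carving answers describe, and the magic bytes from the last two questions, come together in this added Python example (not from the book): it scans a blob standing in for unallocated space for JPEG (FF D8 FF ... FF D9) and PNG (89 50 4E 47 0D 0A 1A 0A ... IEND chunk) signatures and returns the contiguous files found between them. The "unallocated space" and the two embedded images are constructed inside the script, so the carved files are not valid pictures, only correctly delimited ones.

```python
import hashlib
import os

# Header and footer signatures (magic bytes) for two common image formats.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(blob: bytes, max_size: int = 50 * 1024 * 1024) -> list:
    """Scan for header..footer pairs and return the files found, ordered by offset.

    Only contiguous, non-fragmented files are recovered; a header whose footer
    is missing (overwritten or fragmented) is skipped. A JPEG with an embedded
    EXIF thumbnail can also end early at the thumbnail's own FF D9."""
    carved = []
    for kind, (header, footer) in SIGNATURES.items():
        start = blob.find(header)
        while start != -1:
            end = blob.find(footer, start + len(header), start + max_size)
            if end == -1:
                start = blob.find(header, start + 1)
                continue
            end += len(footer)
            data = blob[start:end]
            carved.append({"type": kind, "offset": start, "size": len(data),
                           "sha256": hashlib.sha256(data).hexdigest(), "data": data})
            start = blob.find(header, end)
    return sorted(carved, key=lambda f: f["offset"])


def write_carved(carved: list, outdir: str) -> list:
    """Write each carved file as <offset>.<type> and return the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for f in carved:
        path = os.path.join(outdir, f"{f['offset']:012d}.{f['type']}")
        with open(path, "wb") as out:
            out.write(f["data"])
        paths.append(path)
    return paths


def build_unallocated() -> bytes:
    """Constructed 'unallocated space': filler that never contains 0xFF or 0x89,
    with a fake JPEG and a fake PNG embedded at known offsets."""
    filler = bytes((i * 7 + 3) % 128 for i in range(4096))
    fake_jpeg = (SIGNATURES["jpeg"][0] + b"\xe0\x00\x10JFIF\x00\x01\x01"
                 + b"\x10" * 200 + SIGNATURES["jpeg"][1])
    fake_png = (SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR"
                + b"\x00\x00\x00\x10\x00\x00\x00\x10\x08\x02\x00\x00\x00"
                + b"\x00" * 20 + b"\x00\x00\x00\x00" + SIGNATURES["png"][1])
    return filler + fake_jpeg + filler + fake_png + filler


if __name__ == "__main__":
    for f in carve(build_unallocated()):
        print(f["type"], f["offset"], f["size"], f["sha256"])
```

Hashing each carved object at carve time gives you the value to record in your CoC and to deduplicate against files that were still allocated.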

  • What is the Master Boot Record (MBR)?

The MBR holds information about partitions, the bootloader code, and information on filesystems.
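
The following Python script is an added example (not from the book) that decodes the partition table from a 512-byte MBR: the disk signature, the four 16-byte partition entries with their bootable flag, type byte and LBA start/length, the 55 AA boot signature, and a check for entries that overlap one another. The sample sector is constructed in the script; the partition layout and disk signature in it are invented.

```python
import struct

SECTOR = 512
PARTITION_TYPES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap",
    0x83: "Linux filesystem", 0xEE: "GPT protective",
}


def _overlaps(parts: list) -> list:
    """Pairs of partition indexes whose sector ranges intersect."""
    found = []
    for a in parts:
        for b in parts:
            if a["index"] < b["index"]:
                a_end = a["lba_start"] + a["sectors"]
                b_end = b["lba_start"] + b["sectors"]
                if a["lba_start"] < b_end and b["lba_start"] < a_end:
                    found.append((a["index"], b["index"]))
    return found


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 0x55AA missing; not an MBR")
    disk_signature = struct.unpack_from("<I", sector, 440)[0]
    partitions = []
    for i in range(4):
        (status, _chs_first, ptype, _chs_last,
         lba_start, n_sectors) = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        if ptype == 0 and n_sectors == 0:
            continue                        # unused slot
        partitions.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "lba_start": lba_start, "sectors": n_sectors,
            "start_byte": lba_start * SECTOR, "size_bytes": n_sectors * SECTOR,
        })
    return {
        "boot_code": sector[:440],          # bootstrap code area in the modern layout
        "disk_signature": f"{disk_signature:08x}",
        "partitions": partitions,
        "gpt_protective": any(p["type"] == 0xEE for p in partitions),
        "overlaps": _overlaps(partitions),
    }


def build_sample_mbr() -> bytes:
    """Constructed MBR: one bootable NTFS partition followed by a Linux partition."""
    mbr = bytearray(SECTOR)
    mbr[:4] = b"\x33\xc0\x8e\xd0"           # placeholder bootstrap bytes, not real boot code
    struct.pack_into("<I", mbr, 440, 0xDEADBEEF)
    entries = [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600)]
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    for p in info["partitions"]:
        print(p["index"], p["type_name"], p["start_byte"], p["size_bytes"], p["bootable"])
```

The byte offsets returned are what you pass to a forensic tool (or to a loop device) to mount a single partition out of a full-disk image, and a single 0xEE entry tells you to go read the GPT instead.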

  • Can you explain the boot process?

The boot process starts with the Power-On Self-Test (POST), where the central processing unit (CPU) accesses the ROM and Basic Input/Output System (BIOS) or Unified Extensible Firmware Interface (UEFI) on newer computers. If the computer uses BIOS, then the BIOS will check for the MBR, and once it is located, it will activate the bootloader, then pass control to the operating system to finish booting the computer. If the computer uses UEFI, it will look for the GUID Partition Table (GPT) and then activate the bootloader, before passing control to the operating system to complete the boot process.

  • What is a registry hive?

A registry hive is a grouping of subkeys, values, and keys found in the Windows Registry.

  • Can you explain the difference between the modified timestamp and the change timestamp?

A modified timestamp shows when the content of the file has been modified, while a change timestamp shows when characteristics of the file have changed, such as permissions, the name of the file, or file ownership.
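
The difference is easiest to see on a real file. The script below is an added example (not from the book) that creates a temporary file on a POSIX filesystem and records which timestamps move after a content write, after a chmod, and after the modification time is deliberately set back, which is what timestamp alteration by an anti-forensic tool amounts to. The pauses between steps are only there to defeat coarse timestamp granularity; on Windows the same field reports creation time instead, so the experiment assumes Linux or macOS.

```python
import os
import stat
import tempfile
import time


def timestamp_experiment(pause: float = 1.05) -> dict:
    """Observe which of mtime/ctime move on a content write, a chmod and a
    backdated mtime. Assumes a POSIX filesystem with nanosecond stat fields."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "evidence.txt")
        with open(path, "w") as f:
            f.write("original content\n")
        created = os.stat(path)

        time.sleep(pause)
        with open(path, "a") as f:              # content change: mtime and ctime both move
            f.write("appended line\n")
        after_write = os.stat(path)

        time.sleep(pause)
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # metadata-only change: ctime moves, mtime stays
        after_chmod = os.stat(path)

        time.sleep(pause)
        backdate = created.st_mtime_ns - 86_400 * 10**9   # one day before the file existed
        os.utime(path, ns=(backdate, backdate))           # set atime/mtime directly
        after_backdate = os.stat(path)

        return {
            "write_moved_mtime": after_write.st_mtime_ns > created.st_mtime_ns,
            "write_moved_ctime": after_write.st_ctime_ns > created.st_ctime_ns,
            "chmod_moved_mtime": after_chmod.st_mtime_ns != after_write.st_mtime_ns,
            "chmod_moved_ctime": after_chmod.st_ctime_ns > after_write.st_ctime_ns,
            # utime cannot set ctime; the kernel stamps it with the current time instead
            "backdate_set_mtime": abs(after_backdate.st_mtime_ns - backdate) < 10**9,
            "backdate_moved_ctime": after_backdate.st_ctime_ns > after_chmod.st_ctime_ns,
            "mtime_older_than_ctime": after_backdate.st_mtime_ns < after_backdate.st_ctime_ns,
        }


if __name__ == "__main__":
    for name, value in timestamp_experiment().items():
        print(f"{name:24} {value}")
```

The last two results are the forensic point: a process can write any value it likes into mtime, but ctime is stamped by the kernel, so an mtime far older than the ctime of the same file is a cue to look more closely.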

  • What is the difference between UEFI and BIOS?

One difference is that UEFI offers Secure Boot, which protects against your computer booting unsigned or unauthorized applications. UEFI also offers faster boot time, supports larger drives, and can run in 32-bit or 64-bit mode. BIOS runs in 16-bit mode.

  • Which National Institute of Standards and Technology (NIST) document covers media sanitization techniques?

NIST Special Publication (SP) 800-88 guidelines cover proper techniques for sanitizing media.

  • What is live data acquisition?

This is the process of acquiring volatile data (for example, RAM) from a computer that is turned on, but that is either locked or in sleep mode. You conduct live data acquisition (sometimes called live box forensics) to acquire volatile data because volatile data is lost when the system suffers a power outage or when the user turns the system off.

  • Why would you use write protection when acquiring evidence?

Write protection is used when acquiring images, so you do not alter the original data.

  • Can you name some functions that are offered with dcfldd and not dd?

Some of the functions offered are status output, hashing on the fly, flexible disk wipes, verifying a target drive is a bit-for-bit match, outputting to multiple disks or files at the same time, splitting output into multiple files with additional configurability, and piping the output.
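
To show what "hashing on the fly", split output and target verification mean in practice, the following Python script is an added example (not from the book and not dcfldd itself) that copies a source bit for bit in fixed-size chunks, updates a digest as each chunk passes through, splits the output into segments of a chosen size, and afterwards re-reads the segments to confirm they match. The source here is a constructed temporary file; on a real acquisition the path would be a raw device behind a write blocker, opened with the privileges that requires.

```python
import hashlib
import os
import tempfile
from typing import Optional


def image_source(src_path: str, dst_prefix: str, split_size: Optional[int] = None,
                 chunk: int = 64 * 1024, algorithm: str = "sha256") -> dict:
    """Bit-for-bit copy of src_path, hashing as it goes; optionally split into
    dst_prefix.000, .001, ... segments of split_size bytes."""
    digest = hashlib.new(algorithm)
    parts, out, in_part, total = [], None, 0, 0
    with open(src_path, "rb") as src:
        while True:
            want = chunk if split_size is None else min(chunk, split_size - in_part)
            block = src.read(want)
            if not block:
                break
            if out is None:                                # open the next segment lazily
                name = f"{dst_prefix}.{len(parts):03d}" if split_size else dst_prefix
                out = open(name, "wb")
                parts.append(name)
            out.write(block)
            digest.update(block)                           # hashing on the fly
            in_part += len(block)
            total += len(block)
            if split_size is not None and in_part == split_size:
                out.close()
                out, in_part = None, 0
    if out is not None:
        out.close()
    return {"hash": digest.hexdigest(), "parts": parts, "bytes": total}


def verify_image(parts: list, expected_hash: str, algorithm: str = "sha256",
                 chunk: int = 64 * 1024) -> bool:
    """Re-hash the segments in order and compare with the acquisition hash."""
    digest = hashlib.new(algorithm)
    for name in parts:
        with open(name, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                digest.update(block)
    return digest.hexdigest() == expected_hash


def demo() -> dict:
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "source.bin")          # constructed stand-in for a device
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096) + b"tail")  # 3 MiB + 4 bytes
        result = image_source(source, os.path.join(workdir, "evidence.img"), split_size=1024 * 1024)
        intact = verify_image(result["parts"], result["hash"])
        with open(result["parts"][-1], "r+b") as f:           # simulate a damaged last segment
            f.seek(0)
            f.write(b"X")
        damaged = verify_image(result["parts"], result["hash"])
        return {
            "parts": len(result["parts"]),
            "bytes": result["bytes"],
            "intact": intact,
            "damaged_detected": not damaged,
            "last_part_bytes": os.path.getsize(result["parts"][-1]),
        }


if __name__ == "__main__":
    print(demo())
```

Recording the digest in the CoC at the moment of acquisition, then verifying the written segments against it before the source leaves your hands, is the workflow this mirrors.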

  • Can you name some anti-forensic techniques?

Some common anti-forensic techniques include using encryption, data cleaning, using packers such as Ultimate Packer for eXecutables (UPX), using The Onion Router (TOR), altering timestamps, and using steganography.

UPX is used to compress files. A threat actor might use a packer such as this to try to get their malware past security tools that are scanning for specific file signatures.

The TOR browser is used to anonymize the internet activity of a user. This can be helpful for journalists in oppressive regimes. A threat actor might use TOR during their attack to obfuscate their actual IP address.

Steganography is simply a way to hide a message within something else. For example, a threat actor might hide illegal images within a normal image file or hide a written message within an image file.

  • Where is email stored in Thunderbird?

Email is stored within an MBOX file. An MBOX file is just a collection of email messages from the Mozilla Thunderbird email application that are stored in a single file.
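
As an added example covering both this answer and the earlier one on email metadata (it is not from the book), the script below reads a Thunderbird-style MBOX with Python's standard `mailbox` module and, for each message, extracts the sender, Reply-To, date, Message-ID and the relay path reconstructed from the Received headers, which are read bottom-up because each server prepends its own line. It also flags a Reply-To domain that differs from the From domain, a common BEC indicator. The two-message mailbox, every host name and every address in it are constructed.

```python
import mailbox
import os
import re
import tempfile
from email.utils import parseaddr, parsedate_to_datetime

# Constructed two-message MBOX (not a real mailbox). The first message is a
# spoofed "CEO" request whose Received chain points back to an unrelated relay.
SAMPLE_MBOX = """From ceo@victim.example.invalid Mon Mar  4 10:02:11 2024
Received: from mail.victim.example.invalid (mail.victim.example.invalid [198.51.100.7])
\tby mx.victim.example.invalid with ESMTP id k7Q2; Mon, 4 Mar 2024 10:02:11 +0000
Received: from relay.attacker.example.invalid (unknown [203.0.113.9])
\tby mail.victim.example.invalid with SMTP; Mon, 4 Mar 2024 10:02:05 +0000
From: "CEO" <ceo@victim.example.invalid>
Reply-To: ceo.office@mailbox.example.invalid
To: finance@victim.example.invalid
Subject: Urgent wire transfer
Date: Mon, 4 Mar 2024 10:02:00 +0000
Message-ID: <20240304100200.1@relay.attacker.example.invalid>

Please process the attached invoice today.

From alice@victim.example.invalid Mon Mar  4 11:00:00 2024
Received: from mail.victim.example.invalid (mail.victim.example.invalid [198.51.100.7])
\tby mx.victim.example.invalid with ESMTP; Mon, 4 Mar 2024 11:00:00 +0000
From: alice@victim.example.invalid
To: bob@victim.example.invalid
Subject: lunch
Date: Mon, 4 Mar 2024 11:00:00 +0000
Message-ID: <20240304110000.2@mail.victim.example.invalid>

Noon?
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def summarize_mbox(path: str) -> list:
    """One summary dict per message in the MBOX at path."""
    summaries = []
    for msg in mailbox.mbox(path, create=False):
        received = msg.get_all("Received") or []
        # Header order is newest hop first; reverse it to read the delivery path.
        hops = [m.group(1) for hdr in reversed(received)
                for m in [IP_IN_BRACKETS.search(hdr)] if m]
        from_addr = parseaddr(msg.get("From", ""))[1]
        reply_addr = parseaddr(msg.get("Reply-To", ""))[1] or from_addr
        summaries.append({
            "subject": msg.get("Subject"),
            "from": from_addr,
            "reply_to": reply_addr,
            "date": parsedate_to_datetime(msg.get("Date")).isoformat(),
            "message_id": msg.get("Message-ID"),
            "hops": hops,                       # origin first, final server last
            "reply_to_mismatch": reply_addr.split("@")[-1].lower() != from_addr.split("@")[-1].lower(),
        })
    return summaries


def demo() -> list:
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "Inbox")          # Thunderbird names the file after the folder
        with open(path, "w", newline="\n") as f:
            f.write(SAMPLE_MBOX)
        return summarize_mbox(path)


if __name__ == "__main__":
    for s in demo():
        print(s["subject"], s["from"], s["hops"], "mismatch" if s["reply_to_mismatch"] else "")
```

Only the Received lines added by servers you trust are reliable; anything below the first hop you control could have been written by the sender, which is why the origin IP is read as a lead rather than a conclusion.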

  • Where is the Google Chrome history file located?

The history file in Chrome is found in %USERS%/AppData/Local/Google/Chrome/User Data/.

  • What information can you gather from the Chrome history file?

Some information that can be obtained from the history file includes typed URLs, keyword searches, and file downloads.
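
Chrome's History file is a SQLite database, so those three kinds of information are ordinary queries once the timestamps are decoded. The following Python script is an added example (not from the book or from Google) that builds an in-memory database mirroring a subset of the History schema (`urls`, `visits`, `keyword_search_terms`, `downloads`, with columns reduced for brevity), fills it with constructed rows, and queries typed URLs, searches, downloads and the visit sequence. Chrome stores its times as microseconds since 1601-01-01 UTC, and the conversion helpers below handle that. On a real case, copy the History file out of the profile directory first, because Chrome keeps it locked while running.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_datetime(value: int) -> datetime:
    """Chrome stores times as microseconds since 1601-01-01 UTC (the WebKit epoch)."""
    return CHROME_EPOCH + timedelta(microseconds=value)


def datetime_to_chrome_time(dt: datetime) -> int:
    return (dt - CHROME_EPOCH) // timedelta(microseconds=1)   # exact integer division


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory copy of a reduced History schema with invented rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
            visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
            from_visit INTEGER, transition INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER,
            term LONGVARCHAR, normalized_term LONGVARCHAR);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, current_path LONGVARCHAR,
            target_path LONGVARCHAR, start_time INTEGER, received_bytes INTEGER,
            total_bytes INTEGER, tab_url LONGVARCHAR);
    """)

    def t(iso: str) -> int:
        return datetime_to_chrome_time(datetime.fromisoformat(iso))

    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,0)", [
        (1, "https://intranet.example.invalid/", "Intranet", 12, 5, t("2024-03-04T09:50:00+00:00")),
        (2, "https://www.example.invalid/search?q=wire+transfer+policy", "wire transfer policy",
         1, 0, t("2024-03-04T09:57:10+00:00")),
        (3, "http://files.example.invalid/invoice.pdf.exe", "", 1, 0, t("2024-03-04T09:57:51+00:00")),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t("2024-03-04T09:50:00+00:00"), 0, 1),
        (2, 2, t("2024-03-04T09:57:10+00:00"), 0, 5),
        (3, 3, t("2024-03-04T09:57:51+00:00"), 2, 0),
    ])
    conn.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
                 (2, 2, "wire transfer policy", "wire transfer policy"))
    conn.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?)",
                 (1, r"C:\Users\alice\Downloads\invoice.pdf.exe", r"C:\Users\alice\Downloads\invoice.pdf.exe",
                  t("2024-03-04T09:57:51+00:00"), 482304, 482304,
                  "http://files.example.invalid/invoice.pdf.exe"))
    return conn


def analyze_history(conn: sqlite3.Connection) -> dict:
    """Typed URLs, search terms, downloads and the chronological visit list."""
    typed = [r[0] for r in conn.execute(
        "SELECT url FROM urls WHERE typed_count > 0 ORDER BY last_visit_time")]
    searches = [(r[0], chrome_time_to_datetime(r[1]).isoformat()) for r in conn.execute(
        "SELECT k.term, u.last_visit_time FROM keyword_search_terms k "
        "JOIN urls u ON u.id = k.url_id ORDER BY u.last_visit_time")]
    downloads = [{"target_path": r[0], "source_url": r[1],
                  "started": chrome_time_to_datetime(r[2]).isoformat(), "complete": r[3] == r[4]}
                 for r in conn.execute(
                     "SELECT target_path, tab_url, start_time, received_bytes, total_bytes FROM downloads")]
    visits = [(chrome_time_to_datetime(r[0]).isoformat(), r[1]) for r in conn.execute(
        "SELECT v.visit_time, u.url FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time")]
    return {"typed_urls": typed, "searches": searches, "downloads": downloads, "visits": visits}


if __name__ == "__main__":
    for key, rows in analyze_history(build_sample_history()).items():
        print(key, rows)
```

Against a real copy, replace `build_sample_history()` with `sqlite3.connect("file:History?mode=ro", uri=True)` so the evidence copy is never written to.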

  • What does the HKEY_CLASSES_ROOT registry key contain?

It contains the file extension association information and programmatic ID (ProgID), class ID (CLSID), and interface ID (IID) data.

  • What does the HKEY_CURRENT_USER registry contain?

This registry key contains the configuration information (that is, wallpaper preference, screen colors, display settings) related to the user currently logged on.

  • What does the HKEY_USERS registry key contain?

This registry key contains information about all the active user profiles on the system.

  • Which tools can be used to analyze Windows Registry?

Some tools you could use are regedit, RegRipper, Process Monitor (ProcMon), Registry Viewer, and ProDiscover.

  • Can you provide a registry key that threat actors frequently add malicious entries to in order to maintain persistence?

The Run key often has malicious entries. For example, APT29 commonly adds a spool.exe entry to the registry key.
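
For the defensive side of that question, the script below is an added example (not from the book) that parses an exported `.reg` file, keeps only values under the Run and RunOnce keys named in the persistence answer above, resolves each command line to its executable path, and flags images that live in user-writable locations. The export, the value names and the paths (including a `spool.exe` entry, the name the answer mentions) are constructed; the writable-location list is a triage heuristic, not a verdict, since legitimate software such as the OneDrive entry also autostarts from the user profile. Real `.reg` exports are UTF-16 with a byte-order mark, so open them with `encoding="utf-16"`.

```python
import re

# Constructed .reg export of per-user autostart keys (not from a real system).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\spool.exe"
"Helper"="\"C:\\Users\\Public\\helper.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\Temp\\cleanup.exe -q"
'''

AUTOSTART_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
# Locations an unprivileged user can write to (heuristic list, extend as needed).
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local\temp", r"\users\public",
                 r"\windows\temp", r"\programdata")
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')


def unescape(text: str) -> str:
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes a quote."""
    return re.sub(r"\\(.)", r"\1", text)


def image_path(command: str) -> str:
    """The executable in a command line: the quoted path if present, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def parse_reg_autostart(text: str) -> list:
    """String values under Run/RunOnce keys from a .reg export."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if m and current and current.endswith(AUTOSTART_KEYS):
            command = unescape(m["value"])
            entries.append({"key": current, "name": unescape(m["name"]),
                            "command": command, "image": image_path(command)})
    return entries


def triage(entries: list) -> list:
    """Entries whose executable sits in a user-writable location."""
    return [e for e in entries
            if any(marker in e["image"].lower() for marker in USER_WRITABLE)]


if __name__ == "__main__":
    for e in triage(parse_reg_autostart(SAMPLE_REG)):
        print(e["key"].rsplit("\\", 1)[-1], e["name"], e["image"])
```

Each flagged image should then be hashed and checked for a valid signature; the location alone only decides what to look at first.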

  • What sort of data should you collect in the event of a website attack?

Some data that should be collected includes the following:

  • The date and time at which HyperText Transfer Protocol (HTTP) requests were sent
  • The source IP address of the request
  • Which HTTP method was used (GET, POST, and so on)
  • HTTP query information
  • A full set of HTTP headers and the full HTTP request body
  • Any event logs
  • Any file listings and timestamps
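
Most of the items in that list can be pulled from the web server's own access log. The script below is an added example (not from the book) that parses constructed Apache/nginx "combined" format lines into the date and time, source IP, method, path, query, status, referer and user agent, orders them chronologically, and marks requests whose decoded path or query shows path traversal or a simple SQL injection pattern. The IP addresses and requests are invented; note that access logs carry only the request line and a couple of headers, so the full header set and request body the list asks for have to come from a proxy, WAF or packet capture.

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed "combined" log lines, not from a real server.
SAMPLE_LOG = """\
203.0.113.9 - - [04/Mar/2024:10:01:14 +0000] "GET /login?user=admin'%20OR%20'1'%3D'1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.23 - - [04/Mar/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Mar/2024:10:01:20 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 198 "-" "curl/8.4.0"
198.51.100.23 - - [04/Mar/2024:10:03:45 +0000] "POST /contact HTTP/1.1" 302 0 "https://www.example.invalid/index.html" "Mozilla/5.0"
"""

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Detection patterns applied to the URL-decoded request target (heuristics).
SUSPICIOUS = {
    "path_traversal": re.compile(r"(?:\.\./|\.\.\\)"),
    "sql_injection": re.compile(r"'\s*(?:or|and)\s*'", re.IGNORECASE),
}


def parse_line(line: str):
    """Structured record for one log line, or None if it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    decoded = unquote_plus(m["target"])
    return {
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "src_ip": m["ip"],
        "method": m["method"],
        "path": path,
        "query": query,
        "status": int(m["status"]),
        "referer": m["referer"],
        "user_agent": m["ua"],
        "flags": [name for name, rx in SUSPICIOUS.items() if rx.search(decoded)],
    }


def parse_log(text: str) -> list:
    """All parseable records, chronologically (log order is not guaranteed)."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return sorted(records, key=lambda r: r["time"])


def flagged_sources(records: list) -> dict:
    """Map source IP -> set of detection names it triggered."""
    out = {}
    for r in records:
        for flag in r["flags"]:
            out.setdefault(r["src_ip"], set()).add(flag)
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["time"].isoformat(), r["src_ip"], r["method"], r["path"], r["status"], r["flags"])
    print(flagged_sources(recs))
```

The timestamps keep their offset so that records from servers in different time zones sort correctly when combined into a single timeline.
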

  • Can you briefly explain the MySQL architecture?

MySQL is a relational database management system (RDBMS) that allows you to manage large databases using Structured Query Language (SQL) queries. The MySQL architecture consists of a client layer, a storage layer, and a server layer.

  • What is database forensics?

Database forensics is the examination of databases and related metadata using forensically sound practices to ensure the findings are admissible in a court of law.

  • Where does the Microsoft SQL (MSSQL) server store data and logs?

It stores them in primary data files (Main Database Files, or MDFs), secondary data files (SQL Server Secondary Database Files, or NDFs), and transaction log data files (Log Database Files, or LDFs).

  • In which directory does the MySQL Server store status and log files?

It stores status and log files, along with other data managed by the server, under the data directory.

  • What are some common types of cloud models?

Common types include public, private, community, and hybrid.

  • Can you list the categories of cloud crimes?

The categories of cloud crimes are listed here:

  • Cloud as a subject, which refers to a crime in which attackers try to compromise the security of a cloud environment to steal data or inject malware—for example, stealing credentials of a cloud account and leveraging the credentials to delete or modify data stored in the cloud environment.
  • Cloud as an object, which refers to an attacker leveraging the cloud environment to conduct an attack against the CSPs. Distributed Denial of Service (DDoS) attacks are an example of an attack that is leveraged against CSPs.
  • Cloud as a tool, which refers to when an attacker uses one compromised cloud account to attack other accounts. In these situations, the source and destinations of the attack can yield evidence for your case.

  • What are some common cloud threats?

Some common threats involved in using cloud environments include data breaches, data loss, abuse of native cloud services for attacks, insecure application programming interfaces (APIs), security misconfigurations, a lack of accountability for keeping data safe, not clearly identifying who owns the responsibility for the security of data, a lack of user ID federation, lack of visibility, multi-tenancy security concerns, and a lack of compliance.

  • Can you provide examples of crimes that are supported by email capabilities?

Some crimes include business email compromise (BEC), identity theft, cyberstalking, and crimes targeting children.

  • Can you name some tools used for collecting and analyzing emails?

Tools that can be used for email collection and analysis include Stellar Phoenix Deleted Email Recovery, FTK, Paraben E-mail Examiner, and Kernel for Outlook PST Recovery.

  • What is the purpose of the Stellar Phoenix Deleted Email Recovery software?

It helps you recover lost or deleted emails from MS Outlook data (Personal Storage Table, or PST) files and Outlook Express Mail Database (DBX) files.

Paraben's E-mail Examiner helps you examine different email formats, including Outlook (PST and Offline Storage Table (OST)), Thunderbird, Outlook Express, Windows Mail, and more. The tool allows the analysis of message headers, bodies, and attachments. It also helps recover email from deleted folders, offers support for advanced searching and reporting, and offers an export capability to PST and other formats.

  • What information can you find on a subscriber identity module (SIM) card?

You can locate information such as contacts, messages, timestamps, integrated circuit card ID (ICCID), the last numbers dialed, and the SP name.

  • What is the International Mobile Equipment Identifier (IMEI)?

The IMEI is a 15-digit unique number on the handset that identifies mobile equipment.

  • In which locations can you find evidence on mobile devices?

Some locations include the internal memory, the external memory, and the SIM card.

  • Can you name a tool that can be used to gather information from Facebook and Twitter?

Bulk Extractor is one tool that can be used to collect and analyze social media artifacts from a captured memory file or forensic image.

  • What are some benefits of solid-state drives (SSDs)?

In comparison to traditional hard drives, SSDs offer increased reliability, weigh less, increase the data access speed, and help reduce power consumption.

  • What is the master file table (MFT)?

The MFT tracks the files in the volume and essentially manages them.

There are many locations where a digital forensic investigator could find evidence on a system. For job interviews, it is important to be familiar with some of the common types of data that can be acquired and their location.

Summary

In this chapter, you learned about the job of a digital forensic analyst and what to expect in terms of an average salary. You also learned the two main types of data that can be collected in a digital forensic investigation—volatile and non-volatile data—and some of the most common interview questions you may face from a hiring manager. You also learned about some tasks and investigations you might be involved in as a digital forensic investigator.

In the next chapter, we will discuss a cryptanalyst's career path.
