[nflug] Forensics and entering the field [long read]

Brad Bartram brad.bartram at gmail.com
Sun Mar 18 14:42:05 EDT 2007


Hey everyone;

While at the meeting yesterday, some people came up to me and asked
about getting into forensics and security.  I thought about sending
individual replies, but in further thinking, I figured there is
probably enough interest that I'd post my $.02 to the general list for
everyone's benefit.

I want to preface this with the fact that I am not an expert in this
field, nor should I be considered an authoritative source.  I just
tend to be involved and hang around with people and organizations that
do this stuff for a living in a much more serious context than I.
With that said, I've had some very valuable advice given to me and
figured out a few things along the way that hopefully I can pass
along.

To anyone looking to get into the field of security, I would first
recommend finding a topic within the realm of security that you want
to get into.  The general term "security" is a mile wide and a mile
deep - kind of like saying you want to get into "computers" or
"networks".

Within the realm of security, you have such great topics as risk
management, intrusion detection, intrusion prevention, encryption,
firewalls, filtering, forensics, and on and on.  To focus on one
particular area, forensics, there are two major subdivisions - system
forensics and network forensics.  System forensics is what happens
when hard drives and digital media / devices are deconstructed and
relevant information is discovered, extracted, or recovered.  Network
forensics is tracking down who did what when and where using the
network communications and devices, which is what honeywalls /
honeypots / honeynets facilitate, like we discussed yesterday.

So, in using those two forensics areas, how does one prepare to break
into the field?  Let's first talk about the skills necessary, starting
with Network forensics.

Ironically, I believe that most of the people on this list would find
the skills necessary to break into positions relating to network
forensics are already in their arsenal.  The core skills tend to be a
thorough understanding of networks, i.e., how networks work on the
fundamental levels - protocols, application specific nuances, routing,
etc.  The next big skill is knowing the services that run on networks.

What does an http session look like?  How about an smtp connection?
These are the types of things that are helpful to know, and really
can't be brute-force learned effectively.  These are the types of
things that experience teaches.
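To make the "what does an HTTP session or SMTP connection look like" question concrete, here is an added Python example (not part of Brad's post). It works on two constructed byte strings that stand in for what you get after reassembling a TCP conversation in Wireshark (client and server text interleaved in the order it was sent); the hostnames, addresses and message contents are made up, and the HTTP helper assumes a request without a body.

```python
"""Triage of reassembled HTTP and SMTP streams (added example, not from the post)."""
import re

# Constructed sample captures: both directions of each conversation, in order.
HTTP_STREAM = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: constructed-sample\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
)
SMTP_STREAM = (
    b"220 mail.example.com ESMTP\r\n"
    b"HELO client.example.net\r\n"
    b"250 mail.example.com\r\n"
    b"MAIL FROM:<alice@example.net>\r\n"
    b"250 OK\r\n"
    b"RCPT TO:<bob@example.com>\r\n"
    b"250 OK\r\n"
    b"DATA\r\n"
    b"354 End data with <CR><LF>.<CR><LF>\r\n"
    b"Subject: hello\r\n\r\nbody text\r\n.\r\n"
    b"250 Queued\r\n"
    b"QUIT\r\n"
    b"221 Bye\r\n"
)

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/(\d\.\d)$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3}) ?(.*)$")


def classify(stream):
    """Guess the application protocol from the first line of the stream."""
    first = stream.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if REQUEST_LINE.match(first):
        return "http"
    if first.startswith("220 "):      # SMTP server greeting (RFC 5321 reply code)
        return "smtp"
    return "unknown"


def _headers(lines):
    """Header lines -> dict with lower-cased names."""
    return {k.strip().lower(): v.strip()
            for k, v in (l.split(":", 1) for l in lines if ":" in l)}


def summarize_http(stream):
    """Request line, Host, status, and declared vs. actual body length.
    Assumes the request has no body, so the first blank line ends it."""
    req_head, rest = stream.split(b"\r\n\r\n", 1)
    resp_head, body = rest.split(b"\r\n\r\n", 1)
    req_lines = req_head.decode("ascii", "replace").split("\r\n")
    resp_lines = resp_head.decode("ascii", "replace").split("\r\n")
    method, path, _ = REQUEST_LINE.match(req_lines[0]).groups()
    resp_headers = _headers(resp_lines[1:])
    return {"method": method, "path": path,
            "host": _headers(req_lines[1:]).get("host"),
            "status": int(STATUS_LINE.match(resp_lines[0]).group(1)),
            "declared_length": int(resp_headers.get("content-length", 0)),
            "actual_length": len(body)}   # a mismatch hints at a truncated capture


def summarize_smtp(stream):
    """Recover the envelope (sender, recipients) and whether the server queued it."""
    sender, recipients, accepted = None, [], False
    state = "command"
    for raw in stream.split(b"\r\n"):
        line = raw.decode("ascii", "replace")
        if state == "data":
            if line == ".":                 # end-of-data marker; next reply is the verdict
                state = "verdict"
        elif state == "verdict":
            accepted = line.startswith("250")
            state = "command"
        elif state == "await354":
            state = "data" if line.startswith("354") else "command"
        elif line.upper().startswith("MAIL FROM:"):
            sender = line.split(":", 1)[1].strip().strip("<>")
        elif line.upper().startswith("RCPT TO:"):
            recipients.append(line.split(":", 1)[1].strip().strip("<>"))
        elif line.upper() == "DATA":
            state = "await354"
    return {"sender": sender, "recipients": recipients, "accepted": accepted}


if __name__ == "__main__":
    for name, stream in (("http", HTTP_STREAM), ("smtp", SMTP_STREAM)):
        kind = classify(stream)
        summary = summarize_http(stream) if kind == "http" else summarize_smtp(stream)
        print(name, "->", kind, summary)
```

The point of the exercise is the shape of each dialogue: HTTP is one request block followed by one response block, while SMTP is a command/reply lockstep where the envelope lives in MAIL FROM and RCPT TO, not in the message headers. The declared-versus-actual length check is the kind of small consistency test that flags a truncated or tampered capture.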

The next big skill set is to master the tools.  Wireshark / Ethereal,
Snort, and iptables are open-source tools that are used in every lab I've
worked in for network forensics.  grep, regex, find, netstat, netcat,
etc. are great to know as well.  Don't forget some programming
languages - shell, Perl, Python, PHP, C.

As you might be able to tell, if you work as an admin on a largish or
busy network, chances are, you are on your way to a possible new
career opportunity with only incremental changes.

The other area is in system forensics.  This is an area where knowing
the theory of data storage and methods is critical.  Most people that
I've met, aside from some really interesting folks, don't tend to
think at this level.  Most people are much more comfortable dealing
with interfaces or APIs rather than raw bits and bytes.

To enter the world of system forensics, with any seriousness, get used
to working on Windows machines.  Understand the underlying mechanics
of filesystems.  FAT12, FAT16, FAT32, NTFS - know how they work and
order data.  Know how they handle deleted files.  Know how they
allocate clusters and files within clusters.  Be comfortable working
with hex editors and binary.  Learn what files are constructed in what
ways - how is a JPEG different from a WAV or DOC at a filesystem or
binary level.

Once you have the Windows stuff down, then learn the ins and outs of
the various Linux filesystems - ext2, ext3, ReiserFS, XFS, etc., as well
as Mac filesystems and other less common filesystems.

Once you have the basics down, learn the tools of the trade: EnCase
and FTK (Forensic Toolkit).  Both of these are Windows tools and are
very, very good at what they do.

Unlike network forensics, system forensics has no really show-stopping
tools in the open-source realm.  Yes, there are disk editors and
forensic tools like TCT (The Coroner's Toolkit) and The Sleuth Kit, but
they are far from mature.  It's sad to say, but ancient tools such as
Norton's DiskEdit for DOS are much nicer and fuller featured than the
comparable Linux equivalents.

To get practical experience - get nice and comfortable with virtual
machines like Virtual PC or VMware.  Then go to town destroying files
on the images and recovering them.
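As an added example for the "destroy files and recover them" exercise and the earlier point about how a JPEG differs from a WAV at the byte level (this is my addition, not code from Brad's post), the Python below builds a tiny constructed disk image with a FAT-style cluster layout, plants a JPEG and a WAV whose directory entry is assumed to be gone, and then carves both back out purely from their magic bytes. The sample files are hand-built headers, not real media, and the 512-byte cluster size is an assumption.

```python
"""Signature-based carving over a constructed disk image (added example, not from the post).

Files in the image begin on cluster boundaries. One file has been "deleted"
(no directory entry survives) but its clusters were never overwritten; the
carver ignores filesystem metadata and finds files by their magic bytes alone.
"""
import struct

CLUSTER = 512          # constructed cluster size (assumption)

# Constructed JPEG: SOI marker + minimal JFIF APP0 segment + padding + EOI marker.
JPEG_SAMPLE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\x00" * 40 + b"\xff\xd9")

# Constructed WAV: RIFF header, 16-byte PCM "fmt " chunk, 32 bytes of fake samples.
_WAV_DATA = b"\x01\x02" * 16
WAV_SAMPLE = (b"RIFF" + struct.pack("<I", 4 + (8 + 16) + (8 + len(_WAV_DATA))) + b"WAVE"
              + b"fmt " + struct.pack("<I", 16)
              + struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
              + b"data" + struct.pack("<I", len(_WAV_DATA)) + _WAV_DATA)


def build_image():
    """Eight zero-filled clusters; JPEG at cluster 1, 'deleted' WAV at cluster 4."""
    img = bytearray(CLUSTER * 8)
    img[CLUSTER * 1:CLUSTER * 1 + len(JPEG_SAMPLE)] = JPEG_SAMPLE
    img[CLUSTER * 4:CLUSTER * 4 + len(WAV_SAMPLE)] = WAV_SAMPLE
    return bytes(img)


def carve_jpeg(img, start):
    """JPEG carries no length field: run from SOI to the next EOI marker (FF D9)."""
    end = img.find(b"\xff\xd9", start)
    return None if end == -1 else img[start:end + 2]


def carve_wav(img, start):
    """RIFF stores its length: chunk size at offset 4 plus the 8-byte RIFF header."""
    if img[start + 8:start + 12] != b"WAVE":
        return None                      # RIFF is also used by AVI etc.; accept only WAVE
    size = struct.unpack_from("<I", img, start + 4)[0] + 8
    return None if start + size > len(img) else img[start:start + size]


# (magic bytes, label, carver) - the two file types the post contrasts.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", carve_jpeg),
    (b"RIFF", "wav", carve_wav),
]


def carve(img, step=CLUSTER):
    """Scan for signatures at each cluster boundary and carve what is found.
    Returns (offset, kind, length, data) tuples. step=1 also catches files
    embedded inside other files, at the cost of more false positives."""
    found = []
    for offset in range(0, len(img), step):
        for magic, kind, handler in SIGNATURES:
            if img.startswith(magic, offset):
                data = handler(img, offset)
                if data is not None:
                    found.append((offset, kind, len(data), data))
    return found


if __name__ == "__main__":
    for offset, kind, length, data in carve(build_image()):
        print(f"cluster {offset // CLUSTER}: {kind}, {length} bytes, head {data[:4].hex()}")
```

The contrast between the two carvers is the lesson: a RIFF/WAV file tells you its own size, so a carve can be exact, while a JPEG has to be walked to its end marker, which is why a fragmented JPEG on a real disk often comes back corrupted. On a real image you would run the same scan over the raw device or a dd copy rather than a bytearray.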

A decent book that is a pretty decent reference, though it does have
its limitations, is the Thomson / Course Technology - Guide to
Computer Forensics and Investigations.  It comes with evaluation
versions of EnCase and FTK as well as sample image files that you can
use to get comfortable with using the software.  This should be
available through amazon.com for about $60.

Once you have all the technical stuff down, set a direction for where
you want to be employed.  The private sector is very active with
security and especially forensics professionals - but not in Buffalo.
You may get lucky and find a position with a bank or a major company -
but most corporate positions are in other areas (New York, Washington
DC, etc.)

Of course, there is also the public sector route.  Depending on your
personal ethics and ideals - law enforcement is always looking for
qualified, experienced people to work in high technology positions.
At the federal level, there are many scholarship opportunities and
other incentives to make service more attractive.

Which brings me to my final point.  If you are interested in a career
in security - any security sector - in any major way, you must have a
clean background.  Major positions both in the public and private
sector require thorough background checks including credit histories.
Certain government positions will require interviews with neighbors
and personal friends as well as polygraph tests.  If you want to
pursue this type of career path, consider this aspect as well as your
technical skills and abilities.

For those interested, there are many resources out there both online
and offline.  If you have a degree already, think about pursuing a
graduate degree in Information Assurance or even just going for a
certificate program.  If you don't have a degree, think about getting
one in Comp Sci, Computer Engineering, Forensic Science, or even like
my degree - Economic Crime Investigations with a Computer Security
minor.  At the very least, think about picking up some vendor
certifications - Cisco, CompTIA (Security+), ISC2 certs, EnCase, or
FTK certs are great ones.

At the very least, get active in the field by talking to people and
networking.  Know who the major people are in the area for this type
of work (or any desired field for that matter), and continually make
contacts.

This got quite a bit longer than I really expected - but hopefully
someone finds my words of "wisdom" useful.

Brad
_______________________________________________
nflug mailing list
nflug at nflug.org
http://www.nflug.org/mailman/listinfo/nflug



More information about the nflug mailing list