[nflug] Forensics and entering the field [long read]

matt donovan kitchetech at gmail.com
Sun Mar 18 19:48:25 EDT 2007


I know someone who teaches the SANS class.  He's still going to college, but
he has the cert for it, and he said it's the best thing to know how to
do.  He mostly does system forensics, but he does network as well if he wants
to; he doesn't use honeynets or any of those other things.  But anyway, you
can just use dd to make an image of the hard drive and look at it with a hex
editor if you want; that's how filesystem forensics is done.  There are other
tools as well, but dd works best if using Linux to look at the hard drive.

On 3/18/07, Brad Bartram <brad.bartram at gmail.com> wrote:
>
> Hey everyone;
>
> While at the meeting yesterday, some people came up to me and asked
> about getting into forensics and security.  I thought about sending
> individual replies, but in further thinking, I figured there is
> probably enough interest that I'd post my $.02 to the general list for
> everyone's benefit.
>
> I want to preface this with the fact that I am not an expert in this
> field, nor should I be considered an authoritative source.  I just
> tend to be involved and hang around with people and organizations that
> do this stuff for a living in a much more serious context than I.
> With that said, I've had some very valuable advice given to me and
> figured out a few things along the way that hopefully I can pass
> along.
>
> To anyone looking to get into the field of security, I would first
> recommend finding a topic within the realm of security that you want
> to get into.  The general term "security" is a mile wide and a mile
> deep - kind of like saying you want to get into "computers" or
> "networks".
>
> Within the realm of security, you have such great topics as risk
> management, intrusion detection, intrusion prevention, encryption,
> firewalls, filtering, forensics, and on and on.  To focus on one
> particular area, forensics, there are two major subdivisions - system
> forensics and network forensics.  System forensics is what happens
> when hard drives and digital media / devices are deconstructed and
> relevant information is discovered, extracted, or recovered.  Network
> forensics is tracking down who did what when and where using the
> network communications and devices, which is what honeywalls /
> honeypots / honeynets facilitate, like we discussed yesterday.
>
> So, in using those two forensics areas, how does one prepare to break
> into the field?  Let's first talk about the skills necessary, starting
> with Network forensics.
>
> Ironically, I believe that most of the people on this list would find
> the skills necessary to break into positions relating to network
> forensics are already in their arsenal.  The core skills tend to be a
> thorough understanding of networks, i.e., how networks work on the
> fundamental levels - protocols, application specific nuances, routing,
> etc.  The next big skill is knowing the services that run on networks.
>
> What does an HTTP session look like?  How about an SMTP connection?
> These are the types of things that are helpful to know, and really
> can't be brute-force learned effectively.  These are the types of
> things that experience teaches.
>
> The next big skill set is to master the tools.  Wireshark / Ethereal,
> Snort, and iptables are open-source tools that are used in every lab I've
> worked in for network forensics.  grep, regex, find, netstat, netcat,
> etc. are great to know as well.  Don't forget some programming
> languages - shell, Perl, Python, PHP, C.
>
> As you might be able to tell, if you work as an admin on a largish or
> busy network, chances are, you are on your way to a possible new
> career opportunity with only incremental changes.
>
> The other area is in system forensics.  This is an area where knowing
> the theory of data storage and methods is critical.  Most people that
> I've met, aside from some really interesting folks, don't tend to
> think at this level.  Most people are much more comfortable dealing
> with interfaces or APIs rather than raw bits and bytes.
>
> To enter the world of system forensics, with any seriousness, get used
> to working on Windows machines.  Understand the underlying mechanics
> of filesystems.  FAT12, FAT16, FAT32, NTFS - know how they work and
> order data.  Know how they handle deleted files.  Know how they
> allocate clusters and files within clusters.  Be comfortable working
> with hex editors and binary.  Learn what files are constructed in what
> ways - how is a JPEG different from a WAV or DOC at a filesystem or
> binary level.
>
> Once you have the Windows stuff down, then learn the ins and outs of
> the various Linux filesystems - ext2, ext3, ReiserFS, XFS, etc., as well
> as Mac filesystems and other less common filesystems.
>
> Once you have the basics down, learn the tools of the trade: EnCase
> and FTK (Forensic Toolkit).  Both of these are Windows tools and are
> very, very good at what they do.
>
> Unlike network forensics, system forensics has no really show-stopping
> tools in the open-source realm.  Yes, there are disk editors and
> forensic tools like TCT (The Coroner's Toolkit) and Sleuth Kit, but
> they are far from mature.  It's sad to say, but ancient tools such as
> Norton's DiskEdit for DOS are much nicer and fuller featured than the
> comparable Linux equivalents.
>
> To get practical experience - get nice and comfortable with virtual
> machines like Virtual PC or VMware.  Then go to town destroying files
> on the images and recovering them.
>
> A decent book that is a pretty decent reference, though it does have
> its limitations, is the Thomson / Course Technology - Guide to
> Computer Forensics and Investigations.  It comes with evaluation
> versions of EnCase and FTK as well as sample image files that you can
> use to get comfortable with using the software.  This should be
> available through amazon.com for about $60.
>
> Once you have all the technical stuff down, set a direction for where
> you want to be employed.  The private sector is very active with
> security and especially forensics professionals - but not in Buffalo.
> You may get lucky and find a position with a bank or a major company -
> but most corporate positions are in other areas (New York, Washington
> DC, etc.)
>
> Of course, there is also the public sector route.  Depending on your
> personal ethics and ideals - law enforcement is always looking for
> qualified, experienced people to work in high technology positions.
> At the federal level, there are many scholarship opportunities and
> other incentives to make service more attractive.
>
> Which brings me to my final point.  If you are interested in a career
> in security - any security sector - in any major way, you must have a
> clean background.  Major positions both in the public and private
> sector require thorough background checks including credit histories.
> Certain government positions will require interviews with neighbors
> and personal friends as well as polygraph tests.  If you want to
> pursue this type of career path, consider this aspect as well as your
> technical skills and abilities.
>
> For those interested, there are many resources out there both online
> and offline.  If you have a degree already, think about pursuing a
> graduate degree in Information Assurance or even just going for a
> certificate program.  If you don't have a degree, think about getting
> one in Comp Sci, Computer Engineering, Forensic Science, or even like
> my degree - Economic Crime Investigations with a Computer Security
> minor.  At the very least, think about picking up some vendor
> certifications - Cisco, CompTIA (Security+), ISC2 certs, EnCase, or
> FTK certs are great ones.
>
> At the very least, get active in the field by talking to people and
> networking.  Know who the major people are in the area for this type
> of work (or any desired field for that matter), and continually make
> contacts.
>
> This got quite a bit longer than I really expected - but hopefully
> someone finds my words of "wisdom" useful.
>
> Brad
> _______________________________________________
> nflug mailing list
> nflug at nflug.org
> http://www.nflug.org/mailman/listinfo/nflug
>
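Brad's advice to learn how FAT allocates clusters and handles deleted files, and to practice destroying and recovering files on an image, can be exercised without any real media, and the result is exactly what Matt's dd-plus-hex-editor workflow would show you. The following is an added example, not code from either poster: it constructs a tiny FAT12 volume in a bytearray, decodes the BIOS Parameter Block, deletes a file the way the filesystem does (byte 0 of the directory entry overwritten with 0xE5, cluster chain freed, data left in place), then shows why walking the FAT chain no longer returns the whole file and recovers it by assuming the clusters were contiguous. File names, contents and the volume geometry are constructed sample data; the field offsets follow the FAT12 on-disk format.

```python
import struct

DELETED_MARK = 0xE5   # FAT overwrites byte 0 of a directory entry with this on delete
NOTES = b"Meeting notes: bring imaging kit and write blocker.\n"   # constructed sample data
SECRET = b"CONFIDENTIAL " * 50   # constructed; 650 bytes, so it spans two 512-byte clusters

def fat12_get(img, fat_off, n):
    """12-bit FAT entry for cluster n: entries are packed 1.5 bytes apart."""
    off = fat_off + n + n // 2
    pair = img[off] | (img[off + 1] << 8)
    return pair >> 4 if n & 1 else pair & 0x0FFF

def fat12_set(img, fat_off, n, value):
    off = fat_off + n + n // 2
    if n & 1:
        img[off] = (img[off] & 0x0F) | ((value << 4) & 0xF0)
        img[off + 1] = (value >> 4) & 0xFF
    else:
        img[off] = value & 0xFF
        img[off + 1] = (img[off + 1] & 0xF0) | ((value >> 8) & 0x0F)

def parse_bpb(img):
    """Decode the BIOS Parameter Block in sector 0 into the byte offsets the rest needs."""
    if img[510:512] != b"\x55\xAA":
        raise ValueError("missing boot sector signature")
    bps, spc, reserved, nfats, root_entries, _, _, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    root_bytes = ((root_entries * 32 + bps - 1) // bps) * bps
    return dict(bps=bps, spc=spc, root_entries=root_entries, fat_off=reserved * bps,
                root_off=(reserved + nfats * spf) * bps,
                data_off=(reserved + nfats * spf) * bps + root_bytes)

def cluster_offset(bpb, n):
    return bpb["data_off"] + (n - 2) * bpb["spc"] * bpb["bps"]   # data clusters start at 2

def dir_entry(name, first_cluster, size):   # 8.3 name, archive attribute, zero timestamps
    return name.ljust(11) + b"\x20" + bytes(14) + struct.pack("<HI", first_cluster, size)

def build_image():
    """Constructed FAT12 volume: 16 sectors, 1 reserved, 1 FAT, 1-sector root dir, 2 files."""
    img = bytearray(16 * 512)
    img[0:11] = b"\xEB\x3C\x90MSWIN4.1"
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors, media, sectors/FAT
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 1, 16, 16, 0xF0, 1)
    img[510:512] = b"\x55\xAA"
    bpb = parse_bpb(img)
    for n, v in ((0, 0xFF0), (1, 0xFFF), (2, 0xFFF), (3, 4), (4, 0xFFF)):
        fat12_set(img, bpb["fat_off"], n, v)   # NOTES.TXT = cluster 2; SECRET.TXT = 3 -> 4 -> end
    root = bpb["root_off"]
    img[root:root + 64] = dir_entry(b"NOTES   TXT", 2, len(NOTES)) + dir_entry(b"SECRET  TXT", 3, len(SECRET))
    img[cluster_offset(bpb, 2):cluster_offset(bpb, 2) + len(NOTES)] = NOTES
    img[cluster_offset(bpb, 3):cluster_offset(bpb, 3) + len(SECRET)] = SECRET
    return img

def root_entries(img, bpb):
    """List root directory entries, including the deleted ones a normal listing hides."""
    out = []
    for i in range(bpb["root_entries"]):
        e = img[bpb["root_off"] + 32 * i:bpb["root_off"] + 32 * i + 32]
        if e[0] == 0:
            break                      # nothing used past this point
        if e[11] & 0x08:
            continue                   # volume label or long-name entry
        first, size = struct.unpack_from("<HI", e, 26)
        out.append(dict(name=bytes(e[:11]), deleted=e[0] == DELETED_MARK, first_cluster=first, size=size))
    return out

def read_live(img, bpb, entry):
    """Read a file the way the filesystem does: follow the FAT chain from the first cluster."""
    csize = bpb["spc"] * bpb["bps"]
    data, n, remaining = bytearray(), entry["first_cluster"], entry["size"]
    while 2 <= n < 0xFF8 and remaining > 0:
        off = cluster_offset(bpb, n)
        data += img[off:off + min(csize, remaining)]
        remaining -= csize
        n = fat12_get(img, bpb["fat_off"], n)
    return bytes(data)

def delete_file(img, bpb, name):
    """What FAT does on delete: free the chain, set byte 0 of the entry to 0xE5, touch nothing else."""
    for i in range(bpb["root_entries"]):
        off = bpb["root_off"] + 32 * i
        if bytes(img[off:off + 11]) == name:
            n = struct.unpack_from("<H", img, off + 26)[0]
            while 2 <= n < 0xFF8:
                nxt = fat12_get(img, bpb["fat_off"], n)
                fat12_set(img, bpb["fat_off"], n, 0)
                n = nxt
            img[off] = DELETED_MARK
            return True
    return False

def recover_deleted(img, bpb, entry):
    """The chain is gone, so assume contiguous storage from the first cluster and that the
    clusters were not reused since; the entry's size field bounds the read."""
    off = cluster_offset(bpb, entry["first_cluster"])
    return bytes(img[off:off + entry["size"]])

if __name__ == "__main__":
    img = build_image()
    bpb = parse_bpb(img)
    delete_file(img, bpb, b"SECRET  TXT")
    for e in root_entries(img, bpb):   # chain walk truncates the deleted file; contiguous read recovers it
        print(e["name"], e["deleted"], len(read_live(img, bpb, e)), len(recover_deleted(img, bpb, e)))
```

The same functions work on a dd image of a real FAT floppy or USB stick read into a bytearray; only the offsets computed from the BPB change. Two caveats a practitioner should keep in mind: the contiguity assumption in recover_deleted is the same one commercial undelete tools make for FAT, and it fails for fragmented files, and a recovered entry says nothing about whether the clusters were reused after deletion, so compare the recovered bytes against what the file type's header should look like (the "how is a JPEG different from a WAV" point above) before trusting them.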