[nflug] Forensics and entering the field [long read]

matt donovan kitchetech at gmail.com
Sun Mar 18 20:19:18 EDT 2007


Wanted to add that SANS forensics is all about open source, it seems. I read
their page and they use Helix for their classes.

On 3/18/07, matt donovan <kitchetech at gmail.com> wrote:
>
> I know someone that teaches the SANS class. He's still going to college, but
> he has the cert for it, and it's the best thing, he said, to know how to
> do. He mostly does system forensics, but he does network as well if he wants
> to, but he doesn't use honeynets or any of those other things. But anyway, you
> can just use dd to make an image of the hard drive and look at it with a hex
> editor if you want; that's how filesystem forensics is done. There are other
> tools as well, but dd works best if using Linux to look at the hard drive.
>
> On 3/18/07, Brad Bartram <brad.bartram at gmail.com> wrote:
> >
> > Hey everyone;
> >
> > While at the meeting yesterday, some people came up to me and asked
> > about getting into forensics and security.  I thought about sending
> > individual replies, but in further thinking, I figured there is
> > probably enough interest that I'd post my $.02 to the general list for
> > everyone's benefit.
> >
> > I want to preface this with the fact that I am not an expert in this
> > field, nor should I be considered an authoritative source.  I just
> > tend to be involved and hang around with people and organizations that
> > do this stuff for a living in a much more serious context than I.
> > With that said, I've had some very valuable advice given to me and
> > figured out a few things along the way that hopefully I can pass
> > along.
> >
> > To anyone looking to get into the field of security, I would first
> > recommend finding a topic within the realm of security that you want
> > to get into.  The general term "security" is a mile wide and a mile
> > deep - kind of like saying you want to get into "computers" or
> > "networks".
> >
> > Within the realm of security, you have such great topics as risk
> > management, intrusion detection, intrusion prevention, encryption,
> > firewalls, filtering, forensics, and on and on.  To focus on one
> > particular area, forensics, there are two major subdivisions - system
> > forensics and network forensics.  System forensics is what happens
> > when hard drives and digital media / devices are deconstructed and
> > relevant information is discovered, extracted, or recovered.  Network
> > forensics is tracking down who did what when and where using the
> > network communications and devices, which is what honeywalls /
> > honeypots / honeynets facilitate, like we discussed yesterday.
> >
> > So, in using those two forensics areas, how does one prepare to break
> > into the field?  Let's first talk about the skills necessary, starting
> > with Network forensics.
> >
> > Ironically, I believe that most of the people on this list would find
> > the skills necessary to break into positions relating to network
> > forensics are already in their arsenal.  The core skills tend to be a
> > thorough understanding of networks, i.e., how networks work on the
> > fundamental levels - protocols, application specific nuances, routing,
> > etc.  The next big skill is knowing the services that run on networks.
> >
> > What does an http session look like?  How about an smtp connection?
> > These are the types of things that are helpful to know, and really
> > can't be brute-force learned effectively.  These are the types of
> > things that experience teaches.
> >
> > The next big skill set is to master the tools.  Wireshark / Ethereal,
> > Snort, and iptables are open source tools that are used in every lab I've
> > worked in for network forensics.  grep, regex, find, netstat, netcat,
> > etc. are great to know as well.  Don't forget some programming
> > languages - shell, Perl, Python, PHP, C.
> >
> > As you might be able to tell, if you work as an admin on a largish or
> > busy network, chances are, you are on your way to a possible new
> > career opportunity with only incremental changes.
> >
> > The other area is in system forensics.  This is an area where knowing
> > the theory of data storage and methods is critical.  Most people that
> > I've met, aside from some really interesting folks, don't tend to
> > think at this level.  Most people are much more comfortable dealing
> > with interfaces or APIs rather than raw bits and bytes.
> >
> > To enter the world of system forensics, with any seriousness, get used
> > to working on windows machines.  Understand the underlying mechanics
> > of filesystems.  FAT12, FAT16, FAT32, NTFS - know how they work and
> > order data.  Know how they handle deleted files.  Know how they
> > allocate clusters and files within clusters.  Be comfortable working
> > with hex editors and binary.  Learn what files are constructed in what
> > ways - how is a JPEG different from a WAV or DOC at a filesystem or
> > binary level.
> >
> > Once you have the windows stuff down, then learn the ins and outs of
> > the various linux filesystems - EXT2, EXT3, reiser, XFS, etc., as well
> > as Mac filesystems and other less common file systems.
> >
> > Once you have the basics down, learn the tools of the trade.  EnCase
> > and FTK (Forensic Toolkit).  Both of these are Windows tools and are
> > very, very good at what they do.
> >
> > Unlike network forensics, system forensics has no really show-stopping
> > tools in the open source realm.  Yes, there are disk editors and
> > forensic tools like TCT (The Coroner's Toolkit) and Sleuth Kit, but
> > they are far from mature.  It's sad to say, but ancient tools such as
> > Norton's diskedit for DOS are much nicer and fuller featured than the
> > comparable linux equivalents.
> >
> > To get practical experience - get nice and comfortable with virtual
> > machines like virtual pc or vmware.  Then go to town destroying files
> > on the images and recovering them.
> >
> > A decent book that is a pretty decent reference, though it does have
> > its limitations, is the Thompson / Course Technology - Guide to
> > Computer Forensics and Investigations.  It comes with evaluation
> > versions of Encase and FTK as well as sample image files that you can
> > use to get comfortable with using the software.  This should be
> > available through amazon.com for about $60.
> >
> > Once you have all the technical stuff down, set a direction for where
> > you want to be employed.  The private sector is very active with
> > security and especially forensics professionals - but not in Buffalo.
> > You may get lucky and find a position with a bank or a major company -
> > but most corporate positions are in other areas (New York, Washington
> > DC, etc.)
> >
> > Of course, there is also the public sector route.  Depending on your
> > personal ethics and ideals - law enforcement is always looking for
> > qualified, experienced people to work in high technology positions.
> > At the federal level, there are many scholarship opportunities and
> > other incentives to make service more attractive.
> >
> > Which brings me to my final point.  If you are interested in a career
> > in security - any security sector - in any major way, you must have a
> > clean background.  Major positions both in the public and private
> > sector require thorough background checks including credit histories.
> > Certain government positions will require interviews with neighbors
> > and personal friends as well as polygraph tests.  If you want to
> > pursue this type of career path, consider this aspect as well as your
> > technical skills and abilities.
> >
> > For those interested, there are many resources out there both online
> > and offline.  If you have a degree already, think about pursuing a
> > graduate degree in Information Assurance or even just going for a
> > certificate program.  If you don't have a degree, think about getting
> > one in Comp Sci, Computer Engineering, Forensic Science, or even like
> > my degree - Economic Crime Investigations with a Computer Security
> > minor.  At the very least, think about picking up some vendor
> > certifications - Cisco, CompTIA (Security+), ISC2 certs, EnCase, or
> > FTK certs are great ones.
> >
> > At the very least, get active in the field by talking to people and
> > networking.  Know who the major people are in the area for this type
> > of work (or any desired field for that matter), and continually make
> > contacts.
> >
> > This got quite a bit longer than I really expected - but hopefully
> > someone finds my words of "wisdom" useful.
> >
> > Brad
> > _______________________________________________
> > nflug mailing list
> > nflug at nflug.org
> > http://www.nflug.org/mailman/listinfo/nflug
> >
>
>
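Brad's advice above to learn how FAT orders data, allocates clusters and handles deleted files, worked through in an added example that is not part of the thread: a constructed FAT12 allocation table and root directory (512-byte clusters assumed) showing why a deleted entry's surviving start cluster and size still let a tool carve the file even though the FAT now marks those clusters free.

```python
import math
import struct

BYTES_PER_CLUSTER = 512                        # assumed geometry of the constructed volume
DIR_ENTRY = struct.Struct("<11sBBBHHHHHHHI")   # 32-byte FAT 8.3 directory entry
FAT12_EOC = 0xFF8                              # FAT values >= this mark end-of-chain
def pack_fat12(values):
    """Pack 12-bit FAT entries two per three bytes, the way FAT12 stores them."""
    out = bytearray()
    for a, b in zip(values[0::2], values[1::2]):
        out += bytes([a & 0xFF, ((a >> 8) & 0x0F) | ((b & 0x0F) << 4), (b >> 4) & 0xFF])
    return bytes(out)
def fat12_entry(fat, n):
    """Read FAT entry n: 12 bits starting at byte n*3//2, shifted for odd entries."""
    raw = fat[n * 3 // 2] | (fat[n * 3 // 2 + 1] << 8)
    return raw & 0x0FFF if n % 2 == 0 else raw >> 4
def follow_chain(fat, start):
    """Walk a live file's chain until end-of-chain, a free entry (0) or a loop."""
    chain, n = [], start
    while 2 <= n < FAT12_EOC and n not in chain:
        chain.append(n)
        n = fat12_entry(fat, n)
    return chain
def dir_entry(name11, start, size, deleted=False):
    """Build an entry; deleting a file only overwrites the first name byte with 0xE5."""
    raw = bytearray(DIR_ENTRY.pack(name11, 0x20, 0, 0, 0, 0, 0, 0, 0, 0, start, size))
    if deleted:
        raw[0] = 0xE5
    return bytes(raw)
def examine(dir_region, fat):
    found = []                                   # each entry with the clusters a tool would read
    for off in range(0, len(dir_region), 32):
        f = DIR_ENTRY.unpack_from(dir_region, off)
        name, start, size = f[0], f[10], f[11]
        if name[0] == 0x00:                      # 0x00: no entries follow
            break
        deleted = name[0] == 0xE5
        shown = ("?" if deleted else chr(name[0])) + name[1:8].decode().rstrip() + "." + name[8:].decode().rstrip()
        if deleted:  # chain zeroed on delete; start+size survive, so assume contiguous data
            clusters = list(range(start, start + math.ceil(size / BYTES_PER_CLUSTER)))
        else:
            clusters = follow_chain(fat, start)
        found.append({"name": shown, "deleted": deleted, "size": size, "clusters": clusters,
                      "fat_marks_free": all(fat12_entry(fat, c) == 0 for c in clusters)})
    return found

# Constructed sample: HELLO.TXT live in clusters 2->3; SECRET.DOC deleted, chain 4->5 zeroed
FAT = pack_fat12([0xFF8, 0xFFF, 0x003, 0xFFF, 0x000, 0x000, 0x000, 0x000])
ROOT_DIR = dir_entry(b"HELLO   TXT", 2, 700) + dir_entry(b"SECRET  DOC", 4, 600, True) + bytes(32)
```

Call `examine(ROOT_DIR, FAT)` to see the live file's chain read from the FAT next to the deleted file's carved cluster range, which is the contiguity assumption every undelete tool makes.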