These steps need to conform to an appropriate set of processes and procedures that guarantee that you do not modify the original evidence, or modify it as little as possible according to the circumstances. Careful documentation of all the steps taken, integrity hashes, and everything that can be considered relevant in that process are vital.
What advice would you give to those interested in specializing in computer forensics?
Computer forensics is a fascinating world. It is the only area in computer security in which you will get to deal at a low level with all types of operating systems, network devices, CCTV cameras, VoIP/PBX systems, network traffic, etc.
Knowledge is the first requirement any investigator needs. Even for highly experienced network and system administrators, computer forensics is a new world, so everyone needs to undergo the appropriate training.
There are multiple resources on the Internet and books that provide very valuable information on this field. The best way to boost your knowledge is to undergo professional training such as the SANS Institute Computer Forensics Curriculum.
Computer forensics is definitely all about experience, so the only way to really learn how to do the job is by actually doing it many times so you get to encounter the real-world problems, you get to polish your processes, and you get to develop your investigative skills, which are different from the standard IT or Security ones.
As computer forensics is non-destructive, aspiring investigators can practice with their personal systems, corporate systems and forensic challenges that can be found on the Internet. Having a mentor by your side to lead your steps is ideal, but that's often not a possibility due to the low number of digital investigators in our community.
An experienced forensics examiner is about to testify in court for the first time. Any suggestions about the way he talks about his work?
It is extremely important for the investigator to remember that the real world is very different from the technical world. Things are not binary, normal people are moved by situational perception, and therefore it is of the utmost importance that the investigator is able to translate technical forensic "lingo" to standard concepts people can understand. A perfect investigation with a poor presentation in court will typically not succeed. That's not an easy job and not everyone is ready for it, but with time and dedication, it can be accomplished.
People and courts don't understand concepts such as bits and bytes, unallocated, metadata, clusters, artifacts, prefetch, plist, and the million other terms we use. We need to bridge that knowledge so they can make their decisions based on a correct interpretation of reality.