Wednesday, September 07, 2011

Getting Started

We see it all the time...someone starts off an email or post to a forum with "I'm new to the field..." or "I want to get into DFIR work..." and they ask for advice on how to "break in" to the field.

Digital forensic analysis can be a large, daunting field.  There's a lot out there (operating systems, platforms, mobile devices, tablets, GPS, applications, etc.), and in many cases, courses available through community colleges and universities sort of lay it all on the table for you, and let you see the enormity of the field, but there simply isn't enough time in the course work to allow for focusing the interest and attention of the future analyst into one particular area of specialization.  Add IR work to that and the field expands even more.  So, if you're in school looking ahead to graduation and getting a job, or if you're looking to change professions, or if you're just looking to break into the field and get do you do that?

Eat the Elephant
DF is a daunting field.  It's huge...expansive.  There's a lot out there.  There are a lot of different devices that can be (and have been) the subject of forensic analysis...computers, laptops, cell phones, smart phones, tablets, Internet kiosks, GPS devices, smart cars...the list goes on.  So how do you get started?  The same way you eat an bite at a time.  Pick something, and start there.  A journey of a thousand miles starts with a single get t' steppin'!

This is going to do a couple of things for you.   First, it's going to give you some experience.  Regardless of where you start, when you do get employment in the field, at some point, you're going to have a sense of deja vu...hey, I've seen this before.  It could be during the interview process or it may be during a case.  It may be some virtualization software, or a particular version of a browser...whatever.  It doesn't matter where you start, the fact that you started is just going to benefit you in the long run.

Second, it's going to show an employer that you can pick stuff up on your own, and that you don't have to be sent away to a training course in order to learn something.  Think about it...would you rather have an employee who can learn on their own, or pick up the basics and then go to the intermediate course, or would you rather have someone who simply can't grow beyond where they are without being spoon fed? 

Don't have access to some of the materials you'd like?  What about your local library?  Seriously.  Libraries and even used book stores are fantastic resources for some of the available books that cover topics in the field.  Maybe you can borrow a book or two from a friend or professor.

However, books aren't necessarily are requirement...a lot of what you need may not be in books.  Let's say that you want to become familiar with browser forensics; start with Google, and then branch out from there.  Most of the browsers are freely available, so do some testing and analysis, using tools and techniques you've read about.

Have a Passion
I attended the PFIC conference in 2010, and while I was there, Amber talked about accessing the Windows Sync in her car.  I thought this was pretty cool because she didn't show up at work everyday and wait for someone to contact her or give her something to do.  In this industry, you can't sit back and wait for stuff to come to have to go after it.

There are a LOT of resources available for you to gain experience in the DFIR field.  There are images and virtual machines available online that you can download and interact with, and there are a wide range for free and open source analysis frameworks available for you to get experience in analysis, as well.

Even if you don't want to go that route, look around you.  How many computer systems do you have access to in your home?  How about via friends?  There are image acquisition tools and even bootable Linux environments that you can download for free to get experience in acquisition...and once you have an image, you can engage in analysis.

So...pick something, and get started.  Even if all you have is a thumb drive, try downloading a tool for dumping physical memory from your Windows system, dump it, and then download a tool to analyze it.

Engage with the Community
There are a number of lists and forums (forii??) out there that are free and open, and allow you to engage with other members of the community.  Start reading, and start asking smart questions.  By that, I mean, don't post a question because you're too lazy to research it some research first.  Have a question about carving files?  Do some research on the topic, and ask a well thought out question.

This also helps when directing questions at one particular person, or working with a mentor...the better developed your questions are, the easier they are to address and answer.

Resources are not just online...there are IRL resources, as well.  In my area, we have the NoVA Forensics Meetups once a month.  Don't have one in your area?  Start one.

An "artifact" of engaging within the community is that you will likely be recognized for your contributions, and if you're looking to change jobs (or get one), you will be "known" to some degree.

Learn to Write
Shakespeare wrote in "Hamlet", "...there are more things on heaven and earth...than are dreamt of in your philosophy", and that holds true for DFIR work, as well.  One of the aspects of the field that a lot of folks don't tell you is that being the best worthless if you can't communicate clearly.  And most folks...whether you're in the public or private sectors...want a report.  Writing is hard, but only because we don't like to do it.  I have the benefit of a wide range of, military, graduate school, and private sector experience...and I've seen a lot of folks go through a lot of pain to provide the benefit of their abilities to customers, simply because they don't like to write.  If you engage in a community as mentioned above, and you've starting asking (and maybe answering) questions, you've already started down the road of developing some writing skills.

When writing, think about your audience.  If you're engaged in an online forum, it might be safe to assume that some of the folks reading your questions or posts have a technical background.  But what if you decide to start writing tutorials?  Let's say that you started to take a look at file carving, and after you had done a great deal of research and study, and worked with several tools, you decided to write up what you learned, either as a tutorial document or a blog post.  At that point, your audience may be a little less technical, and you're providing the benefit of your experience so that others can learn.

Now, take that a step further...let's say that you're working in the private sector and just completed analysis for a customer.  This report is likely going to go to a high-level (possibly C-suite) manager, who isn't highly technical, and needs information in order to make a business decision.  What does he or she want to know?  Were we hacked?  Who hacked us, how did they do it, what did they take?  What risk or compliance issues are we exposed to?

I mentioned getting access to books earlier in this post...going to the library, or a friend, or a professor.  One thing you can do besides using that book as a reference or resource is to write a review.  How do you do that?  Don't reiterate the table of contents...instead, talk about what you found useful (or not so much) in the book.  Then post your review in a public location (book retailer's web site, your own blog, etc.)...with your name on it.  Why do this?  When posting anonymously, we tend to take a much different approach than when we know that what we write can be attributed directly to us, and when you're writing a report in the public or private sector, you can be that the report will be attributed back to you.  Do you seriously think that a prosecutor or a CIO is going accept (and pay for) a report submitted by "anonymous"?

Writing also gives you the ability to give back to and share with the DFIR community.  Mark McKinnon added a list of Jump List AppIDs to the ForensicsWiki not too long ago...he did it by noting which AppIDs were already in the Jump List folder, running another application, and identifying the one that was added...and doing that over and over again.  He then added the table to the wiki.  That's one way of sharing, and there are others.  Put together a white paper.  Review an application or tool.  Start a blog.  Review some material about a particular subject and if you find something within that literature that isn't fully described or even mentioned, blog about it.

There's no requirement within the community or profession that you be able to program, and release open source tools.  However, one of the best ways to expand our knowledge and understanding isn't to hoard it, but to share it.


Mark McKinnon said...

Hi Harlan,

Wish I could take credit for creating the actual list of AppIDs. All I can take credit for is documenting what you and others had done and putting it someplace with reference points back to the where the individuals submitted them.

Also thanks for all your sharing and what you have provided for the community as well. You have been a major contributor and deserve a lot of credit and thanks, and a few free beers from us all.


Keydet89 said...


Thanks, but the fact is that you took the time to post the information. I know of others who had similar lists beyond what you can find online, and didn't share the information.

Thank you for your contributions to the field, my friend.

Craig Lutterbie said...

Hi Harlan -

As a student who is currently in the process of a career transition into the CF/IR field, your advise is spot on. I've asked a lot of questions from you over the past couple years and you've been very helpful and generous with your advise in steering me in the right direction.

I'll say it again, thank you.

I hope all is well.


Binarybod said...

Every forensics forum owner should automate the detection of "I'm new to the field..." submissions and auto-link to this post.

Keydet89 said...

Feel free to link it where you see fit...